Re: Threat Prevention logs

Samphas1 · ‎2023-04-03

Hi CP,

Regrading to Threat Prevention log if we not see a few days it's cause from Policy or anything ?

Chris_Atkinson · ‎2023-04-03

Could be several things probably best reviewed via a remote session rather than guessing.

With that said are you still receiving normal firewall logs from the same Gateways or no?

CCSM R77/R80/ELITE

Samphas1 · ‎2023-04-03

Hi @Chris_Atkinson

We got the firewall logs as normal on the same gateway. And just last few days that we did not get threat prevention logs.

Chris_Atkinson · ‎2023-04-03

Which JHF take is applied to this environment and are the relevant Threat Prevention blades still enabled on the gateway object?

Additionally would anyone have configured fast_accel rules recently?

Again, probably best to contact TAC to review via a remote session.

CCSM R77/R80/ELITE

Samphas1 · ‎2023-04-06

Hi @Chris_Atkinson

Threat prevention blades are still enable on the gateway object and as I mention we did not change anything on on that.

Chris_Atkinson · ‎2023-04-06

Again please provide all the requested info as follows:

- Which Jumbo/JHF version is installed on-top of R81.10?

- Output of command: fw stat -b AMW

- Run CheckME and review logs

If you don't wish to do so here for whatever reason then please consult further with TAC via a remote session to diagnose the problem more efficiently.

CCSM R77/R80/ELITE

Samphas1 · ‎2023-04-06

Hi @Chris_Atkinson

May I ask you, Normally threat prevention logs are always detect right?

Chris_Atkinson · ‎2023-04-06

No they will typically be either Detect or Prevent depending on your configuration/policy and the type of threat encountered.

Please review your smartlog filters...

CCSM R77/R80/ELITE

Samphas1 · ‎2023-04-06

Hi @Chris_Atkinson

Yes, I concern because it's just last week that I can not see the logs detection and prevention. That I think it may any issue.

Samphas1 · ‎2023-04-07

Hi @Chris_Atkinson

what are different between the below log:

- blade:IPS

- Threat Prevention:

Chris_Atkinson · ‎2023-04-07

There isn't sufficient information available here to say apart from the obvious categories

Please expand the IPS log card if you need further insight

CCSM R77/R80/ELITE

Machine_Head · ‎2023-04-03

Might just be that the gateway is not sending logs:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Or some configuration issue.

Did you see TP logs before?

Do you see firewall logs?

Might be that the rule is set not to track?

Tal_Paz-Fridman · ‎2023-04-03

Can you check the Threat Prevention Policy is installed properly?

Please share the output of fw stat -b AMW on the Security Gateway

Samphas1 · ‎2023-04-03

Hi @Timothy_Hall

We did not change anything on threat prevention policy. And just last few days did not get threat prevention logs.

Timothy_Hall · ‎2023-04-03

Please provide output of fw stat -b AMW run on the gateway as requested earlier in the thread.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course

Timothy_Hall · ‎2023-04-03

http://www.cpcheckme.com will light up your Threat Prevention logs and tell you if it is working correctly.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course

Are you a member of CheckMates?

Threat Prevention logs