This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Samphas1
Participant
‎2023-04-03 02:35 AM

Threat Prevention logs

Hi CP, 

Regrading to Threat Prevention log if we not see a few days it's cause from Policy or anything ?

0 Kudos
15 Replies
Chris_Atkinson
Employee Employee
Employee
‎2023-04-03 04:55 AM

Could be several things probably best reviewed via a remote session rather than guessing.

With that said are you still receiving normal firewall logs from the same Gateways or no? 

CCSM R77/R80/ELITE
0 Kudos
Samphas1
Participant
‎2023-04-03 05:55 PM
In response to Chris_Atkinson

Hi @Chris_Atkinson 

We got the firewall logs as normal on the same gateway. And just last few days that we did not get threat prevention logs.

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2023-04-03 06:16 PM
In response to Samphas1

Which JHF take is applied to this environment and are the relevant Threat Prevention blades still enabled on the gateway object?

Additionally would anyone have configured fast_accel rules recently?

Again, probably best to contact TAC to review via a remote session.

CCSM R77/R80/ELITE
0 Kudos
Samphas1
Participant
‎2023-04-06 05:59 PM
In response to Chris_Atkinson

Hi @Chris_Atkinson 

Threat prevention blades are still enable on the gateway object and as I mention we did not change anything on on that.

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2023-04-06 07:54 PM
In response to Samphas1

Again please provide all the requested info as follows:

- Which Jumbo/JHF version is installed on-top of R81.10?

- Output of command:  fw stat -b AMW 

- Run CheckME and review logs

 

If you don't wish to do so here for whatever reason then please consult further with TAC via a remote session to diagnose the problem more  efficiently. 

CCSM R77/R80/ELITE
0 Kudos
Samphas1
Participant
‎2023-04-06 08:34 PM
In response to Chris_Atkinson

Hi @Chris_Atkinson

May I ask you, Normally threat prevention logs are always detect right?

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2023-04-06 08:42 PM
In response to Samphas1

No they will typically be either Detect or Prevent depending on your configuration/policy and the type of threat encountered.

Please review your smartlog filters...

CCSM R77/R80/ELITE
0 Kudos
Samphas1
Participant
‎2023-04-06 09:21 PM
In response to Chris_Atkinson

Hi @Chris_Atkinson 

Yes, I concern because it's just last week that I can not see the logs detection and prevention. That I think it may any issue.

0 Kudos
Samphas1
Participant
‎2023-04-07 02:49 AM
In response to Chris_Atkinson

Hi @Chris_Atkinson 

what are different between the below log:

 - blade:IPS  

Blade_IPS.PNG

- Threat Prevention:

Threat prevention.PNG

 
 
0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2023-04-07 08:26 AM
In response to Samphas1

There isn't sufficient information available here to say apart from the obvious categories

Please expand the IPS log card if you need further insight 

CCSM R77/R80/ELITE
0 Kudos
Machine_Head
Collaborator
Collaborator
‎2023-04-03 05:33 AM

Might just be that the gateway is not sending logs:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

 

Or some configuration issue.


Did you see TP logs before?

Do you see firewall logs?

Might be that the rule is set not to track?

 

0 Kudos
Tal_Paz-Fridman
Employee
Employee
‎2023-04-03 09:26 AM

Can you check the Threat Prevention Policy is installed properly?

Please share the output of fw stat -b AMW on the Security Gateway

0 Kudos
Samphas1
Participant
‎2023-04-03 05:57 PM
In response to Tal_Paz-Fridman

Hi @Timothy_Hall 

We did not change anything on threat prevention policy. And just last few days did not get threat prevention logs.

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2023-04-03 06:31 PM
In response to Samphas1

Please provide output of fw stat -b AMW run on the gateway as requested earlier in the thread.

Attend my 60-minute "Be your Own TAC: Part Deux" Presentation
Exclusively at CPX 2025 Las Vegas Tuesday Feb 25th @ 1:00pm
0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2023-04-03 01:45 PM

http://www.cpcheckme.com will light up your Threat Prevention logs and tell you if it is working correctly.

Attend my 60-minute "Be your Own TAC: Part Deux" Presentation
Exclusively at CPX 2025 Las Vegas Tuesday Feb 25th @ 1:00pm

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events
    li.common.scroll-to.top