Oliver_Matt
Contributor

Upgrade of Mgmt Server to 81.10 broke Threat Prevention

Hello Community,

We've upgraded our management server to version R81.10 while our gateways are still on R80.40 with the latest jumbo hotfix. As soon as the policy (access & threat prevention) was installed the first time via the updated server, our complete threat prevention rule set went out of service.

We are only able to see logs which are created by the 39 Core Protections. No more logs are shown for IPS, Anti-Bot, Anti-Virus.

By checking one of the logs from a core protection we saw that the name of our threat profile changed from our usual name to "No_protection_1b58..."

[Screenshot: 2022-04-21 13_41_02-Log Details.png]

When I click on the "No_protection_1b58..." threat profile I get forwarded to our currently active threat prevention profile.

We've tried almost anything:

Creating new threat profiles and adding them to our threat prevention custom policy
Creating new profiles for the 39 core protections and inspection settings
Creating new threat prevention layers

None of this worked out. Besides the 39 core protections, threat prevention is not showing any logs anymore and we are pretty sure that it's currently not working.

What are we missing? Any help would be highly appreciated.

Kind regards

Oliver

0 Kudos
1 Solution

Accepted Solutions
Oliver_Matt
Contributor

Solved: We've updated our Gateways to Version R81.10. IPS & TP Logs are displayed again.


0 Kudos
11 Replies
_Val_
Admin

Please raise a TAC case for this.

0 Kudos
the_rock
Legend

@_Val_ is right, this warrants a TAC case for sure. In the meantime, can't say I've ever seen this myself personally, but can you verify that nothing changed as far as threat prevention policy? Does it look the same as before?

Andy

0 Kudos
Oliver_Matt
Contributor

@_Val_, @the_rock - Thx for your quick response. We've double-checked it a few times. Nothing has changed on the threat prevention policy - looks exactly the same as before. We'll get in touch with TAC.

Oliver

0 Kudos
the_rock
Legend

Something I would try...see if you can uninstall threat prevention policy and then install it again, or, not sure what blades are on, but maybe disable them, push policy and then re-check same blades, install policy. Are threat prevention profiles still intact?

Andy

0 Kudos
Timothy_Hall
Legend

It appears that when the log is generated by the firewall it is not correctly identifying the matching TP policy profile. What does fw stat -b AMW show when run on the firewall? If it shows a loaded TP policy, TP is probably still working and this looks like a cosmetic log issue to me.

Verifying that TP is still working as expected is very important when tweaking and tuning the TP config. Here is an excerpt from my IPS/AV/ABOT Immersion series discussing this topic that should allow you to verify TP is still working as expected:

[Screenshots: test1.png, test2.png]

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
Oliver_Matt
Contributor

Hello Timothy,

Thank you for your input - it appears that your command shows that our TP profile is loaded. We've already opened a TAC case with CP. Let's hope that it's only a cosmetic issue.

Oliver

0 Kudos
Shiran_Gold
Employee

Hey Oliver,

Was a TAC SR raised?

Please check your inbox; I sent you a private message.
I would like to follow up with you on that issue.

0 Kudos
Oliver_Matt
Contributor

Hello Shiran,

I've sent you an email.

Kind regards

Oliver

0 Kudos
the_rock
Legend

Please let us know how this gets resolved. Thanks very much!

Andy

0 Kudos
Oliver_Matt
Contributor

Hi all,

We got told that it is only a cosmetic bug. IPS / TP is running and enforcing protections but we are not able to see the corresponding logs. There will be a hotfix for this in the next Jumbo Hotfix, which has no ETA as of now.

Well - who cares about logs? 🤔

We will upgrade our gateways to R81.10 soon and hope that this might get our logs back. Otherwise we have to wait for the next JHF.

Oliver 

0 Kudos
Oliver_Matt
Contributor

Solved: We've updated our Gateways to Version R81.10. IPS & TP Logs are displayed again.

0 Kudos
