This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Oliver_Matt
Contributor
‎2022-04-21 04:59 AM
Jump to solution

Upgrade of Mgmt Server to 81.10 broke Threat Prevention

Hello Community,

we've upgraded our management server to version R81.10 while our gateways are still on R80.40 with the latest jumbo hotfix. As soon as the policy (access & threat prevention) was installed the first time via the updated server our complete threat prevention rule set went out of service.

We are only able to see logs which are created by the 39 Core Protections. No more logs are shown for IPS, Anti-Bot, Anti Virus.

By checking one of the logs from a core protection we saw that the name of our threat profile changed from our usual name to "No_protection_1b58..."

2022-04-21 13_41_02-Log Details.png

When I click on the "No_protection_1b58..." threat profile I get forwarded to our currently active threat prevention profile.

We've tried almost anything:

Creating new threat profiles and add them to our threat prevention custom policy
Creating new profiles for the 39 core protections and inspection settings
Creating new threat prevention layers

None off this worked out. Beside of the 39 core protections threat prevention is not showing any logs anymore and we are pretty sure that it's currently not working.

What do we miss? Any help would be highly appreciated.

Kind regards

Oliver

Labels
0 Kudos
1 Solution

Accepted Solutions
Oliver_Matt
Contributor
‎2022-05-01 11:18 PM
Jump to solution

Solved: We've updated our Gateways to Version R81.10. IPS & TP Logs are displayed again.

View solution in original post

0 Kudos
11 Replies
_Val_
Admin
Admin
‎2022-04-21 05:23 AM
Jump to solution

Pleas raise a TAC case for this

0 Kudos
the_rock
Legend
Legend
‎2022-04-21 06:00 AM
Jump to solution

@_Val_ is right, this warrants TAC case for sure. In the meantime, cant say I ever seen this myself personally, but, can you verify that nothing changed as far as threat prevention policy? Does it look same as before?

Andy

0 Kudos
Oliver_Matt
Contributor
‎2022-04-21 06:22 AM
In response to the_rock
Jump to solution

@_Val_, @the_rock  - Thx for your quick response. We've double checked it a few time. Nothing has change on the threat prevention policy - looks exactly the same as before. We'll get in touch with TAC.

Oliver

0 Kudos
the_rock
Legend
Legend
‎2022-04-21 06:26 AM
In response to Oliver_Matt
Jump to solution

Something I would try...see if you can uninstall threat prevention policy and then install it again, or, not sure what blades are on, but maybe disable them, push policy and then re-check same blades, install policy. Are threat prevention profiles still intact?

Andy

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2022-04-21 07:06 AM
Jump to solution

It appears that when the log is generated by the firewall it is not correctly identifying the matching TP policy profile, what does fw stat -b AMW show when run on the firewall?  If it shows a loaded TP policy, TP is probably still working and this looks like a cosmetic log issue to me.

Verifying that TP is still working as expected is very important when tweaking and tuning the TP config, here is an excerpt from my IPS/AV/ABOT Immersion series discussing this topic that should allow you to verify TP is still working as expected:

test1.pngtest2.png

Attend my Gateway Performance Optimization R81.20 course
CET (Europe) Timezone Course Scheduled for July 1-2
0 Kudos
Oliver_Matt
Contributor
‎2022-04-25 02:58 AM
In response to Timothy_Hall
Jump to solution

Hello Timothy,

thank you for your input - it appears that your command shows that our TP profile is loaded. We've already opened a TAC case with CP. Let's hop that it's only a cosmetic issue.

Oliver

0 Kudos
Shiran_Gold
Employee
Employee
‎2022-04-25 12:18 AM
Jump to solution

Hey Oliver,

Was a TAC SR raised?

please check your inbox, I sent you a private message
I would like to follow up with you on that issue

0 Kudos
Oliver_Matt
Contributor
‎2022-04-25 02:59 AM
In response to Shiran_Gold
Jump to solution

Hello Shiran,

I've sent you an email.

Kind regards

Oliver

0 Kudos
the_rock
Legend
Legend
‎2022-04-25 06:27 AM
In response to Oliver_Matt
Jump to solution

Please let us know how this gets resolved. Thanks very much!

Andy

0 Kudos
Oliver_Matt
Contributor
‎2022-04-27 05:12 AM
In response to the_rock
Jump to solution

Hi all,

we got told that it is only a cosmetic bug. IPS / TP is running and enforcing protections but we are not able to see the according logs. There will be a hotfix for this in the next Jumbo Hotfix which has no ETA as of now.

Well - who cares about logs? 🤔

We will upgrade our gateways to R81.10 soon and hope that this might get our logs back. Otherwise we have to wait for the next JHF.

Oliver 

0 Kudos
Oliver_Matt
Contributor
‎2022-05-01 11:18 PM
Jump to solution

Solved: We've updated our Gateways to Version R81.10. IPS & TP Logs are displayed again.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events
    Top