This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Roy_Smith
Collaborator
‎2020-01-09 06:22 AM

What does "couldn't start inspection" mean?

Hi

In our logs, I see the message shown in the attached image. SSL Inspection blade is running and working, as I see other events with an HTTPS inspection status of inspect and bypass. What does "Internal system error in HTTPS Inspection (Couldn't start inspection)" really mean?

I think we always had these log entries but they seem to have increased considerably over the past few weeks from approx. 20K to over 300K per day. I'm still trying track down what, if anything, changed when this increase first started but I'm curious about the message in the screenshot. If anyone has any ideas that would be great. 

Many Thanks
Roy

 

Preview file
27 KB
2 Replies
PhoneBoy
Admin
Admin
‎2020-01-09 06:42 AM

What version of code?
It could be that the gateway is encountering unsupported ciphers or a client certificate.
In which case it will fail open/closed depending on the relevant setting.
0 Kudos
Roy_Smith
Collaborator
‎2020-01-10 02:09 AM
In response to PhoneBoy

We are running VSX R80.10 Take189. We are due to upgrade to R80.30 at the end of February. 

I had actually wondered about cipher suites, as I know R80.10 does not have the same support as R80.30.  I don't suppose you can find out what ciphers are being negotiated during the session?

Yesterday, I changed to fail-open in app control, although it did not appear to make much difference but will monitor it today.

What is strange, is that the spike appears at the same time each day this week and lasts for 1-2 hours.  It does not seem to be related to a specific site or even a small number of sites as I have seen the logs generated for over 100 different applications.

Thanks
Roy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events