Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Bobby_Meador
Explorer

has MTA enabled, but it is not in the scope of any of the Threat Prevention policy rules

Keep getting this on R80.10 gateways Azure and 5900 cluster same issue. Is this a BUG!!!

I have tried this and it does not work

"<Name of Security Gateway> has MTA enabled, but it is not in the scope of any of the Threat P... 

0 Kudos
8 Replies
PhoneBoy
Admin
Admin

I can see you already have a TAC issue open on this.

Just to confirm, can you post a screenshot of your Threat Prevention policy or send it to me in a PM? 

0 Kudos
Bobby_Meador
Explorer

very basic Threat policy config and we have tried adding the cluster object to the protected scope. We originally had this MTA issue on Azure policy deployment and now it appears when pushing policy to 5900 HA cluster on R80.10 Take 24. Looks like a mgmt bug to me as we can fetch the threat prevention policy and access control policy successfully from CLI of each firewall Gateway.

This is a bridge mode deployment with only Mgmt Sync and Eth6 (direct link to Email Gateway) in Topology. So not sure we can do anything about this warning.

We have two bridges configured br1 = eth1 & eth2  br2= eth3 & eth4.

- Threat Prevention requires topology to be defined.

At least one internal, one external, and no undefined interfaces are required.

Incorrectly defined topology impacts performance and security.

Please install both Access Control and Threat Prevention policies after fixing the topology.

Gateway: Checkpoint-A

Policy: Standard

Status: Failed

- Checkpoint-A has MTA enabled, but it is not in the scope of any of the Threat Prevention policy rules.

- gen_amw_rulebase: amw_gen_mta_info() failed

- gen_amw_rulebase_tables: gen_amw_rulebase failed

- amw_load: gen_amw_rulebase_tables failed

- tp_load: amw_load() failed

- tp_load_main: Failed to load Threat Prevention policy

-  Checkpoint-A has MTA enabled, but it is not in the scope of any of the Threat Prevention policy rules.

- main: Errors while loading Threat Prevention policy

- Operation was unsuccessful.

- Threat Prevention requires topology to be defined.

At least one internal, one external, and no undefined interfaces are required.

Incorrectly defined topology impacts performance and security.

Please install both Access Control and Threat Prevention policies after fixing the topology.

0 Kudos
PhoneBoy
Admin
Admin

Why don't you have topology configured on your Interfaces?

0 Kudos
Bobby_Meador
Explorer

I do for the interfaces that appear when we select get interfaces. The bridge interfaces never appear on 5900 cluster like on my home firewall I see 0.0.0.0 on eth2 eth3. I also have a routed design which we define as external and internal on Azure. We still experience the same issue with MTA on Azure cluster.

Sent via the Samsung Galaxy S® 6 edge, an AT&T 4G LTE smartphone

0 Kudos
PhoneBoy
Admin
Admin

The fact that your bridge interfaces aren't showing when you do a Get Topology doesn't sound right.

Might be worth a second ticket and/or defining the interfaces manually in the gateway object.

0 Kudos
Thomas_Werner
Employee Alumnus
Employee Alumnus

Hi Bobby,

so you enabled MTA without having a non-bridge interface ?

Using MTA in bridge mode deplyments requires a dedicated non-bridge interface for the MTA ....


Regards Thomas

0 Kudos
ABHISHEK_KUMAR3
Explorer

Hi Bobby ,

I am facing the same issue , can you please help me out with the solution for this ?? 

How did you resolved it or anything.

0 Kudos
Thomas_Werner
Employee Alumnus
Employee Alumnus

Hi,

so for making MTA setup in bridge mode more "visual" I created this document:

https://community.checkpoint.com/docs/DOC-3493-using-mta-on-bridge-mode 

HTH

Thomas

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events