has MTA enabled, but it is not in the scope of any...

Bobby_Meador · ‎2017-08-10

Keep getting this on R80.10 gateways Azure and 5900 cluster same issue. Is this a BUG!!!

I have tried this and it does not work

"<Name of Security Gateway> has MTA enabled, but it is not in the scope of any of the Threat P...

PhoneBoy · ‎2017-08-10

I can see you already have a TAC issue open on this.

Just to confirm, can you post a screenshot of your Threat Prevention policy or send it to me in a PM?

Bobby_Meador · ‎2017-08-10

very basic Threat policy config and we have tried adding the cluster object to the protected scope. We originally had this MTA issue on Azure policy deployment and now it appears when pushing policy to 5900 HA cluster on R80.10 Take 24. Looks like a mgmt bug to me as we can fetch the threat prevention policy and access control policy successfully from CLI of each firewall Gateway.

This is a bridge mode deployment with only Mgmt Sync and Eth6 (direct link to Email Gateway) in Topology. So not sure we can do anything about this warning.

We have two bridges configured br1 = eth1 & eth2 br2= eth3 & eth4.

- Threat Prevention requires topology to be defined.

At least one internal, one external, and no undefined interfaces are required.

Incorrectly defined topology impacts performance and security.

Please install both Access Control and Threat Prevention policies after fixing the topology.

Gateway: Checkpoint-A

Policy: Standard

Status: Failed

- Checkpoint-A has MTA enabled, but it is not in the scope of any of the Threat Prevention policy rules.

- gen_amw_rulebase: amw_gen_mta_info() failed

- gen_amw_rulebase_tables: gen_amw_rulebase failed

- amw_load: gen_amw_rulebase_tables failed

- tp_load: amw_load() failed

- tp_load_main: Failed to load Threat Prevention policy

- Checkpoint-A has MTA enabled, but it is not in the scope of any of the Threat Prevention policy rules.

- main: Errors while loading Threat Prevention policy

- Operation was unsuccessful.

- Threat Prevention requires topology to be defined.

At least one internal, one external, and no undefined interfaces are required.

Incorrectly defined topology impacts performance and security.

Please install both Access Control and Threat Prevention policies after fixing the topology.

PhoneBoy · ‎2017-08-10

Why don't you have topology configured on your Interfaces?

Bobby_Meador · ‎2017-08-10

I do for the interfaces that appear when we select get interfaces. The bridge interfaces never appear on 5900 cluster like on my home firewall I see 0.0.0.0 on eth2 eth3. I also have a routed design which we define as external and internal on Azure. We still experience the same issue with MTA on Azure cluster.

Sent via the Samsung Galaxy S® 6 edge, an AT&T 4G LTE smartphone

PhoneBoy · ‎2017-08-10

The fact that your bridge interfaces aren't showing when you do a Get Topology doesn't sound right.

Might be worth a second ticket and/or defining the interfaces manually in the gateway object.

Thomas_Werner · ‎2017-09-06

Hi Bobby,

so you enabled MTA without having a non-bridge interface ?

Using MTA in bridge mode deplyments requires a dedicated non-bridge interface for the MTA ....

Regards Thomas

ABHISHEK_KUMAR3 · ‎2019-01-24

Hi Bobby ,

I am facing the same issue , can you please help me out with the solution for this ??

How did you resolved it or anything.

Thomas_Werner · ‎2019-01-24

Hi,

so for making MTA setup in bridge mode more "visual" I created this document:

https://community.checkpoint.com/docs/DOC-3493-using-mta-on-bridge-mode

HTH

Thomas

Are you a member of CheckMates?

has MTA enabled, but it is not in the scope of any of the Threat Prevention policy rules