the_rock

Searching for IPS protections via ssh

Hey guys,

Figured I would share this in case anyone encounters the same problem. So I had an issue with a customer where certain parts of sites on Azure were not coming up when testing from on prem; we ran debug and discovered it was related to IPS, but had a hard time finding out the protection in question. So I saw there is a command you can run via expert mode if you have the hexadecimal value for the protection (which we did from the drops), and once we got the protection name, it was easy to fix the problem.

[Expert@quantum-firewall:0]# ips

Usage:
ips stat # Display IPS status
ips on|off # Enable\Disable IPS
ips bypass stat # Display Bypass Under Load status
ips bypass on|off # Enable\Disable bypass mode
ips bypass set cpu|mem low|high <th> # Set bypass thresholds
ips debug [-e filter] -o <outfile> # Get IPS debugs
ips refreshcap # Refresh the sample capture repository
ips stats [<ip_address> -m] [-g <seconds>] [<ip_address> <seconds>] [-h]
# Print IPS performance and PM statistics
ips protection <protection_id (hex)> # Display protection name

Note: IPS CLI configuration is temporary - it will be overridden by the next
policy installation or boot
[Expert@quantum-firewall:0]# ips protection 0x82e5656a
Web Servers Malicious URL Directory Traversal
[Expert@quantum-firewall:0]#

Since we saw lots of "first packet isn't SYN" errors and the customer proved this worked fine when NOT traversing the CP cluster, I would say, if you ever see that message, always check threat prevention blades, especially IPS, apart from the obvious "culprits"...routing, NAT, sxl : - )

Cheers,

Andy
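An added example (not part of the post above, and not Check Point's own tooling) that automates the lookup step described: it pulls every distinct 0x-prefixed hex value out of saved IPS debug output and resolves each one with `ips protection <hex>`. The sample debug text is constructed for illustration and its line format is an assumption, so adjust the grep pattern if the drop lines on your gateway look different; when `ips` is not on PATH (for instance running this off-box) it prints the command you would run instead of failing.

```shell
#!/bin/sh
# Added example: resolve IPS protection IDs found in debug output to names.
# The debug text below is CONSTRUCTED; only 0x82e5656a comes from the post.

SAMPLE_DEBUG='
drop ... reason: IPS protection 0x82e5656a
drop ... reason: IPS protection 0x82e5656a
drop ... reason: IPS protection 0x1234abcd
'

# Read debug text on stdin, print each distinct 32-bit hex ID once per line.
extract_protection_ids() {
    grep -oE '0x[0-9a-fA-F]{8}' | sort -u
}

# Resolve one ID via the gateway CLI (ips protection <hex>); if the `ips`
# command is not available here, say what to run on the gateway instead.
resolve_protection() {
    id="$1"
    if command -v ips >/dev/null 2>&1; then
        ips protection "$id"
    else
        echo "(ips not on PATH; on the gateway run: ips protection $id)"
    fi
}

# Take a block of debug text as the first argument and print "id -> name".
resolve_all() {
    printf '%s\n' "$1" | extract_protection_ids | while read -r id; do
        printf '%s -> %s\n' "$id" "$(resolve_protection "$id")"
    done
}

# Usage: feed a captured debug file with resolve_all "$(cat ips_debug.txt)"
resolve_all "$SAMPLE_DEBUG"
```

On the gateway itself, `ips protection` returns the protection name (as in the session above, 0x82e5656a resolves to "Web Servers Malicious URL Directory Traversal"), which is what you then look up in SmartConsole to tune the protection rather than disabling the blade.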
