E-mail client receives timeout error, e-mails do not reach their destinations, and SmartView Tracker shows duplicated Threat Emulation logs from a cluster
Product: Threat Emulation, ClusterXL
Version: R77.30 (EOL), R80 (EOL), R80.10 (EOL)
OS: Gaia, SecurePlatform 2.6
Symptoms:
The e-mail client receives a timeout error (SMTP error code "554"), and e-mails do not reach their destinations in the following scenario:
- The Threat Emulation blade and the Mail Transfer Agent (MTA) are enabled in the Cluster object.
- The Threat Prevention policy is set to "Prevent".
- "Fail Mode" is set to "Block all connections (Fail-close)" (Advanced - Engine Settings).
- The Network Policy and the Threat Prevention Policy are installed.
- An e-mail with a benign file is sent through the cluster from an external client to the MTA.
SmartView Tracker shows one of the following log patterns:
- Two identical Threat Emulation "Accept" logs with the same e-mail metadata in both logs. The file reaches Threat Emulation twice: first from the streaming inspection and then from the MTA.
- Two Threat Emulation logs with the same e-mail metadata in both logs:
  - A "Detect" log sent by the streaming inspection (the connection timeout was reached before the emulation finished).
  - A "Prevent" log sent by the MTA (the e-mail reaches the recipient with the attachment stripped).
- A single Threat Emulation "Prevent" log. The e-mail does not reach the recipient, and the sender receives a bounce message with SMTP error code "554".
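To confirm the duplicated-log symptom from a log export rather than by eye, the following Python script (an added check, not part of this article or of any Check Point tool) groups Threat Emulation logs by e-mail and reports every e-mail that was logged more than once, distinguishing identical duplicates (two "Accept" logs) from the "Detect" followed by "Prevent" pair. It assumes an export with one record per line in semicolon-separated "Key: value" form and an `email_message_id` field identifying the e-mail; both the record format and the field names are assumptions, and the sample lines are constructed for the example.

```python
"""Flag Threat Emulation logs emitted more than once for the same e-mail.

Assumptions (not from the article): one log record per line in the
semicolon-separated "Key: value" form, a "Product" field equal to
"Threat Emulation" on TE logs, and an "email_message_id" field that
identifies the e-mail.  Real exports may use different field names.
"""
from collections import defaultdict

# Constructed sample export (not real logs): one benign e-mail logged twice
# with identical Accept logs, one e-mail logged as Detect (streaming
# inspection) and then Prevent (MTA), one e-mail logged once, and one
# non-TE firewall log that must be ignored.
SAMPLE_LOG = """\
Time: 12Jun2017 10:01:02; Action: Accept; Origin: gw-member1; Product: Threat Emulation; email_message_id: <a1@example.com>; file_name: report.docx; verdict: Benign
Time: 12Jun2017 10:01:02; Action: Accept; Origin: gw-member1; Product: Threat Emulation; email_message_id: <a1@example.com>; file_name: report.docx; verdict: Benign
Time: 12Jun2017 10:02:10; Action: Detect; Origin: gw-member1; Product: Threat Emulation; email_message_id: <b2@example.com>; file_name: invoice.pdf; verdict: Malicious
Time: 12Jun2017 10:02:45; Action: Prevent; Origin: gw-member1; Product: Threat Emulation; email_message_id: <b2@example.com>; file_name: invoice.pdf; verdict: Malicious
Time: 12Jun2017 10:03:00; Action: Prevent; Origin: gw-member2; Product: Threat Emulation; email_message_id: <c3@example.com>; file_name: payload.exe; verdict: Malicious
Time: 12Jun2017 10:03:05; Action: Accept; Origin: gw-member1; Product: Firewall; Service: smtp
"""


def parse_record(line):
    """Split one 'Key: value; Key: value' record into a dict.

    Only the first ':' in each field separates key from value, so values
    such as a time stamp ('10:01:02') are kept intact.
    """
    record = {}
    for field in line.split(";"):
        if ":" not in field:
            continue
        key, value = field.split(":", 1)
        record[key.strip()] = value.strip()
    return record


def duplicated_te_logs(log_text):
    """Return {message_id: [action, ...]} for every e-mail that has more
    than one Threat Emulation log, actions in the order they were logged."""
    actions = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("Product") != "Threat Emulation":
            continue  # only TE logs are relevant to the symptom
        msg_id = rec.get("email_message_id")
        if msg_id:
            actions[msg_id].append(rec.get("Action", ""))
    return {m: a for m, a in actions.items() if len(a) > 1}


def report(log_text):
    """Summarise each duplicated e-mail as (message_id, actions, pattern).

    'identical' means every log carries the same action (the two "Accept"
    logs seen for a benign file); 'mixed' means the actions differ (the
    streaming "Detect" followed by the MTA "Prevent").
    """
    out = []
    for msg_id, acts in duplicated_te_logs(log_text).items():
        pattern = "identical" if len(set(acts)) == 1 else "mixed"
        out.append((msg_id, acts, pattern))
    return out


if __name__ == "__main__":
    for msg_id, acts, pattern in report(SAMPLE_LOG):
        print(f"{msg_id}: {len(acts)} TE logs, actions={acts} ({pattern})")
```

An e-mail that appears only once (the single "Prevent" log in the third pattern above) is deliberately not reported, since the duplication is the symptom this check is looking for; correlate those single-log cases with the "554" bounce on the sending side instead.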
Cause:
The Threat Emulation policy incorrectly treats the Mail Transfer Agent (MTA) as disabled on the cluster members. As a result, the Check Point kernel on the cluster members scans the SMTP connection with streaming inspection instead of ignoring it and leaving the e-mail to the MTA, so the same file is emulated twice.