"TCP Out of Sequence" log is missing in SmartView Tracker or SmartEvent.
"TCP Segment Limit Enforcement" log is missing in SmartView Tracker or SmartEvent.
"TCP SYN Modified Retransmission" log is missing in SmartView Tracker or SmartEvent.
"TCP Invalid Retransmission" log is missing in SmartView Tracker or SmartEvent.
"TCP Invalid Checksum" log is missing in SmartView Tracker or SmartEvent.
"Streaming Engine: Potential network configuration problem detected" log.
Logs for the 5 IPS protections described above are usually an indication of a network configuration problem, and not of an actual attack.
In some environments, these IPS protections produce a large number of logs, which might prevent processing of other important events.
Therefore, starting from the R75.40 release, the logs can be aggregated into one log with the title "Potential network configuration problem", produced once per hour (see "Solution" section for more details).
Code was improved:
To enhance the user experience and reduce the load of monitoring the logs from the IPS blade, Check Point has made several changes in the way the logs for these 5 IPS protections are produced.
By default, the logs for these IPS protections are produced as before, but are not displayed in SmartView Tracker or SmartEvent. Instead, once per hour, a log with the title "Potential network configuration problem" is produced. This log summarizes the past hour's events (an aggregation of the 5 different IPS protections).
If the administrator wishes to see the specific logs, they can be displayed in R70.30 and below SmartView Tracker by simply removing the filter "Engine Settings - TCP" from the "Protection Type" field.
In R80 and above SmartLog, the specific logs can be viewed by adding the search filter "Engine Settings - TCP".
In addition (and not by default), the administrator can control the generation of the 5 logs in question at the PSL level by changing the value of the kernel parameter fwpslglue_log_ctrl on the Security Gateway:
Value of kernel parameter
Generation of the logs
Print all logs from these IPS protections (default value; as in previous versions)
Print a log from these IPS protections once per connection/window (default value in Monitor / Mirror / TAP / SPAN mode)
The logs will be printed in the following way:
Log from IPS protection 'TCP Out of Sequence' will be printed once per window per connection
Log from IPS protection 'TCP Segment Limit Enforcement' will be printed once per window per connection
Log from IPS protection 'TCP SYN Modified Retransmission' will be printed once per connection
Log from IPS protection 'TCP Invalid Retransmission' will be printed once per connection
Log from IPS protection 'TCP Invalid Checksum' will be printed once per connection
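The once-per-connection/window behaviour and the hourly aggregation described above, modelled as an added Python example (not Check Point code) that can help when estimating how many logs to expect. The event fields (ts, conn, window) and the sample events are constructed; how the gateway identifies a "window" is not stated here, so it is represented as an integer.

```python
from collections import Counter

# Suppression scope per protection, taken from the list above.
SCOPE = {
    "TCP Out of Sequence": "window",
    "TCP Segment Limit Enforcement": "window",
    "TCP SYN Modified Retransmission": "connection",
    "TCP Invalid Retransmission": "connection",
    "TCP Invalid Checksum": "connection",
}

def throttle(events):
    """Return the events still logged in once-per-connection/window mode."""
    seen, kept = set(), []
    for ev in events:
        scope = SCOPE.get(ev["protection"])  # None: not one of the 5 protections
        key = (ev["protection"], ev["conn"])
        if scope == "window":
            key += (ev["window"],)           # a new window logs again
        if scope is None or key not in seen:
            seen.add(key)
            kept.append(ev)
    return kept

def hourly_summary(events):
    """Per-hour counts of the 5 protections (ts is in seconds)."""
    summary = {}
    for ev in events:
        if ev["protection"] in SCOPE:
            summary.setdefault(ev["ts"] // 3600, Counter())[ev["protection"]] += 1
    return summary

# Constructed sample events (assumed fields, documentation addresses).
CONN_A = ("198.51.100.5", 40000, "192.0.2.10", 443)
CONN_B = ("198.51.100.6", 40001, "192.0.2.10", 443)
SAMPLE = [
    {"ts": 10, "protection": "TCP Out of Sequence", "conn": CONN_A, "window": 1},
    {"ts": 11, "protection": "TCP Out of Sequence", "conn": CONN_A, "window": 1},   # suppressed
    {"ts": 12, "protection": "TCP Out of Sequence", "conn": CONN_A, "window": 2},   # new window
    {"ts": 13, "protection": "TCP Invalid Checksum", "conn": CONN_A, "window": 2},
    {"ts": 14, "protection": "TCP Invalid Checksum", "conn": CONN_A, "window": 3},  # suppressed
    {"ts": 3700, "protection": "TCP Invalid Checksum", "conn": CONN_B, "window": 1},
]

if __name__ == "__main__":
    print([e["ts"] for e in throttle(SAMPLE)])
    print(hourly_summary(SAMPLE))
```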
For supported versions of Security Gateway, contact Check Point Support to get a required Hotfix that adds the kernel parameter fwpslglue_log_ctrl. A Support Engineer will make sure the Hotfix is compatible with your environment before providing the Hotfix. For faster resolution and verification, please collect CPInfo files from the Security Management Server and Security Gateways involved in the case.