Traffic is dropped by Security Gateway without a log; or dropped with IPS log when IPS blade is disabled, or when IPS protection is in 'Inactive' / 'Detect' / 'Details' state

Support Center > Search Results > SecureKnowledge Details

Technical Level

Solution ID	sk98081
Technical Level
Product	IPS
Version	All
Platform / Model	All
Date Created	03-Mar-2014
Last Modified	07-Mar-2018

Symptoms

Traffic is dropped by Security Gateway in one of the following ways:
- Traffic is dropped without a log
- Although IPS blade is disabled, IPS log is still issued
In addition, there is a list of IPS protections with non-standard activation (explained below).

Cause

Security Gateway might drop traffic:

No.	IPS Protection / Feature	Behavior	General Description	Comments
1	Non Compliant CIFS	Traffic is dropped without any log	In versions lower than R77.10 and in R77.10, such drop could occur if a certain CIFSv1 command is shorter than expected. Usually, but not always, reflects a malformed message. For example, '`SMB_WRITE`' command that is only 3 bytes long. In versions lower than R77.10, drops could occur in case of multiple concurrent DCE-RPC over CIFS sessions on the same connection.	Expected Behavior: Do not drop the traffic if IPS blade is disabled. Issue a log when traffic is dropped. Contact Check Point Support to get a Hotfix for this issue.
2	SNMP, SNMP Enforcement	Traffic is dropped, and IPS log is generated	Even when IPS blade is disabled, SNMPv1 traffic and SNMPv2 traffic will be dropped, and IPS log will be generated, if user has selected '`SNMP_V3`' in the '`Protocol Type:`' field of a service (right-click on a service - select '`Edit...`' - click on '`Advanced...`' button) and installed policy.	Expected Behavior: User should not be allowed to select IPS Protocol Type for FireWall services. Planned to be fixed in future versions.
3	HTTP Inspection	Connection is terminated and IPS log is issued titled as "`General Notice`"	In versions lower than R77.10, various Software Blades can instruct HTTP parser to hold the traffic on a specific connection. When TCP timeout occurs for the hold connection, the log is always issued as IPS log, even when the IPS blade is disabled.	Expected Behavior: The Software Blade that called HTTP parser, should issue the log when necessary. The fix for this issue is included in R77.10. For versions lower than R77.10, contact Check Point Support to get a Hotfix for this issue.
4	SCCP (Skinny)	Traffic is dropped, and IPS log is generated	When the Security Gateway is configured to drop SCCP broadcast traffic, such drops are logged as IPS even when IPS blade is disabled.	Expected Behavior: FireWall log should be issued, if IPS blade is disabled. Contact Check Point Support to get a Hotfix for this issue.
5	SIP	Traffic is dropped, and IPS log is generated	SmartView Tracker logs show that SIP packets are dropped by IPS: `Product: IPS Protocol: udp Attack: Malformed SIP datagram Attack Information: Invalid or no 'CSEQ' field`	Expected Behavior: FireWall log should be issued, if IPS blade is disabled. For more information, refer to sk57060. Contact Check Point Support to get a Hotfix for this issue.

IPS protections with non-standard activation:

Most of the IPS protections can be configured to be Inactive, to run in Detect mode, or to run in Prevent mode.

There are IPS protections that have to be configured in a different way and cannot be switched between various activation modes in a regular way (each category is elaborated below):

Protections with "Details" action only.
Example:
Protections that should be manually set to run in "Detect" mode and cannot be set to run in "Inactive" mode.
Protections that can be configured and set to run in desired activation mode, through advanced protection dialog only.

The following table summarizes IPS protections with "Details" action only:

No.	IPS Protection	Might drop traffic?	Scenario
1	SIP - General Settings	Yes	Configurable to block dynamic ports on different services, timeout, NAT, etc.
2	H.323 - General Settings	Yes	Configurable to timeout, Dynamic Pinholing, Dynamic connection opening, etc.
3	MGCP - General Settings	Yes	Allow / Disallow certain commands.
4	SCCP - General Settings	Yes	Configurable to block dynamic port opening for media channels.
5	Syslog Relay Server List	No	Controls behavior of other features, such as: Malicious code protector for syslog.
6	IP Fragments	Yes	Configurable to drop incomplete packets after N seconds.
7	Fingerprint Scrambling - General Settings	No	Actively change the packet according to configuration.
8	Mail Global Protection Scope	No	Configure the scope of the protection.
9	SMTP Content	Yes	Configurable maximum of allowed bad commands. Only for R65 version and earlier.
10	Mail and Recipient Content	No	Actively change the packet according to configuration.
11	FTP Security Server - General Settings	No	Configure the scope of the protection.
12	Microsoft Networks - General Settings	Yes	Configurable to strict correctness and scope of the protection. Only for R65 version and earlier.
13	Peer to Peer - Global Exclusion Settings	No	Controls behavior of other features. Only for R65 version and earlier.
14	Instant Messengers - Global Exclusion Settings	No	Controls behavior of other features. Only for R65 version and earlier.
15	MSN Messenger - General Settings	No	Controls behavior of other features. Only for R65 version and earlier.
16	DNS - General Settings	No	Controls behavior of other features.
17	VoIP Denial of Service	Yes	Enable / Disable protection and configure the amount of calls allowed per minute.
18	H. 323	Yes	Drop H.323 calls that do not start with a '`SETUP`' message.
19	SIP Protections	Yes	Verify SIP header content. Blocks Non-compliant SIP Traffic.
20	SIP Custom Properties	Yes	Various configuration properties.
21	SIP Filtering	Yes	Application filtering - Video / Audio instant messaging, etc.
22	MGCP	Yes	Allow / Disallow commands.
23	SCCP (Skinny)	Yes	Configurable parameters to drop/reject the traffic.
24	HTTP Protocol - General Settings	No	Affects behavior of other legacy Web Intelligence protections.
25	Gzip Enforcement	Yes	Configurable parameters.

The following list summarizes IPS protections that should be manually set to run in "Detect" mode and cannot be set to run in "Inactive" mode:

The following Security Gateway protections enforce essential sanity assumptions for protocol parsers.
By design, these protections continue to block traffic even if IPS blade is disabled, as long as one of the Software Blades that require the parser is enabled, and these protections will generate Firewall logs.
If you set the IPS profile to run in "Detect" mode, these protections remain in "Prevent" mode. User can manually set these protections to run in "Detect" mode.

Note: It is highly recommended to keep these protections in "Prevent" mode. Otherwise, data inspection by Security Gateway might become insecure.

Stream Inspection Timeout
TCP Invalid Checksum
TCP Invalid Retransmission
TCP Out of Sequence
TCP Segment Limit Enforcement
TCP SYN Modified Retransmission
TCP Urgent Data Enforcement

The following list summarizes IPS protections that can be configured and set to run in desired activation mode, through advanced protection dialog only:

Dynamic Ports
Host Port Scan
SNMP
Sweep Scan

To change the settings of these protections, double-click on the protection to open the advanced configuration dialog.

Solution

Note: To view this solution you need to Sign In .