Traffic is dropped by Security Gateway without a log; or dropped with IPS log when IPS blade is disabled, or when IPS protection is in 'Inactive' / 'Detect' / 'Details' state
Symptoms
  • Traffic is dropped by Security Gateway in one of the following ways:
    • Traffic is dropped without a log.
    • Although the IPS blade is disabled, an IPS log is still issued.
  • In addition, there is a list of IPS protections with non-standard activation (explained below).
Cause

Security Gateway might drop traffic:

  1. Non Compliant CIFS
     Behavior: Traffic is dropped without any log.
     General Description: In versions lower than R77.10 and in R77.10, such a drop could occur if a certain CIFSv1 command is shorter than expected. This usually, but not always, reflects a malformed message, for example an 'SMB_WRITE' command that is only 3 bytes long. In versions lower than R77.10, drops could also occur in case of multiple concurrent DCE-RPC over CIFS sessions on the same connection.
     Expected Behavior:
       • Do not drop the traffic if the IPS blade is disabled.
       • Issue a log when traffic is dropped.
     Comments: Contact Check Point Support to get a Hotfix for this issue.

  2. SNMP, SNMP Enforcement
     Behavior: Traffic is dropped, and an IPS log is generated.
     General Description: Even when the IPS blade is disabled, SNMPv1 traffic and SNMPv2 traffic will be dropped, and an IPS log will be generated, if the user has selected 'SNMP_V3' in the 'Protocol Type:' field of a service (right-click on a service, select 'Edit...', click on the 'Advanced...' button) and installed the policy.
     Expected Behavior:
       • The user should not be allowed to select an IPS Protocol Type for FireWall services.
     Comments: Planned to be fixed in future versions.

  3. HTTP Inspection
     Behavior: The connection is terminated and an IPS log titled "General Notice" is issued.
     General Description: In versions lower than R77.10, various Software Blades can instruct the HTTP parser to hold the traffic on a specific connection. When a TCP timeout occurs for the held connection, the log is always issued as an IPS log, even when the IPS blade is disabled.
     Expected Behavior:
       • The Software Blade that called the HTTP parser should issue the log when necessary.
     Comments: The fix for this issue is included in R77.10. For versions lower than R77.10, contact Check Point Support to get a Hotfix for this issue.

  4. SCCP (Skinny)
     Behavior: Traffic is dropped, and an IPS log is generated.
     General Description: When the Security Gateway is configured to drop SCCP broadcast traffic, such drops are logged as IPS even when the IPS blade is disabled.
     Expected Behavior:
       • A FireWall log should be issued if the IPS blade is disabled.
     Comments: Contact Check Point Support to get a Hotfix for this issue.

  5. SIP
     Behavior: Traffic is dropped, and an IPS log is generated.
     General Description: SmartView Tracker logs show that SIP packets are dropped by IPS:

       Product: IPS
       Protocol: udp
       Attack: Malformed SIP datagram
       Attack Information: Invalid or no 'CSEQ' field

     Expected Behavior:
       • A FireWall log should be issued if the IPS blade is disabled.
     Comments: For more information, refer to sk57060. Contact Check Point Support to get a Hotfix for this issue.
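To find the cases above in your own logs, the following added example (not Check Point code, and not part of this sk) parses exported SmartView Tracker records and flags IPS-attributed drops that originate from gateways whose IPS blade is disabled, matching the attack names this sk quotes. It assumes a 'Field: value' export format with blank lines between records, that the 'Origin' and 'Action' fields are present, and a constructed gateway inventory.

```python
# Added example (not Check Point code): triage SmartView Tracker export records
# for IPS-attributed drops from gateways whose IPS blade is disabled.
# Assumptions: records are 'Field: value' lines separated by a blank line, the
# 'Origin' and 'Action' fields are present, and the inventory below is constructed.

# Constructed inventory: is the IPS blade enabled on each gateway? (assumption)
IPS_BLADE_ENABLED = {"gw-branch-1": False, "gw-dc-1": True}

# Attack names quoted in this sk, mapped to the case they match.
KNOWN_CASES = {
    "Malformed SIP datagram": "Case 5: SIP (see sk57060)",
    "General Notice": "Case 3: HTTP Inspection (fixed in R77.10)",
}

def parse_records(text: str) -> list[dict[str, str]]:
    """Split an export into records, one dict of field -> value per record."""
    records, current = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line:                      # blank line ends a record
            if current:
                records.append(current)
            current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records

def find_unexpected_ips_drops(records, inventory=IPS_BLADE_ENABLED):
    """One finding per IPS drop logged by a gateway with the IPS blade disabled."""
    findings = []
    for rec in records:
        if rec.get("Product") != "IPS" or rec.get("Action") != "Drop":
            continue
        gw = rec.get("Origin", "")
        if inventory.get(gw, True):       # unknown gateways: assume IPS enabled
            continue
        attack = rec.get("Attack", "")
        findings.append({"origin": gw, "attack": attack,
                         "case": KNOWN_CASES.get(attack, "not covered by this sk")})
    return findings

# Constructed sample export: the SIP record from this sk plus two control records.
SAMPLE_EXPORT = (
    "Origin: gw-branch-1\nProduct: IPS\nAction: Drop\nProtocol: udp\n"
    "Attack: Malformed SIP datagram\nAttack Information: Invalid or no 'CSEQ' field\n\n"
    "Origin: gw-dc-1\nProduct: IPS\nAction: Drop\nAttack: Malformed SIP datagram\n\n"
    "Origin: gw-branch-1\nProduct: Firewall\nAction: Drop\nProtocol: tcp\n"
)
```

Running `find_unexpected_ips_drops(parse_records(SAMPLE_EXPORT))` returns only the gw-branch-1 SIP record, since gw-dc-1 has IPS enabled and the Firewall record is expected.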


IPS protections with non-standard activation:

Most of the IPS protections can be configured to be Inactive, to run in Detect mode, or to run in Prevent mode.

There are IPS protections that have to be configured in a different way and cannot be switched between various activation modes in a regular way (each category is elaborated below):

  1. Protections with "Details" action only.
  2. Protections that should be manually set to run in "Detect" mode and cannot be set to run in "Inactive" mode.
  3. Protections that can be configured and set to run in the desired activation mode through the advanced protection dialog only.


The following table summarizes IPS protections with "Details" action only:

Each entry lists the protection, whether it might drop traffic, and the scenario it covers:

  1. SIP - General Settings (might drop traffic: Yes): Configurable to block dynamic ports on different services, timeout, NAT, etc.
  2. H.323 - General Settings (might drop traffic: Yes): Configurable to timeout, Dynamic Pinholing, Dynamic connection opening, etc.
  3. MGCP - General Settings (might drop traffic: Yes): Allow / Disallow certain commands.
  4. SCCP - General Settings (might drop traffic: Yes): Configurable to block dynamic port opening for media channels.
  5. Syslog Relay Server List (might drop traffic: No): Controls behavior of other features, such as Malicious code protector for syslog.
  6. IP Fragments (might drop traffic: Yes): Configurable to drop incomplete packets after N seconds.
  7. Fingerprint Scrambling - General Settings (might drop traffic: No): Actively changes the packet according to configuration.
  8. Mail Global Protection Scope (might drop traffic: No): Configures the scope of the protection.
  9. SMTP Content (might drop traffic: Yes): Configurable maximum of allowed bad commands. Only for R65 version and earlier.
  10. Mail and Recipient Content (might drop traffic: No): Actively changes the packet according to configuration.
  11. FTP Security Server - General Settings (might drop traffic: No): Configures the scope of the protection.
  12. Microsoft Networks - General Settings (might drop traffic: Yes): Configurable to strict correctness and scope of the protection. Only for R65 version and earlier.
  13. Peer to Peer - Global Exclusion Settings (might drop traffic: No): Controls behavior of other features. Only for R65 version and earlier.
  14. Instant Messengers - Global Exclusion Settings (might drop traffic: No): Controls behavior of other features. Only for R65 version and earlier.
  15. MSN Messenger - General Settings (might drop traffic: No): Controls behavior of other features. Only for R65 version and earlier.
  16. DNS - General Settings (might drop traffic: No): Controls behavior of other features.
  17. VoIP Denial of Service (might drop traffic: Yes): Enable / Disable protection and configure the amount of calls allowed per minute.
  18. H.323 (might drop traffic: Yes): Drops H.323 calls that do not start with a 'SETUP' message.
  19. SIP Protections (might drop traffic: Yes): Verifies SIP header content. Blocks non-compliant SIP traffic.
  20. SIP Custom Properties (might drop traffic: Yes): Various configuration properties.
  21. SIP Filtering (might drop traffic: Yes): Application filtering - Video / Audio instant messaging, etc.
  22. MGCP (might drop traffic: Yes): Allow / Disallow commands.
  23. SCCP (Skinny) (might drop traffic: Yes): Configurable parameters to drop/reject the traffic.
  24. HTTP Protocol - General Settings (might drop traffic: No): Affects behavior of other legacy Web Intelligence protections.
  25. Gzip Enforcement (might drop traffic: Yes): Configurable parameters.


The following list summarizes IPS protections that should be manually set to run in "Detect" mode and cannot be set to run in "Inactive" mode:

The following Security Gateway protections enforce essential sanity assumptions for the protocol parsers.
By design, these protections continue to block traffic even if the IPS blade is disabled, as long as one of the Software Blades that require the parser is enabled; in that case these protections generate Firewall logs rather than IPS logs.
If you set the IPS profile to run in "Detect" mode, these protections remain in "Prevent" mode. The user can manually set these protections to run in "Detect" mode.

Note: It is highly recommended to keep these protections in "Prevent" mode. Otherwise, data inspection by Security Gateway might become insecure.

  • Stream Inspection Timeout
  • TCP Invalid Checksum
  • TCP Invalid Retransmission
  • TCP Out of Sequence
  • TCP Segment Limit Enforcement
  • TCP SYN Modified Retransmission
  • TCP Urgent Data Enforcement


The following list summarizes IPS protections that can be configured and set to run in desired activation mode, through advanced protection dialog only:

  • Dynamic Ports
  • Host Port Scan
  • SNMP
  • Sweep Scan

To change the settings of these protections, double-click on the protection to open the advanced configuration dialog.

