Corpus Solutions


CORPUS SOLUTIONS SECURITY ADVISORY: CheckPoint - Problematic IPS updates

20. 07. 2020

This advisory concerns problems with updates of the IPS module of CheckPoint systems. We recommend temporarily disabling automatic IPS updates and checking whether the problematic versions 634204548 or 635204548 have been downloaded to your systems. If you have already downloaded them, please use the resolution procedure below.

Resolution:

It’s come to our attention that a recent IPS update is resulting in outages.
The problematic updates are:
634204548 or 635204548

The impact:

  • After the IPS update, many drops are observed (via fw ctl zdebug + drop on the CLI), dropped by fwmultik_process_f2p_cookie_inner, Reason: PSL Drop: TLS_PARSER

  • The following may be seen in /var/log/messages:

kernel: [fw4_4];ips_gen_dyn_log: malware_policy_global_send_log() failed

  • High CPU utilization and traffic impact
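As an added example (not part of the advisory and not Check Point's own tooling), a small POSIX shell check that scans excerpts of /var/log/messages and "fw ctl zdebug + drop" output for the two indicators quoted above and flags the known-bad IPS package versions. The sample lines are constructed; only the quoted fragments come from the advisory, the surrounding timestamps, addresses and log fields are assumptions.

```shell
#!/bin/sh
# Constructed sample excerpts modelled on the indicators in the advisory
# (timestamps, hostnames and addresses are made up, not real gateway output).
SAMPLE_MESSAGES='Jul 20 10:01:02 gw kernel: [fw4_4];ips_gen_dyn_log: malware_policy_global_send_log() failed
Jul 20 10:01:03 gw kernel: [fw4_4];ips_gen_dyn_log: malware_policy_global_send_log() failed
Jul 20 10:01:05 gw sshd[1234]: Accepted publickey for admin'
SAMPLE_ZDEBUG=';[cpu_3];[fw4_3];fw_log_drop_ex: Packet proto=6 10.0.0.5:51000 -> 198.51.100.7:443 dropped by fwmultik_process_f2p_cookie_inner Reason: PSL Drop: TLS_PARSER;
;[cpu_1];[fw4_1];fw_log_drop_ex: Packet proto=17 10.0.0.9:5353 -> 224.0.0.251:5353 dropped by fw_send_log_drop Reason: Rulebase drop;'

# IPS package versions named as problematic in the advisory.
BAD_VERSIONS="634204548 635204548"

# Count lines on stdin containing a fixed string (grep -c exits 1 on zero
# matches, so "|| true" keeps the count usable under set -e).
count_matches() { grep -cF -- "$1" || true; }

# Print 1 if the given IPS package version is a known-bad one, else 0.
is_bad_ips_version() {
  for v in $BAD_VERSIONS; do
    [ "$1" = "$v" ] && { echo 1; return 0; }
  done
  echo 0
}

# Succeed (exit 0) only when both indicators from the advisory are present:
# $1 = /var/log/messages text, $2 = "fw ctl zdebug + drop" output.
advisory_symptoms_present() {
  msg_hits=$(printf '%s\n' "$1" | count_matches 'ips_gen_dyn_log: malware_policy_global_send_log() failed')
  drop_hits=$(printf '%s\n' "$2" | count_matches 'Reason: PSL Drop: TLS_PARSER')
  echo "malware_policy_global_send_log failures: $msg_hits, TLS_PARSER drops: $drop_hits"
  [ "$msg_hits" -gt 0 ] && [ "$drop_hits" -gt 0 ]
}

# Usage on a live gateway would replace the samples with real file/command output.
if advisory_symptoms_present "$SAMPLE_MESSAGES" "$SAMPLE_ZDEBUG"; then
  echo "symptoms match the advisory: check the installed IPS package version"
fi
```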

Short term remediation:

  • Re-enable IPS on the gateway object if it was disabled as a workaround.

  • Ensure that updates are not set to automatic gateway updates (see sk120255 for more info):

a. Open Gateway Object in SmartConsole

b. Go to IPS tab (blade must be enabled)

c. Under “IPS Update Policy” select “Use IPS management updates”

  • Revert to the previous good IPS database update:

a. Under the “Security Policies” tab, select Threat Prevention or IPS policy

b. Under “Threat Tools” (left hand side) select “Updates”

c. Click the arrow next to “Update Now” and select “Switch to version…”

d. Select a previous version that is not 634204548 or 635204548 and click “Switch”. Note that it may take some time for the previous versions to populate if there are many of them; look at the top right of the dialogue box where it says “# items”.

e. The update will be pushed to the gateways

f. Clear any scheduled updates from the “scheduled updates” option

  • Turn IPS back on on the gateway if the “IPS off” command was used to disable it via the CLI, then test traffic.

Best practices for updates and IPS implementation:

This document (while it is written for R80.10, it is still relevant for newer versions) contains our best practices recommendations for IPS profile implementation and for updates:
https://sc1.checkpoint.com/documents/Best_Practices/IPS_Best_Practices/CP_R80.10_IPS_Best_Practices/html_frameset.htm

Alternatively, disabling TLS parsing for IPS is a secondary workaround. However, this degrades IPS protections and is therefore not the recommended path at this time. Nonetheless, if customers are experiencing severe issues, they can use this command on the gateway:

fw ctl set int tls_parser_enable 0

Tip: you can subscribe to all Security Advisories from Corpus Solutions as an RSS feed