Troubleshooting

In This Section: Troubleshooting the Threat Extraction Blade Troubleshooting Threat Emulation Troubleshooting IPS for a Security Gateway

Troubleshooting the Threat Extraction Blade

This section covers common problems and solutions.

The Threat Extraction blade fails to extract threats from emails belonging to LDAP users

In Global Properties > User Directory, make sure that you have selected the Use User Directory for Security Gateways option.

Mails with threats extracted do not reach recipients

1. Make sure the gateway passed the MTA connectivity test during the First Time Configuration Wizard.
   1. Disable then enable the Threat Extraction blade.
   2. Complete the First Time Configuration Wizard again.
   3. Make sure the wizard passes the connectivity test.
2. Test the connection to the target MTA.
   1. Open a command prompt on the gateway.
   2. Telnet to port 25 of the designated Mail Transfer Agent.

Threat Extraction fails to extract threats from emails

1. Open SmartConsole > Gateway Properties > Mail Transfer Agent.
2. Make sure you selected Enable as Mail Transfer Agent.
3. Access the organizations mail relay. Configure the Threat Extraction gateway as the relay's next hop.

Users have stopped receiving emails

1. On the gateway command line interface, run: scrub queues.

   If the queues are flooded with requests, the Threat Extraction load is too high for the gateway.

   1. Bypass the scrub daemon.

      Run: scrub bypass on.

   2. Ask affected users if they are now receiving their emails. If they are, reactivate Threat Extraction.

      To reactivate, run: scrub bypass off.

2. Make sure the queue is not full.
   1. Run:

      /opt/postfix/usr/sbin/postqueue -c /opt/postfix/etc/postfix/ -p

   2. If the queue is full, empty the queue.

      Run:

      /opt/postfix/usr/sbin/postsuper -c /opt/postfix/etc/postfix/ -d ALL

      Emptying the queue loses the emails

   3. To prevent losing important emails, flush the queue. Flushing forcefully resends queued emails.

      Run:

      /opt/postfix/usr/sbin/postfix -c /opt/postfix/etc/postfix/ flush

3. If queues remain full, make sure that the MTA is not overloading the gateway with internal requests. The MTA should be scanning only emails from outside of the organization.

Users have no access to original attachments

Make sure users are able to access the UserCheck portal from the e-mail they get when an attachment is cleaned.

1. Click the link sent to users.
2. Make sure that the UserCheck Portal opens correctly.
3. If users are not able to access the UserCheck portal but see the Gaia portal instead, make sure that accessibility to the UserCheck portal is correctly configured.
   1. In SmartConsole, open Gateway Properties > UserCheck.
   2. Under Accessibility, click Edit.
   3. Make sure the correct option is selected according to the topology of the gateway.
4. Open CPView.

   Make sure the access to original attachments statistic is no longer zero.

Attachments are not scanned by Threat Extraction

The scanned attachment statistic in CPView fails to increment.

On the gateway:

1. Make sure that the disk or directories on the gateway are not full.
   1. Run df –h on the root directory of the disk
   2. Run df -h on: /var/log
2. Make sure directories used by Threat Extraction can be written to.

   Run:

   1. touch /tmp/scrub/test
   2. touch /var/log/jail/tmp/scrub/test
   3. touch $FWDIR/tmp/email_tmp/test

CPView shows Threat Extraction errors

In CPview > Software-blades > Threat-extraction > File statistics, the number for internal errors is high compared to the total number of emails.

1. Open the Logs & Monitor view.
2. In the query search bar, enter: blade: Threat Extraction.
3. Right-click the table heading and select Edit Profile.
4. Add Threat Extraction Activity to the Selected Fields.

If the ThreatSpect engine is overloaded or fails while inspecting an attachment, a log is generated. By default, attachments responsible for log errors are still sent to email recipients. To prevent these attachments being sent, set the engine’s fail-over mode to Block all connections.

1. Go to Manage & Settings > Blades > Threat Prevention > Advanced Settings.
2. In the Fail Mode section, select Block all connections (fail-close).

The Threat Extraction blade continues to scan, but attachments that generate internal system errors are prevented from reaching the recipient.

Corrupted attachments cannot be cleaned, and by default generate log entries in the Logs & Monitor view. Corrupted attachments are still sent to the email recipient. To prevent corrupted attachments from reaching the recipient:

1. In SmartConsole, open Threat Prevention > Profiles > Profile > Threat Extraction Settings >.
2. In the Threat Extraction Exceptions area, select Block for attachments.

Attachments look disordered after conversion to PDF

1. In Security Policies > Threat Prevention > policy, right-click the Action column and select Edit.
2. In Threat Extraction > File Types, select Process specific file types and click Configure.

   The File Types Configuration window opens.

3. For the pdf file type, set the extraction method to clean.

To check MTA connectivity on a Virtual System:

1. Open an ssh connection to the gateway.
2. Go to expert mode.
3. Run vsenv <VS #>
4. Run touch $FWDIR/conf/scrub_connectivity_results.txt
5. Run /etc/fw/scripts/scrub_cvsenvheck_connectivity.sh <mail server IP> $FWDIR/conf/scrub_connectivity_results.txt
6. Check $FWDIR/conf/scrub_connectivity_results.txt and see the result

Troubleshooting Threat Emulation

Using MTA with ClusterXL

When you enable MTA with a ClusterXL deployment, make sure that the standby cluster member is also able to connect to one or more of the next hops. If not, it is possible that when there is a failover to the standby member, emails in the MTA do not go to their destination.

Configuring Postfix for MTA

The Check Point MTA uses Postfix, and you can add custom user-defined Postfix options (http://www.postfix.org/postconf.5.html).

To add Postfix options:

1. From the Security Gateway CLI, create the file $FWDIR/conf/mta_postfix_options.cf
2. Edit the file and add the definitions.
3. Save the file.
4. Install the Threat Prevention policy.

Problems with Email Emulation

Best Practice - If you are blocking SMTP traffic with the Prevent action, we recommend that you enable MTA on the Security Gateway. If you do not enable the MTA, it is possible that emails are dropped and do not reach the mail server.

Troubleshooting IPS for a Security Gateway

IPS includes the ability to temporarily stop protections on a Security Gateway set to Prevent from blocking traffic. This is useful when troubleshooting an issue with network traffic.

To enable Detect-Only for Troubleshooting:

1. In SmartConsole, click Gateways & Servers and double-click the Security Gateway.

   The gateway window opens and shows the General Properties page.

2. From the navigation tree, click IPS.
3. In the Activation Mode section, click Detect Only.
4. Click OK.
5. Install Policy.

   All protections set to Prevent allow traffic to pass, but continue to track threats according to the Track setting.