This section covers common problems and solutions.
The Threat Extraction blade fails to extract threats from emails belonging to LDAP users
In Global Properties > User Directory, make sure that you have selected the Use User Directory for Security Gateways option.
Mails with threats extracted do not reach recipients
Threat Extraction fails to extract threats from emails
Users have stopped receiving emails
scrub queues
If the queues are flooded with requests, the Threat Extraction load is too high for the gateway.
Run: scrub bypass on
To reactivate, run: scrub bypass off
/opt/postfix/usr/sbin/postqueue -c /opt/postfix/etc/postfix/ -p
Run:
/opt/postfix/usr/sbin/postsuper -c /opt/postfix/etc/postfix/ -d ALL
Emptying the queue loses the emails
Run:
/opt/postfix/usr/sbin/postfix -c /opt/postfix/etc/postfix/ flush
Users have no access to original attachments
Make sure users are able to access the UserCheck portal from the e-mail they get when an attachment is cleaned.
Make sure the access to original attachments statistic is no longer zero.
Attachments are not scanned by Threat Extraction
The scanned attachment statistic in CPView fails to increment.
On the gateway:
df -h on the root directory of the disk
df -h on: /var/log
Run:
touch /tmp/scrub/test
touch /var/log/jail/tmp/scrub/test
touch $FWDIR/tmp/email_tmp/test
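The df and touch checks above, combined into one script as an added example (not Check Point code). The function names and the 90% usage limit are assumptions; the paths to pass are the ones from the steps above.

```shell
#!/bin/bash
# Added example, not Check Point code. Function names and the 90% limit are assumptions.
MAX_USE_PCT="${MAX_USE_PCT:-90}"

# Print the Use% (digits only) of the filesystem that holds path $1.
fs_use_pct() {
    df -P "$1" 2>/dev/null | awk 'NR==2 { gsub("%", "", $5); print $5 }'
}

# df check: count every path whose filesystem is at or above MAX_USE_PCT.
# Returns the number of failed paths (0 = all have room).
check_free_space() {
    failures=0
    for path in "$@"; do
        pct=$(fs_use_pct "$path")
        case "$pct" in
            ''|*[!0-9]*) echo "FAIL  $path: cannot read disk usage"
                         failures=$((failures + 1)); continue ;;
        esac
        if [ "$pct" -ge "$MAX_USE_PCT" ]; then
            echo "FAIL  $path: ${pct}% used (limit ${MAX_USE_PCT}%)"
            failures=$((failures + 1))
        else
            echo "OK    $path: ${pct}% used"
        fi
    done
    return "$failures"
}

# touch check: create and remove a probe file in each directory.
# Returns the number of directories where the file could not be created.
check_writable() {
    failures=0
    for dir in "$@"; do
        probe="$dir/.scrub_probe.$$"
        if touch "$probe" 2>/dev/null; then
            rm -f "$probe"
            echo "OK    $dir: writable"
        else
            echo "FAIL  $dir: cannot create a file (missing, read-only or full)"
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# On the gateway:
#   check_free_space / /var/log
#   check_writable /tmp/scrub /var/log/jail/tmp/scrub "$FWDIR/tmp/email_tmp"
```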
CPView shows Threat Extraction errors
In CPView > Software-blades > Threat-extraction > File statistics, the number for internal errors is high compared to the total number of emails.
If the ThreatSpect engine is overloaded or fails while inspecting an attachment, a log is generated. By default, attachments responsible for log errors are still sent to email recipients. To prevent these attachments being sent, set the engine’s fail-over mode to Block all connections.
The Threat Extraction blade continues to scan, but attachments that generate internal system errors are prevented from reaching the recipient.
Corrupted attachments cannot be cleaned, and by default generate log entries in the Logs & Monitor view. Corrupted attachments are still sent to the email recipient. To prevent corrupted attachments from reaching the recipient:
Attachments look disordered after conversion to PDF
The File Types Configuration window opens.
To check MTA connectivity on a Virtual System:
vsenv <VS #>
touch $FWDIR/conf/scrub_connectivity_results.txt
/etc/fw/scripts/scrub_check_connectivity.sh <mail server IP> $FWDIR/conf/scrub_connectivity_results.txt
$FWDIR/conf/scrub_connectivity_results.txt and see the result
When you enable MTA with a ClusterXL deployment, make sure that the standby cluster member is also able to connect to one or more of the next hops. If not, it is possible that when there is a failover to the standby member, emails in the MTA do not go to their destination.
The Check Point MTA uses Postfix, and you can add custom user-defined Postfix options (http://www.postfix.org/postconf.5.html).
To add Postfix options:
$FWDIR/conf/mta_postfix_options.cf
Best Practice - If you are blocking SMTP traffic with the Prevent action, we recommend that you enable MTA on the Security Gateway. If you do not enable the MTA, it is possible that emails are dropped and do not reach the mail server.
IPS includes the ability to temporarily stop protections on a Security Gateway set to Prevent from blocking traffic. This is useful when troubleshooting an issue with network traffic.
To enable Detect-Only for Troubleshooting:
The gateway window opens and shows the General Properties page.
All protections set to Prevent allow traffic to pass, but continue to track threats according to the Track setting.