Troubleshooting

Troubleshooting the Threat Extraction Blade

This section covers common problems and solutions.

Mails with threats extracted do not reach recipients

Step	Instructions
1	Make sure the Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. passed the MTA connectivity test during the First Time Configuration Wizard. Disable then enable the Threat Extraction Check Point Software Blade on a Security Gateway that removes malicious content from files. Acronym: TEX. blade. Complete the First Time Configuration Wizard again. Make sure the wizard passes the connectivity test.
2	Test the connection to the target MTA. Connect to the command line on the Security Gateway. Log in to the Expert mode. Connect with Telnet to port 25 of the designated Mail Transfer Agent Feature on a Security Gateway that intercepts SMTP traffic and forwards it to the applicable inspection component. Acronym: MTA..

Step

Instructions

Make sure the Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. passed the MTA connectivity test during the First Time Configuration Wizard.

Disable then enable the Threat Extraction Check Point Software Blade on a Security Gateway that removes malicious content from files. Acronym: TEX. blade.
Complete the First Time Configuration Wizard again.
Make sure the wizard passes the connectivity test.

Test the connection to the target MTA.

Connect to the command line on the Security Gateway.
Log in to the Expert mode.
Connect with Telnet to port 25 of the designated Mail Transfer Agent Feature on a Security Gateway that intercepts SMTP traffic and forwards it to the applicable inspection component. Acronym: MTA..

Threat Extraction fails to extract threats from emails

Step	Instructions
1	Open SmartConsole > Gateway Properties > Mail Transfer Agent.
2	Make sure you selected Enable as Mail Transfer Agent.
3	Access the organizations mail relay. Configure the Threat Extraction gateway as the relay's next hop.

Users have stopped receiving emails

Step

Instructions

On the gateway command line interface, run:

scrub queues

If the queues are flooded with requests, the Threat Extraction load is too high for the Security Gateway.

Bypass the scrub daemon.

Run:

scrub bypass on

Ask UserCheck rule action that blocks traffic and files and shows a UserCheck message. The user can agree to allow the activity. affected users if they are now receiving their emails. If they are, reactivate Threat Extraction.

To reactivate the scrub daemon, run:

scrub bypass off

Make sure the queue is not full.

Run:

/opt/postfix/usr/sbin/postqueue -c /opt/postfix/etc/postfix/ -p

If the queue is full, empty the queue.

Run:

/opt/postfix/usr/sbin/postsuper -c /opt/postfix/etc/postfix/ -d ALL

Important - When empty the queue, you lose the emails.

To prevent losing important emails, flush the queue. Flushing forcefully resends queued emails.

Run:

/opt/postfix/usr/sbin/postfix -c /opt/postfix/etc/postfix/ flush

If queues remain full, make sure that the MTA is not overloading the Security Gateway with internal requests.

The MTA should be scanning only emails from outside of the organization.

Users have no access to original attachments

Make sure users are able to access the UserCheck Functionality in your Security Gateway or Cluster and endpoint clients that gives users a warning when there is a potential risk of data loss or security violation. This helps users to prevent security incidents and to learn about the organizational security policy. portal from the e-mail they get when an attachment is cleaned.

Step	Instructions
1	Click the link sent to users.
2	Make sure that the UserCheck Portal opens correctly.
3	If users are not able to access the UserCheck portal but see the Gaia Check Point security operating system that combines the strengths of both SecurePlatform and IPSO operating systems. portal instead, make sure that accessibility to the UserCheck portal is correctly configured. In SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on., open Gateway Properties > UserCheck. Under Accessibility, click Edit. Make sure the correct option is selected according to the topology of the Security Gateway.
4	Open CPView. Make sure the "`access to original attachments`" statistic is no longer zero.

Attachments are not scanned by Threat Extraction

The scanned attachment statistic in CPView fails to increment.

On the Security Gateway:

Step	Instructions
1	Make sure that the disk or directories on the Security Gateway are not full. Run: `df -h /` Run: `df -h /var/log`
2	Make sure directories used by Threat Extraction can be written to. Run: `touch /tmp/scrub/test` `touch /var/log/jail/tmp/scrub/test` `touch $FWDIR/tmp/email_tmp/test`

Step

Instructions

Make sure that the disk or directories on the Security Gateway are not full.

Run:

df -h /
Run:

df -h /var/log

Make sure directories used by Threat Extraction can be written to.

Run:

touch /tmp/scrub/test
touch /var/log/jail/tmp/scrub/test
touch $FWDIR/tmp/email_tmp/test

CPView shows Threat Extraction errors

In CPView, on the Software-blades > Threat-extraction > File statistics page, the number for "internal errors" is high compared to the total number of emails.

If the ThreatSpect engine is overloaded or fails while inspecting an attachment, a log is generated. By default, attachments responsible for log errors are still sent to email recipients. To prevent these attachments being sent, set the engine's fail-over mode to Block all connections.

Step	Instructions
1	Go to Manage & Settings > Blades > Threat Prevention > Advanced Settings.
2	In the Fail Mode section, select Block all connections (fail-close).

The Threat Extraction blade continues to scan, but attachments that generate internal system errors are prevented from reaching the recipient.

Corrupted attachments cannot be cleaned, and by default generate log entries in the Logs & Monitor view. Corrupted attachments are still sent to the email recipient.

To prevent corrupted attachments from reaching the recipient

Step	Instructions
1	In SmartConsole, open Threat Prevention > Profiles > Profile > Threat Extraction Settings>.
2	In the Threat Extraction Exceptions area, select Block for attachments.

Attachments look disordered after conversion to PDF

Step	Instructions
1	In Security Policies > Threat Prevention > policy, right-click the Action column and select Edit.
2	In Threat Extraction > File Types, select Process specific file types and click Configure. The File Types Configuration window opens.
3	For the PDF file type, set the extraction method to Clean.

Step

Instructions

In Security Policies > Threat Prevention > policy, right-click the Action column and select Edit.

In Threat Extraction > File Types, select Process specific file types and click Configure.

The File Types Configuration window opens.

For the PDF file type, set the extraction method to Clean.

To check MTA connectivity on a VSX Virtual System

Step	Instructions
1	Connect to the command line on the VSX Gateway Physical server that hosts VSX virtual networks, including all Virtual Devices that provide the functionality of physical network devices. It holds at least one Virtual System, which is called VS0..
2	Log in to Gaia Clish The name of the default command line shell in Check Point Gaia operating system. This is a restricted shell (role-based administration controls the number of commands available in the shell)..
3	Go to the context of the applicable Virtual System: `vsenv <VSID>`
4	Create the file `scrub_connectivity_results.txt`: `touch $FWDIR/conf/scrub_connectivity_results.txt`
5	Test the connectivity with the Mail Server: `/etc/fw/scripts/scrub_cvsenvheck_connectivity.sh <IP Address of Mail Server> $FWDIR/conf/scrub_connectivity_results.txt`
6	Analyze this file: `$FWDIR/conf/scrub_connectivity_results.txt`

Troubleshooting Threat Emulation

Using MTA with ClusterXL

When you enable MTA with a ClusterXL deployment, make sure that the standby cluster member Security Gateway that is part of a cluster. is also able to connect to one or more of the next hops. If not, it is possible that when there is a failover to the standby member, emails in the MTA do not go to their destination.

Configuring Postfix for MTA

The Check Point MTA uses Postfix, and you can add custom user-defined Postfix options.

To add Postfix options

Step	Instructions
1	Connect to the command line on the Security Gateway.
1	Create the file `mta_postfix_options.cf`: `touch $FWDIR/conf/mta_postfix_options.cf`
2	Edit the file and add the definitions.
3	Save the changes in the file and exit the editor.
4	In SmartConsole, install the Threat Prevention policy.

Problems with Email Emulation

Best Practice - If you are blocking SMTP traffic with the Prevent UserCheck rule action that blocks traffic and files and can show a UserCheck message. action, we recommend that you enable MTA on the Security Gateway (see Configuring the Security Gateway as a Mail Transfer Agent). If you do not enable the MTA, it is possible that emails are dropped and do not reach the mail server.

Troubleshooting IPS for a Security Gateway

IPS Check Point Software Blade on a Security Gateway that inspects and analyzes packets and data for numerous types of risks (Intrusion Prevention System). includes the ability to temporarily stop protections on a Security Gateway set to Prevent from blocking traffic. This is useful when troubleshooting an issue with network traffic.

To enable Detect-Only for Troubleshooting

Step	Instructions
1	In SmartConsole, click Gateways & Servers and double-click the Security Gateway
2	From the left tree, click IPS.
3	In the Activation Mode section, click Detect Only.
4	Click OK.
5	Install the Access Control policy. All protections set to Prevent allow traffic to pass, but continue to track threats according to the Track setting.