Troubleshooting - Autonomous Threat Prevention

Troubleshooting the Threat Extraction Blade

This section covers common problems and solutions.

In Global Properties > User Directory, make sure that you have selected the Use User Directory for Security Gateways option.

Step

Instructions

1

On the gateway command line interface, run:

scrub queues

If the queues are flooded with requests, the Threat ExtractionClosed Check Point Software Blade on a Security Gateway that removes malicious content from files. Acronym: TEX. load is too high for the Security GatewayClosed Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources..

  1. Bypass the scrub daemon.

    Run:

    scrub bypass on

  2. AskClosed UserCheck rule action that blocks traffic and files and shows a UserCheck message. The user can agree to allow the activity. affected users if they are now receiving their emails. If they are, reactivate Threat Extraction.

    To reactivate the scrub daemon, run:

    scrub bypass off

2

Make sure the queue is not full.

  1. Run:

    /opt/postfix/usr/sbin/postqueue -c /opt/postfix/etc/postfix/ -p

  2. If the queue is full, empty the queue.

    Run:

    /opt/postfix/usr/sbin/postsuper -c /opt/postfix/etc/postfix/ -d ALL

    Important - When empty the queue, you lose the emails.

  3. To prevent losing important emails, flush the queue. Flushing forcefully resends queued emails.

    Run:

    /opt/postfix/usr/sbin/postfix -c /opt/postfix/etc/postfix/ flush

3

If queues remain full, make sure that the MTA is not overloading the Security Gateway with internal requests.

The MTA should be scanning only emails from outside of the organization.

Make sure users are able to access the UserCheckClosed Functionality in your Security Gateway or Cluster and endpoint clients that gives users a warning when there is a potential risk of data loss or security violation. This helps users to prevent security incidents and to learn about the organizational security policy. Portal from the e-mail they get when an attachment is cleaned.

Step

Instructions

1

Click the link sent to users.

2

Make sure that the UserCheck Portal opens correctly.

3

If users are not able to access the UserCheck Portal but see the GaiaClosed Check Point security operating system that combines the strengths of both SecurePlatform and IPSO operating systems. portal instead, make sure that accessibility to the UserCheck Portal is correctly configured.

  1. In SmartConsoleClosed Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on., open Gateway Properties > UserCheck.

  2. Under Accessibility, click Edit.

  3. Make sure the correct option is selected according to the topology of the Security Gateway.

4

Open CPView.

Make sure the "access to original attachments" statistic is no longer zero.

The scanned attachment statistic in CPView fails to increment.

On the Security Gateway:

Step

Instructions

1

Make sure that the disk or directories on the Security Gateway are not full.

  1. Run:

    df -h /

  2. Run:

    df -h /var/log

2

Make sure directories used by Threat Extraction can be written to.

Run:

  1. touch /tmp/scrub/test

  2. touch /var/log/jail/tmp/scrub/test

  3. touch $FWDIR/tmp/email_tmp/test

In CPView, on the Software-blades > Threat-extraction > File statistics page, the number for "internal errors" is high compared to the total number of emails.

If the ThreatSpect engine is overloaded or fails while inspecting an attachment, a log is generated. By default, attachments responsible for log errors are still sent to email recipients. To prevent these attachments being sent, set the engine's fail-over mode to Block all connections.

Step

Instructions

1

Go to Manage & Settings > Blades > Threat Prevention > Advanced Settings.

2

In the Fail Mode section, select Block all connections (fail-close).

Troubleshooting IPS for a Security Gateway

IPSClosed Check Point Software Blade on a Security Gateway that inspects and analyzes packets and data for numerous types of risks (Intrusion Prevention System). includes the ability to temporarily stop protections on a Security Gateway set to PreventClosed UserCheck rule action that blocks traffic and files and can show a UserCheck message. from blocking traffic. This is useful when troubleshooting an issue with network traffic.

Step

Instructions

1

In SmartConsole, click Gateways & Servers and double-click the Security Gateway

2

From the left tree, click IPS.

3

In the Activation Mode section, click Detect Only.

4

Click OK.

5

Install the Access Control policy.

All protections set to Prevent allow traffic to pass, but continue to track threats according to the Track setting.