
[ISSForum] SAM configuration - CheckPoint NG



I have ISS support working on this, but I haven't heard from them in like
two days, so who knows what's going on.

 

I have the following problem.

I have exchanged keys using opsec_putkey, fw putkey, and the IDS sensor and
the SmartCenter appear to talk properly, no errors.

 

However, when I configure a rule to utilize OPSEC and to notify -> block
service, I see the following in my /var/log/messages.

 

May 21 17:47:51 ids_1 ISS[4125]: (network_sensor_1) - send_sam_action( 4, 4, FW_Cluster, 32, 60, 0x0, 0x0, 0, 6 )

 

On my firewall I see SAM request, notify, src=0.0.0.0 dst=0.0.0.0 srv=0,
which means any,any,any.  Why isn't the IDS sending over the particular
source/destination/service?

 

Is there a flag somewhere, or something I need to change?

 

I also read the SAM configuration guide, no help.  I also found another
document that suggested that you need 4.1 backward compatibility installed,
however, I don't really think this is necessary, since the IDS and FW are
communicating, it's just that the IDS is not sending the appropriate
information.

 

Thanks,

 

Derek O'Flynn

Enterprise Information Security

LSU Health Sciences Center

doflyn@xxxxxxxxxx  (504)568-6130

 
