IPS Event Analysis authentication

[mark.edwards]

Our manager has recently been upgraded to R70.2 and as a result the IPS Event Analysis package was added. However if I try to logon to the IPS Event Analysis it fails with an authentication to server failed error.

I can logon to the manager (SmartDashboard) without any problems and If I select IPS Event Analysis it also fails with the same error.
I have the necessary licenses.

I have gone through the documenatation and can't find anything relating to this.

[MrSnakey]

Quote:

Originally Posted by mark.edwards

Our manager has recently been upgraded to R70.2 and as a result the IPS Event Analysis package was added. However if I try to logon to the IPS Event Analysis it fails with an authentication to server failed error.

I can logon to the manager (SmartDashboard) without any problems and If I select IPS Event Analysis it also fails with the same error.
I have the necessary licenses.

I have gone through the documenatation and can't find anything relating to this.

You may not be licensed for it. Post your license and I'll check or if you're feeling brave, you could check yourself.

Do 'cplic print' and post the output MINUS THE IP ADDRESS AND THE SIGNATURE STRING.

If you are licensed for it then... well I don't know, I've not used it outside of *local.

[mark.edwards]

[Expert@smart1-man-ats]# cplic print

Host Expiration Features
****** never cpsm-c-50 cpsb-npm cpsb-epm cpsb-logs cpsb-mntr cpsb-udir cpsb-prvs cpsb-ipsa

[mhicks]

Greetings,

I am having the same issue you described. I am not licensed for the product, but I am using a CPMP-EVAL-1-NGX eval license.

TAC is useless on this. All they told me is that I cant run IPS Event Analysis Blade because I am in Management HA mode. I don't seem to want to believe that.

[lammbo]

Quote:

Originally Posted by mhicks

Greetings,

I am having the same issue you described. I am not licensed for the product, but I am using a CPMP-EVAL-1-NGX eval license.

TAC is useless on this. All they told me is that I cant run IPS Event Analysis Blade because I am in Management HA mode. I don't seem to want to believe that.

Say what?!? You can't run it if you're in HA MGMT? Is this a known limitation like not being able to run QoS and CoreXL at the moment? (I HOPE this is only until they fix the code)

Can someone confirm this information? I don't recall seeing this in the list of known limitations.

[mhicks]

Quote:

Originally Posted by lammbo

Say what?!? You can't run it if you're in HA MGMT? Is this a known limitation like not being able to run QoS and CoreXL at the moment? (I HOPE this is only until they fix the code)

Can someone confirm this information? I don't recall seeing this in the list of known limitations.

A simple search returned this:

R70.20 Known Limitations (https://supportcenter.checkpoint.com...onid=sk43166#4)

"00524529,
00522141 The Event Correlation, Reporting, and IPS Event Analysis Blades cannot be installed on Security Management servers in High Availability. For High Availability environments, install the Reporting, Event Correlation, or IPS Event Analysis server on a dedicated Log server."

Which is why I am asking for help.

[ShadowPeak.com]

Quote:

Originally Posted by mhicks

Greetings,

I am having the same issue you described. I am not licensed for the product, but I am using a CPMP-EVAL-1-NGX eval license.

(snip)

Just a quick note here: new R70 features like SmartWorkflow and IPS Event Analysis do not work at all under a CPMP-EVAL-1-NGX license. If you have the ability to generate a "quick eval" license in your usercenter account (or know someone who does such as your reseller) you'll need to pick this new blade-based license instead: "CPSG-P808-CPSM-PU008-EVAL - Check Point Security Bundle Eval - including SG808 and SMU008 for 30 days".

[mhicks]

Quote:

Originally Posted by ShadowPeak.com

Just a quick note here: new R70 features like SmartWorkflow and IPS Event Analysis do not work at all under a CPMP-EVAL-1-NGX license. If you have the ability to generate a "quick eval" license in your usercenter account (or know someone who does such as your reseller) you'll need to pick this new blade-based license instead: "CPSG-P808-CPSM-PU008-EVAL - Check Point Security Bundle Eval - including SG808 and SMU008 for 30 days".

Thanks, I will have my SE hook me up. By the way, I used SmartWorkflow using the CPMP-EVAL-1-NGX license on my r70.1 smart1.

[ShadowPeak.com]

Quote:

Originally Posted by mhicks

Thanks, I will have my SE hook me up. By the way, I used SmartWorkflow using the CPMP-EVAL-1-NGX license on my r70.1 smart1.

Interesting. I had a student in my CCSE R70 class invalidate his 15-day trial license and he had difficulty getting SmartWorkflow working during a lab exercise with a CPMP-EVAL-1-NGX license present. Once I installed a CPSG-P808-CPSM-PU008-EVAL license everything was golden. It might not have been a licensing issue after all; I'll definitely take a closer look if it happens again. Thanks!

[mhicks]

FYI, I installed the CPSG-P808-CPSM-PU008-EVAL Check Point Security Bundle Eval - including SG808 and SMU008 for 30 days and it still doesnt work. I still get the same authentication failed message.

[Optic]

Hi,

I was getting an authentication error until I edited the Management Server object in SmartDashboard and ticked "IPS Event Analysis" option on the Management tab.

I then had to chooce "Policy, Install Database" to apply the change.

Once I did this, the authentication error with IPS Event Analysis client went away.

Even though I can open the client I cannot get any events to appear in it. :( It all appears to be working fine only it isn't...

Cheers,
David