After upgrading the SmartCenter from R55 HFA17 to R62, we experienced a SmartDefense problem with an Edge boxes it manages.

We had to turn specific SD settings off directly on the Edge before because the proprietary software running through it got caught (Welchia, Null payload, CIFS worm).

After upgrading the SmartCenter, the settings on the Edge now report that they are remotely managed (which it did not do with the R55 SmartCenter) and these settings got turned back on, disrupting things.

I set up a specific SD profile for that Edge gateway and set things the way they were. When I push the policy, I was getting errors about the five-rule policy being too big (firmware 6.0.76) and too many HTTP worm patterns.

I used the General Configuration to set everything to Monitor Only and now I'm getting this in the Edge Reports:

07144 07Mar2007 10:08:39 Error: Failed to parse Smart Defense conf file :Max num of HTTP worm patterns reached

07143 07Mar2007 10:08:39 Error: Failed to parse Smart Defense conf file :Max num of http header patterns reached

I even deactivated these under Web Intelligence, Malicious Code, but this error is still occurring on a policy push.

Any thoughts on how to fix these issues would be appreciated.

Thanks,

Ray

Taking the firmware to 7.0.33 fixed it, but I'm still seeing drops caused by implied rules. For example, I have the SmartDefense setting for "null ICMP" set to inactive in the profile, but the rule number that I'm seeing the drop on is a negative number, which means it's an implied rule. I've got a case open with Check Point as of today.

Ray

Check the global properties and stateless settings on the firewall. These are implied rules and caused me problems.

I also disabled the smartdefense for the vpn tunnel as it caused no end of problems

Dave