2 Replies Latest reply on Sep 22, 2014 7:54 AM by rcavey

    Check Point - Autolearn rules triggering instead of Check Point ASP

    japie

      Hi Folks


      Service Request Number - 4-5810042643


      We currently have the check point UTM solution R76 management station feeding into McAfee SIEM.

      There are about 40 firewall nodes and IPS blades feeding into the management station, which all feed back into the SIEM.


      McAfee SIEM comes with 7 standard Check Point ASP rules, which seem to parse out the data correctly when run through the correlation editor; however, the various rules are being autolearned, and this overrides the process where Check Point ASP rule 7 needs to parse the specific IPS feed data.


      The rule_name value in the log was attributed to the Signature_Name field assignment in the event drill down. This should have held the value of the sig_desc field of the log.

      We have had this call open with McAfee for 2 months now and it is still an ongoing issue. We have deleted all the autolearn rules, but they just get autolearned. The engineer working the case said that with version 9.3.2 (we are on the latest hotfix) you can disable the autolearn rules per device.


      Anyone experiencing the same issue? Anyone with a possible solution?


      Thanks,

      Japie
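As an added example (not from the original post, McAfee or Check Point), the kind of audit check a SIEM engineer could run to find events where Signature_Name was filled from rule_name instead of sig_desc, which is the mis-mapping described above. The ';'-separated key=value log layout, the field values and the drill-down results are all constructed for illustration; only the field names rule_name, sig_desc and Signature_Name come from the post.

```python
"""Audit the Check Point -> SIEM Signature_Name mapping on parsed events.

Added example, not vendor code: the record layout (';'-separated key=value
pairs) and every value below are constructed for illustration.
"""

# Constructed Check Point IPS-style records, each paired with the
# Signature_Name value the SIEM event drill-down showed for it.
CONSTRUCTED_EVENTS = [
    {"id": 1,
     "raw": "product=SmartDefense;rule_name=Web-Server-Protection;"
            "sig_desc=SQL Injection attempt;src=10.0.0.5;dst=10.0.1.8",
     "signature_name": "SQL Injection attempt"},   # correct: taken from sig_desc
    {"id": 2,
     "raw": "product=SmartDefense;rule_name=Web-Server-Protection;"
            "sig_desc=Directory traversal;src=10.0.0.6;dst=10.0.1.8",
     "signature_name": "Web-Server-Protection"},   # wrong: copied from rule_name
    {"id": 3,
     "raw": "product=SmartDefense;rule_name=Mail-Protection;"
            "sig_desc=;src=10.0.0.7;dst=10.0.1.9",
     "signature_name": ""},                         # sig_desc empty: nothing to compare
]


def parse_kv(raw):
    """Split a ';'-separated key=value record into a dict (values may contain '=')."""
    fields = {}
    for part in raw.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def classify(event):
    """Return 'ok', 'rule_name_mismap', 'other_mismatch' or 'no_sig_desc'."""
    fields = parse_kv(event["raw"])
    expected = fields.get("sig_desc", "")
    actual = event["signature_name"]
    if not expected:
        return "no_sig_desc"
    if actual == expected:
        return "ok"
    if actual == fields.get("rule_name"):
        return "rule_name_mismap"
    return "other_mismatch"


def audit(events):
    """Group event ids by verdict so mis-mapped events can be pulled out for review."""
    report = {}
    for ev in events:
        report.setdefault(classify(ev), []).append(ev["id"])
    return report


if __name__ == "__main__":
    print(audit(CONSTRUCTED_EVENTS))
```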