Moved provisionally to Next Generation Firewall for better handling.
Read timeout means that there were connectivity issues between SMC and IPS engine. Management communication uses TCP port 4987, so make sure that there are no other devices between the two that would be blocking the TCP 4987 connection from the management server to the IPS.
If read timeout happens at about 75 - 80 % of the policy installation process, the issue is almost certainly that the IPS does a policy rollback after the new configuration installed from SMC is taken into use. By default, policy installation is done with policy handshake enabled, which means that after the new configuration gets applied, if the NGFW engine doesn't get TCP 4987 packets from the management server during the policy handshake timeout period (by default 60 seconds), a policy rollback to the previous configuration will be done, as the new configuration has likely prevented the management connection between SMC and engine. If this happens during initial policy installation, the most common reason is that routing for the (IPS) engine has not been configured properly. So if SMC and IPS are not in the same subnet, please make sure that you have configured routing for the IPS in the SMC routing view to include a route that the IPS can use to send packets to the SMC server IP address.
Other possible reasons for initial policy rollback could be that NAT is done between SMC and NGFW engine, and locations and contact addresses are not configured properly. Thus the management connection is either attempted to be opened to the wrong (private) IP over the Internet, or the NGFW engine policy refers to the SMC private IP, while it should refer to the NAT IP to which the management server IP is NATed.
Thank you Tero,
The problem is resolved after adding a default route for IPS.
But after installing the policy (Default IPS Policy) on StoneGate IPS 3202, site users have lost access to the internet, access to the servers, ... the site was completely isolated; all traffic that passes through the IPS was blocked!
Internal Users --> IPS --> Firewalls --> Internet and the access to the siege servers.
- Configuration :
1 interface : Management
2 interface : Inline
2 interface : Inline
the screenshots: Dropbox - IPS captures.rar
- Log :
I have not found the source of this problem in the log files!
NB: To break the situation we have set the IPS offline.
Any idea, please? We are currently blocked.
Please open a ticket with McAfee support, as this issue requires getting data (sginfo, log export and traffic captures) from the device and analyzing the data to see what is causing this.