Friday, March 11, 2011

Corruption in the Checkpoint IPS database

IPS reset procedure

1. Delete all IPS profiles except the default profiles (Default_Protection and Recommended_Protection).
2. Obtain clean copies of the IPS files listed below, taken from a Security Management Server running the same version.
3. # cpstop
4. # cd $FWDIR/conf
5. Back up the existing copies, then copy the provided clean IPS files into the conf directory:
$FWDIR/conf/
inspect_logs.C
ips_db_cfg.C
sd_parser_settings.C
inspect_logs_profiles.C
ips_exceptions_table.C
sd_topic_categories.C
asm.C
inspect_streaming.C
ips_protections_override_table.C
sd_topics.C
asm_profiles.C
ips_attribute_extensions.C
ips_protections_per_profile_table.C
sd_topics.conversion
ips_attribute_extensions.C.converted
ips_signatures.C
sd_topics_table.C
default_asm.C
ips_c_s.C
ips_signatures.C.converted
inspect.C
ips_classes.C
ips_tables.sqlite
inspect.lf
ips_contexts.C
profiles.C
6. Edit the file $FWDIR/conf/asm.C, change:
need_local_update to "true"
asm_update_version_ips1 to "0"
asm_update_version_vpn1 to "0"
asm_update_version to "0"
7. Delete $FWDIR/conf/CPMILinks* and $FWDIR/conf/applications.C
8. Delete $FWDIR/conf/SMC_Files/asm/crc_marker_db.fws
9. # cpstart
10. fwm should start a process called "sduu"; wait until it finishes, which can take several minutes.
11. Verify in $FWDIR/conf/asm.C that the values of :asm_update_version_ips1, :asm_update_version_vpn1 and :asm_update_version have changed and are no longer 0; this means the silent update finished successfully.
12. Perform an online IPS update.
13. Push (install) the policy.
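The same procedure as a script, added here as an example rather than anything from the original post or from Check Point. It assumes expert-mode bash on the Security Management Server with $FWDIR already set, a staging directory holding the clean files from step 2, and the ":key (value)" line layout for asm.C; that layout, the sample asm.C fragment, and the 30-minute wait limit are assumptions. The helper functions edit and check the asm.C flags so steps 6 and 11 can be tested on a copy before the real run; ips_reset strings the whole sequence together.

```shell
#!/bin/bash
# Added example, not the original post's or Check Point's code.
# Assumes: expert-mode bash, $FWDIR set, clean IPS files in a staging
# directory, and asm.C lines shaped like ":key (value)" (an assumption).
set -u

# Constructed asm.C fragment (layout assumed) for exercising the helpers.
write_sample_asm() {
    cat > "$1" <<'EOF'
(
    :need_local_update (false)
    :asm_update_version_ips1 (20101215)
    :asm_update_version_vpn1 (20101215)
    :asm_update_version (20101215)
)
EOF
}

# asm_value FILE KEY: print the value inside the parentheses for KEY.
asm_value() {
    sed -nE "s/^[[:space:]]*:$2[[:space:]]*\((.*)\).*/\1/p" "$1" | head -n 1
}

# Step 6: need_local_update -> true, the three version counters -> 0.
# Edits a temporary copy and moves it into place (portable across sed flavours).
reset_asm_flags() {
    local file="$1" tmp
    tmp="$(mktemp)" || return 1
    sed -E \
        -e 's/^([[:space:]]*:need_local_update[[:space:]]*)\(.*\)/\1(true)/' \
        -e 's/^([[:space:]]*:asm_update_version(_ips1|_vpn1)?[[:space:]]*)\(.*\)/\1(0)/' \
        "$file" > "$tmp" && mv "$tmp" "$file"
}

# Step 11: succeed only if all three counters are present and non-zero.
silent_update_done() {
    local file="$1" key val
    for key in asm_update_version_ips1 asm_update_version_vpn1 asm_update_version; do
        val="$(asm_value "$file" "$key")"
        [ -n "$val" ] && [ "$val" != "0" ] || return 1
    done
    return 0
}

# Step 10: poll asm.C until the counters change (sduu has finished), or give up.
wait_for_silent_update() {
    local file="$1" timeout="${2:-1800}" waited=0
    until silent_update_done "$file"; do
        [ "$waited" -ge "$timeout" ] && return 1
        sleep 30
        waited=$((waited + 30))
    done
}

# Steps 3-11 end to end; steps 12 and 13 are done from SmartDashboard afterwards.
ips_reset() {
    local staging="$1" conf="$FWDIR/conf" backup f
    backup="$conf/ips_backup.$(date +%Y%m%d%H%M%S)"
    mkdir -p "$backup" || return 1
    cpstop || return 1
    # Keep the originals before overwriting them with the clean set.
    for f in "$staging"/*; do
        [ -e "$conf/$(basename "$f")" ] && cp -p "$conf/$(basename "$f")" "$backup"/
    done
    cp -p "$staging"/* "$conf"/ || return 1
    reset_asm_flags "$conf/asm.C" || return 1
    rm -f "$conf"/CPMILinks* "$conf/applications.C" "$conf/SMC_Files/asm/crc_marker_db.fws"
    cpstart || return 1
    wait_for_silent_update "$conf/asm.C" || { echo "silent update did not finish" >&2; return 1; }
    echo "silent update finished; run the online update and push policy"
}
```

Run it as `ips_reset /path/to/clean_ips_files` only after step 1 (deleting the non-default profiles) has been done in SmartDashboard; a non-zero exit means the counters never left 0 and the reset should be investigated before pushing policy.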