Good morning,
I've been having issues where I'll get an email from the dashboard saying that something has been blocked by our MX. When I click the link and it brings me to the Security Center, it always says no events, regardless of the filter timeline.
I currently have an open case but it's been open for months now with no change. Anybody else seeing this or heard of what is being done to fix it?
Regards,
Dylan.
If you just look at the security centre normally, and go to events, do you see anything?
What version software are you running on your MX?
Have you tried turning the threat protection settings off and back on?
@PhilipDAth yeah, even if I go via the normal route everything is still blank. I'm currently running the stable 13.28, and I do get the emails, so I believe it to be working, just not showing in the dashboard for some reason. I haven't tried turning the threat protection off and on, maybe?
@Dylan_YYC have you tried selecting Unknown and Clean dispositions using the Filter at the top of the Security Center?
@davidvan I have; it will show things then, but not the event that triggered me to get the alert email. I still have no idea what event caused me to get that.
Silly question, but you verified that Security Appliance > Threat Protections are enabled, right? If both are disabled it'll show up blank.
@Adam at this point there are no silly questions! Yes, it is enabled and has been since deployment.
I'm good at silly questions @Dylan_YYC
Have you checked your MX routing? At one of our sites we were routing all of our traffic via 0.0.0.0 to a private MPLS connection on one of the LAN ports instead of going out the WAN port and this caused there to be nothing in security center since it wasn't traversing the WAN interface. Other than that, it should be working.
That's a good idea @Adam, however we don't have that, and if our routing were to change to something on the LAN we would be in major trouble. I did double-check and it's still using the default route to the WAN interface. At this point I'm at a bit of a loss!
Well strange, at this point I'd try an after hours reboot of the MX if you haven't done that. Then I'd try to simulate some security traffic that should show up to diagnose further.
Hey Dylan,
This is a known issue and currently under investigation.
In the meantime you could try cloning the network, and moving the MX into the cloned network. (Just to see if moving into a new network kickstarts it.)
Feel free to go to Eicar and download the test file to make sure you're triggering the AMP engine.
Thanks!
Hey @RyanB
Thanks for the follow-up. As far as I can tell AMP is working well, as I have used that test file recently and was unable to download it. What troubles me is this has been an ongoing issue for our site for months now. Is there any indication on a resolution time?
Regards,
Dylan.
Was this ever resolved? We may be seeing something similar... 6 years later