https://community.checkpoint.com/t5/Firewall-and-Security-Management/HTTP-XFF-header-not-being-removed-in-R80-10/m-p/21617#M1664 <HTML><HEAD></HEAD><BODY><P>Yep, that will definitely do it.&nbsp;&nbsp; </P></BODY></HTML> Tue, 04 Sep 2018 14:25:35 GMT PhoneBoy 2018-09-04T14:25:35Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/HTTP-XFF-header-not-being-removed-in-R80-10/m-p/21610#M1657 <HTML><HEAD></HEAD><BODY><P>In case someone else was using SK&nbsp;<A class="link-titled" href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk100223" title="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk100223">How to enable stripping of X-Forward-For (XFF) field</A>&nbsp;</P><P>I know that it worked perfectly OK in R70.30 and we never bothered checking it after upgrades to R80.10, just assumed it worked. Today just by pure chance I stumbled across the fact that our internal IPs are being sent out in XFF header that were supposed to be stripped out.</P><P>One thing that I noticed with R80.10 is that kernel parameter&nbsp;<STRONG>ws_remove_proxy_connection_header</STRONG> doesn't seem to work anymore&nbsp;</P><P></P><P><IMG class="image-1 jive-image" src="https://community.checkpoint.com/legacyfs/online/checkpoint/69752_pastedImage_4.png" /></P><P></P><P>Anyone else&nbsp;could verify this?</P><P>SR submitted</P></BODY></HTML> Fri, 24 Aug 2018 09:43:30 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/HTTP-XFF-header-not-being-removed-in-R80-10/m-p/21610#M1657 Kaspars_Zibarts 2018-08-24T09:43:30Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/HTTP-XFF-header-not-being-removed-in-R80-10/m-p/21611#M1658 <HTML><HEAD></HEAD><BODY><P>Since the SK says it's relevant for R80.10, it's probably worth a TAC case to investigate.</P></BODY></HTML> Fri, 24 Aug 2018 11:16:36 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/HTTP-XFF-header-not-being-removed-in-R80-10/m-p/21611#M1658 PhoneBoy 2018-08-24T11:16:36Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/HTTP-XFF-header-not-being-removed-in-R80-10/m-p/21612#M1659 <HTML><HEAD></HEAD><BODY><P>The sk speaks about two procedures (depending on the IA blade) to enable this, one in Dashboard and one in GUIdbEdit. Then we find the comment: It has been observed that XFF stripping may still not function, even if all the above steps are performed correctly, when the value of kernel parameter '<STRONG><CODE>ws_remove_proxy_connection_header</CODE></STRONG>' is set to 0 (zero).</P><P></P><P>It say : May !</P></BODY></HTML> Fri, 24 Aug 2018 12:22:03 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/HTTP-XFF-header-not-being-removed-in-R80-10/m-p/21612#M1659 G_W_Albrecht 2018-08-24T12:22:03Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/HTTP-XFF-header-not-being-removed-in-R80-10/m-p/21613#M1660 <HTML><HEAD></HEAD><BODY><P>That's why I added the screenshot - it does not recognise the parameter <img id="smileysad" class="emoticon emoticon-smileysad" src="https://community.checkpoint.com/i/smilies/16x16_smiley-sad.png" alt="Smiley Sad" title="Smiley Sad" />&nbsp;we were able to set/get it in R77.30</P></BODY></HTML> Fri, 24 Aug 2018 12:25:52 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/HTTP-XFF-header-not-being-removed-in-R80-10/m-p/21613#M1660 Kaspars_Zibarts 2018-08-24T12:25:52Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/HTTP-XFF-header-not-being-removed-in-R80-10/m-p/21614#M1661 <HTML><HEAD></HEAD><BODY><P>Thus why I think a TAC case is needed to investigate.</P></BODY></HTML> Fri, 24 Aug 2018 16:47:51 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/HTTP-XFF-header-not-being-removed-in-R80-10/m-p/21614#M1661 PhoneBoy 2018-08-24T16:47:51Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/HTTP-XFF-header-not-being-removed-in-R80-10/m-p/21615#M1662 <HTML><HEAD></HEAD><BODY><P>Yep, as mentioned in original post - case lodged and all logs provided. <img id="smileyhappy" class="emoticon emoticon-smileyhappy" src="https://community.checkpoint.com/i/smilies/16x16_smiley-happy.png" alt="Smiley Happy" title="Smiley Happy" />&nbsp;Time for weekend. Hopefully it's fixed when I return on Monday morning</P></BODY></HTML> Fri, 24 Aug 2018 17:59:48 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/HTTP-XFF-header-not-being-removed-in-R80-10/m-p/21615#M1662 Kaspars_Zibarts 2018-08-24T17:59:48Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/HTTP-XFF-header-not-being-removed-in-R80-10/m-p/21616#M1663 <HTML><HEAD></HEAD><BODY><P>Hard to admit but it was proper Homer situation.. Forgot that we ad turned off AntiBot blade few months ago and you need one of medium path blades to be active for XFF removal to work</P><P><IMG class="image-1 jive-image" src="https://community.checkpoint.com/legacyfs/online/checkpoint/69991_pastedImage_1.png" /></P></BODY></HTML> Tue, 04 Sep 2018 06:09:12 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/HTTP-XFF-header-not-being-removed-in-R80-10/m-p/21616#M1663 Kaspars_Zibarts 2018-09-04T06:09:12Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/HTTP-XFF-header-not-being-removed-in-R80-10/m-p/21617#M1664 <HTML><HEAD></HEAD><BODY><P>Yep, that will definitely do it.&nbsp;&nbsp; </P></BODY></HTML> Tue, 04 Sep 2018 14:25:35 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/HTTP-XFF-header-not-being-removed-in-R80-10/m-p/21617#M1664 PhoneBoy 2018-09-04T14:25:35Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/HTTP-XFF-header-not-being-removed-in-R80-10/m-p/21618#M1665 <HTML><HEAD></HEAD><BODY><P>You meant bang myself on the head? haha yep!</P></BODY></HTML> Tue, 04 Sep 2018 15:29:55 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/HTTP-XFF-header-not-being-removed-in-R80-10/m-p/21618#M1665 Kaspars_Zibarts 2018-09-04T15:29:55Z