topic Re: Enabling web server security in Firewall and Security Management

Enabling web server security

KandarpDesai — Wed, 24 Apr 2019 15:42:23 GMT

Hi guys,
I have a checkpoint firewall with ngtx. I want to enable web security for my web servers (sql injection, cross site scripting etc.). I did this by creating a host of web server and enabled the protections.

Is that all or do I need to add something else somehwere too. In the guide it mentions the following "Enforcement of these protections are dependent on IPS profile" What does that mean?

Also how can I test that these protections are working via some testing method?

Re: Enabling web server security

PhoneBoy — Wed, 24 Apr 2019 16:25:34 GMT

Protections can be enabled/disabled in your IPS profile and/or your Threat Prevention policy, depending on management and gateway version.
It would be helpful if you specified the exact steps you followed and provided some screenshots of exactly what you did.
Also, anytime you make changes to IPS, you need to push the Threat Prevention policy (Access Policy for R77.x Gateways).

As far as testing some of these protections, you can use a tool like Burp Suite.

Re: Enabling web server security

KandarpDesai — Wed, 24 Apr 2019 17:13:17 GMT

Hi Phoneboy,

Thanks for suggesting BurpSuite, I have applied for a trial.

As for the steps, I did the following

- Created a new host
- Clicked on Servers>Web server>Protections
- Protections were enabled already.
- Pushed the Threat Policy ( exisiting Policy is Scope=Any and Action=Optimized )

Re: Enabling web server security

KandarpDesai — Fri, 26 Apr 2019 06:25:46 GMT

Hi Guys,

Kindly help me to know if this is correct. Appreciate the help.

Re: Enabling web server security

PhoneBoy — Fri, 26 Apr 2019 17:03:09 GMT

What does your Threat Prevention rulebase look like?

Re: Enabling web server security

Cyber_Serge — Fri, 26 Apr 2019 17:31:19 GMT

I am curious about this as well. I thought we just need to configure the Profile protection and it will apply; This looks very specific to web server; do we need to configure all the web server object this way?

Re: Enabling web server security

Wolfgang — Fri, 26 Apr 2019 18:43:56 GMT

Frank_Yao1,

to enable the Webserver-protections you have to enable the servertype Webserver and the protections on all your webservers host objects.

Wolfgang

Re: Enabling web server security

KandarpDesai — Fri, 26 Apr 2019 18:45:39 GMT

Dear PB,
My threat policy is "ANY" and "OPTIMIZED"

Re: Enabling web server security

KandarpDesai — Fri, 26 Apr 2019 18:55:52 GMT

Dear Wolfgang,

I want to confirm if my config is right or not.

Re: Enabling web server security

PhoneBoy — Mon, 29 Apr 2019 17:17:53 GMT

This was required pre-R80.x, but I don't believe this is no longer required.

Re: Enabling web server security

PhoneBoy — Mon, 29 Apr 2019 17:19:03 GMT

Your configuration is correct (assuming gateway is R80.x).

Re: Enabling web server security

Vladimir — Mon, 29 Apr 2019 17:46:34 GMT

@PhoneBoy , please clarify:

Are we still required to configure the Web Server objects and their protections individually, or is the "Optimized" profile taking care of that irrespective to the target server?

Thank you,

Vladimir

P.S. It is really difficult to track which response is relevant to which thread in the forum unless person is mentioned by name and the excerpt from their post is included in the reply.

Re: Enabling web server security

Wolfgang — Mon, 29 Apr 2019 18:14:58 GMT

@Vladimir and @PhoneBoy

I follow Vladimir, there should be a statement for the web security configuration.

I think it is too needed in R80.xx, there are no protections like „SQL injections, cross site scripting, etc. „ in the normal IPS protections.

Dameon, please can you clarify if needed or not.

Wolfgang

Re: Enabling web server security

Wolfgang — Mon, 29 Apr 2019 18:15:58 GMT

Yes Kandarp, you config looks good.

Wolfgang

Re: Enabling web server security

PhoneBoy — Mon, 29 Apr 2019 20:20:04 GMT

I'm checking this, but I don't believe it's required.

Re: Enabling web server security

PhoneBoy — Mon, 29 Apr 2019 21:37:53 GMT

Checking on all of it 🙂
And yes, I'm aware we need to add indents in threads, but that's turning out to be a bigger problem to solve than it should be.

Re: Enabling web server security

Lari_Luoma — Tue, 30 Apr 2019 00:07:18 GMT

Hi!

There two types of protections (or actually three if you count also inspection settings):

Threat Cloud Protections that are the actual IPS Protections updated from Check Point Threat Cloud. These protections are installed with the Threat Prevention Policy.

Core Protections are protections that require IPS blade, but are there by default (there are 39 of them or so). These protections are installed with the Access Control Policy.

Core Protections are assigned directly to the gateways with their profile. You can then select whether you want this specific protection to be assigned to a selected web server or not (if it's a web server related protection). If you know your web servers and have configured them, make sure "Apply to Selected Web Servers" is selected. Otherwise select "Apply to all HTTP Traffic". By clicking View you can view the web servers that you have configured in the host object as a web server.

Re: Enabling web server security

Lari_Luoma — Tue, 30 Apr 2019 00:20:28 GMT

Yes you are still required to do that. Those protections have moved to so called core protections that are installed with Access Control Policy. See my full response to this thread.

EDIT: I thought this response would have shown under Vladimir's question. Hmmm...

Re: Enabling web server security

Vladimir — Tue, 30 Apr 2019 01:25:55 GMT

@Lari_Luoma , how on earth did you get to see the screen from your post above 🙂 ?

I am pocking in both, R80.20 and R80.30 in Core Protections and all I am seeing is:

and when editing the selected "HTTP Header Patterns", I am seeing:

Which, IMHO, got to mean that the entire scope is protected and that there is no need to cherry-pick the Web Servers.

Am I looking at this wrong?

Re: Enabling web server security

Lari_Luoma — Tue, 30 Apr 2019 04:05:24 GMT

Hi Vladimir,

1. Open a Core Protection

2. In General Tab double click a profile (e.g. Optimized)

3. Go to Advanced Tab