https://community.checkpoint.com/t5/Firewall-and-Security-Management/IPS-Block-HTTP-Non-Compliant/m-p/218498#M54158 <P>Hi Mates,</P> <P>how can I check why this Debian APT download is blocked via IPS?</P> <P>I only have this with two clients. Others have no issue.</P> <DIV id="tinyMceEditorD_W_0" class="mceNonEditable lia-copypaste-placeholder">&nbsp;</DIV> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/26403i42D32F8E4E6E45C8/image-size/large?v=v2&amp;px=999" role="button" title="image.png" alt="image.png" /></span></P> <P>&nbsp;</P> <P>Cheers,<BR />David</P> Mon, 24 Jun 2024 14:56:34 GMT D_W 2024-06-24T14:56:34Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/IPS-Block-HTTP-Non-Compliant/m-p/218498#M54158 <P>Hi Mates,</P> <P>how can I check why this Debian APT download is blocked via IPS?</P> <P>I only have this with two clients. Others have no issue.</P> <DIV id="tinyMceEditorD_W_0" class="mceNonEditable lia-copypaste-placeholder">&nbsp;</DIV> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/26403i42D32F8E4E6E45C8/image-size/large?v=v2&amp;px=999" role="button" title="image.png" alt="image.png" /></span></P> <P>&nbsp;</P> <P>Cheers,<BR />David</P> Mon, 24 Jun 2024 14:56:34 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/IPS-Block-HTTP-Non-Compliant/m-p/218498#M54158 D_W 2024-06-24T14:56:34Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/IPS-Block-HTTP-Non-Compliant/m-p/218521#M54159 <P>Probably it's best to investigate with TAC</P> Mon, 24 Jun 2024 16:42:34 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/IPS-Block-HTTP-Non-Compliant/m-p/218521#M54159 _Val_ 2024-06-24T16:42:34Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/IPS-Block-HTTP-Non-Compliant/m-p/218523#M54160 <P>Hey David,</P> <P>Couple of questions:</P> <P>1) What IPS profile is used in TP policy?</P> <P>2) Considering this is critical, I assume thats why its blocked...have you tried adding an IPS exception if you know its 100% legit?</P> <P>Andy</P> Mon, 24 Jun 2024 16:49:10 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/IPS-Block-HTTP-Non-Compliant/m-p/218523#M54160 the_rock 2024-06-24T16:49:10Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/IPS-Block-HTTP-Non-Compliant/m-p/218596#M54161 <P>1) Custom Policy</P> <P>2) when I let them proxy the traffic via our squid proxy then the IPS is allowing this traffic. Also other Linux Servers downloading these packages have no issue. Only two specific Linux Systems that run this apt-get command via Docker Container have this issue.<BR /><BR />I will&nbsp; go ahead with the TAC <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Tue, 25 Jun 2024 09:53:03 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/IPS-Block-HTTP-Non-Compliant/m-p/218596#M54161 D_W 2024-06-25T09:53:03Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/IPS-Block-HTTP-Non-Compliant/m-p/218710#M54162 <P>Indeed this will be a TAC case. Reason I think why it works via proxy is because then the proxy will set up the connection and will download the packages.&nbsp;</P> <P>Best is to make a packet capture on the gateway and if possible on client. The packet capture in the logs is sometimes not enough for TAC.&nbsp;</P> <P>You can try without but i think it makes life more easy for the TAC engineer.&nbsp;</P> <P>You are lucky it is HTTP, if it is HTTPS we needed to share a decrypted packet capture for TAC.&nbsp;</P> Tue, 25 Jun 2024 21:25:07 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/IPS-Block-HTTP-Non-Compliant/m-p/218710#M54162 Lesley 2024-06-25T21:25:07Z