topic Re: Fail Mode in Threat Prevention settings - good idea to change to fail-close? in General Topics

Fail Mode in Threat Prevention settings - good idea to change to fail-close?

Parabol — Tue, 18 Jul 2023 10:00:28 GMT

Hi all,

I noticed in our IPS logs many "Accept" events, from Internet traffic accessing our DMZ systems. Opening the logs, in forensic details it shows:

"HTTP parsing error detected. Bypassing the request as defined in the Inspection Settings."

And the precise error as:

"illegal startline in request"

I do not totally understand this error, and whether it should be a cause for concern. To me it sounds like the firewall couldn't properly inspect the traffic and so defaults to accept? But as I understand, it "Accepts" this due to the fail mode being set to "Fail-open" as is default. (Setting found in: Manage & settings --> Blades --> Threat Prevention --> Advanced Settings)

Is it a better practice to change this to Fail-close, would this prevent traffic like above instead of accepting? Is there a log filter to identify exactly what traffic this would block?

I appreciate any feedback you can offer, maybe some of you guys have changed to Fail-close and know of any risk?

Allow all connections (Fail-open) - All connections are allowed in a situation of engine overload or failure (default).
Block all connections (Fail-close) - All connections are blocked in a situation of engine overload or failure.

To me this sounds like it could be a security risk, if threat prevention was to allow all traffic in the event of overload/failure.

Re: Fail Mode in Threat Prevention settings - good idea to change to fail-close?

Chris_Atkinson — Tue, 18 Jul 2023 12:52:14 GMT

A previous similar discussion was had here:

https://community.checkpoint.com/t5/Threat-Prevention/IPS-Connection-accepted-But-why/td-p/136294

Yes fail-close is more secure.

Which gateway version and hotfix is used, if it's already current I would follow-up with TAC to investigate further.

Re: Fail Mode in Threat Prevention settings - good idea to change to fail-close?

Parabol — Tue, 18 Jul 2023 14:18:24 GMT

Thanks Chris, we are running R81.10 soon to be R81.20.

I suppose any traffic currently accepted by this will have the message included in it's log:

Bypassing the request as defined in the Inspection Settings.

Maybe this is a good log filter to use to gauge what traffic is currently being permitted by the Fail-open, and subsequently what traffic would be blocked with fail-close.