https://community.checkpoint.com/t5/General-Topics/Feature-Request-Firewall-WAF-would-have-been-protected-against/m-p/216181#M35907 <P><a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/1905">@Dorit_Dor</a>&nbsp;<BR />Is a feature request for the future.<BR /><BR />Why can't you build a WAF in front of your web portals on the firewall in R82.x or R8x in the future? <BR />Then attacks like these would be intercepted on the Check Point firewall.</P> <P>Browser --&gt; (WAF with Https interseption as reverse proxy) --&gt; (Gaia Portal or MAB Portal)<BR />From my point of view, any WAF would sound an alarm when the following string ‘../../../../../’ is used in communication.</P> Mon, 03 Jun 2024 08:23:15 GMT HeikoAnkenbrand 2024-06-03T08:23:15Z https://community.checkpoint.com/t5/General-Topics/Feature-Request-Firewall-WAF-would-have-been-protected-against/m-p/216155#M35891 <P>Check Point has been selling firewalls for years and WAFs for some years now.<BR />The interesting question for me is why this is not combined.<BR /><BR />For example, there was a WAF in front of the GAIA portal (multi-portal) or the MAB portal, <BR />the attack (CVE-2024-24919) could easily have been detected and can be blocked.</P> <P>Technically, I don't see any difficulties in implementing something like this.<BR /><BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="WAF_1_hggfhgfd553245.png" style="width: 509px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/26031i7F81944B3234A376/image-dimensions/509x235?v=v2" width="509" height="235" role="button" title="WAF_1_hggfhgfd553245.png" alt="WAF_1_hggfhgfd553245.png" /></span><BR /><BR />And both technologies are available from Check Point.<BR />And you would be the first firewall manufacturer to protect its products in this way.</P> Mon, 03 Jun 2024 06:52:36 GMT https://community.checkpoint.com/t5/General-Topics/Feature-Request-Firewall-WAF-would-have-been-protected-against/m-p/216155#M35891 HeikoAnkenbrand 2024-06-03T06:52:36Z https://community.checkpoint.com/t5/General-Topics/Feature-Request-Firewall-WAF-would-have-been-protected-against/m-p/216157#M35893 <P>WAF is insufficient here. Full inbound HTTPS Inspection is required, and it is already being reviewed as an option. We are looking into this very seriously.&nbsp;</P> Mon, 03 Jun 2024 07:01:48 GMT https://community.checkpoint.com/t5/General-Topics/Feature-Request-Firewall-WAF-would-have-been-protected-against/m-p/216157#M35893 _Val_ 2024-06-03T07:01:48Z https://community.checkpoint.com/t5/General-Topics/Feature-Request-Firewall-WAF-would-have-been-protected-against/m-p/216181#M35907 <P><a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/1905">@Dorit_Dor</a>&nbsp;<BR />Is a feature request for the future.<BR /><BR />Why can't you build a WAF in front of your web portals on the firewall in R82.x or R8x in the future? <BR />Then attacks like these would be intercepted on the Check Point firewall.</P> <P>Browser --&gt; (WAF with Https interseption as reverse proxy) --&gt; (Gaia Portal or MAB Portal)<BR />From my point of view, any WAF would sound an alarm when the following string ‘../../../../../’ is used in communication.</P> Mon, 03 Jun 2024 08:23:15 GMT https://community.checkpoint.com/t5/General-Topics/Feature-Request-Firewall-WAF-would-have-been-protected-against/m-p/216181#M35907 HeikoAnkenbrand 2024-06-03T08:23:15Z https://community.checkpoint.com/t5/General-Topics/Feature-Request-Firewall-WAF-would-have-been-protected-against/m-p/216321#M35946 <P>Hi Heiko</P> <P><SPAN>We are indeed considering additional protective measures to avoid such issues in the future.</SPAN><SPAN> Integrating &nbsp;WAF is one of the options.</SPAN></P> <P>Thanks</P> Tue, 04 Jun 2024 08:59:11 GMT https://community.checkpoint.com/t5/General-Topics/Feature-Request-Firewall-WAF-would-have-been-protected-against/m-p/216321#M35946 Gera_Dorfman 2024-06-04T08:59:11Z https://community.checkpoint.com/t5/General-Topics/Feature-Request-Firewall-WAF-would-have-been-protected-against/m-p/216627#M36051 <P>In a sense, we've provided this already in the form of vpnf.<BR />The new vpnf process (deployed through AutoUpdater or manually)&nbsp;captures and prevents attempts to execute path traversal.<BR /><SPAN>This was deployed as an interim preventative measure until the CVE-2024-24919 fixes&nbsp;are fully installed on customers’ Security Gateways.</SPAN><BR />More details here:&nbsp;<A href="https://support.checkpoint.com/results/sk/sk182376" target="_blank">https://support.checkpoint.com/results/sk/sk182376</A></P> <P>Despite the presence of vpnf,&nbsp;<STRONG>installing the Hotfix is the best way to stay protected from this vulnerability.</STRONG></P> Thu, 06 Jun 2024 01:23:36 GMT https://community.checkpoint.com/t5/General-Topics/Feature-Request-Firewall-WAF-would-have-been-protected-against/m-p/216627#M36051 PhoneBoy 2024-06-06T01:23:36Z