johnnyringo
Advisor

illegal header format detected: invalid header field

Having a specific HTTP POST request being blocked with the following in the message:

BlockHttpNonProtocolCompliant
Protocol Anomaly HTTP
illegal header format detected: invalid header field

Is there anything in the logs or some type of debug command that would show more details about the header? I'm hesitant to disable features or make system-wide workarounds; fixing how the application is configured would be the preferred workaround.

Pulling a packet capture would just be a needle-in-a-haystack problem because these only represent 0.001% of all requests to the service.

9 Replies
_Val_
Admin

Traffic capture should show the header details

johnnyringo
Advisor

I assume that has to be performed in real-time as the error occurs? 

Timothy_Hall
Legend

If some attribute of this traffic is known ahead of time (IP address, etc.) you could set up a triggered packet capture to grab the traffic so you can analyze it: Max Capture Update 1: Taking "Triggered" Packet Captures.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
johnnyringo
Advisor

Source and destination IP will always be the same. So it only helps if I can trigger based on a specific URL.

Timothy_Hall
Legend

You can do that: in the custom observable you create to match the traffic and start the capture, simply specify type "URL" and the URL in question.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
the_rock
Legend

You can do the fw monitor example below.

Say src IP is 1.1.1.1, dst is 2.2.2.2 and dst port is 443; it would look something like this:

fw monitor -F "1.1.1.1,0,2.2.2.2,443,0" -F "2.2.2.2,443,1.1.1.1,0,0"

It goes by "srcip,srcport,dstip,dstport,protocol" (0 meaning any), and then you can "twist" it the other way around for the return direction.

Hope that helps

Andy

johnnyringo
Advisor

Yeah, this is what Diamond support provided.

I'm suspecting it's something really stupid like an invalid character in the header name or a missing ': ' between the name and its value. So the first link is somewhat helpful, as this is a possible cause.

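A client-side pre-check for the header defects johnnyringo suspects (an invalid character in the field name, whitespace before the colon, a missing ':' separator, a control character in the value), as an added example that is not from this thread or from Check Point. It applies the RFC 9110/9112 token and field-value rules; the sample request and hostname are constructed.

```python
import re
from typing import List, Tuple

# RFC 9110 "tchar": the only characters allowed in a header field name.
TCHAR = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
# Control characters other than HTAB are not allowed in a field value.
CTL = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")


def check_header_line(line: str) -> List[str]:
    """Return the compliance problems found in one raw header line (empty list if fine)."""
    problems: List[str] = []
    if ":" not in line:
        return ["no ':' separating field name and value"]
    name, value = line.split(":", 1)
    if name == "":
        problems.append("empty field name")
    elif name != name.rstrip():
        # RFC 9112 section 5.1: no whitespace between the field name and the colon.
        problems.append("whitespace between field name and ':'")
    elif not TCHAR.match(name):
        bad = sorted({c for c in name if not TCHAR.match(c)})
        problems.append(f"invalid character(s) in field name: {bad!r}")
    if CTL.search(value):
        problems.append("control character in field value")
    return problems


def audit_request(raw: str) -> List[Tuple[int, str, List[str]]]:
    """Report every non-compliant header line of a raw HTTP/1.1 request as
    (1-based line number, line text, problems). Stops at the blank line that ends the headers."""
    findings = []
    for idx, line in enumerate(raw.split("\r\n")[1:], start=2):  # skip the request line
        if line == "":
            break
        if line[0] in " \t":  # obsolete line folding, rejected by modern parsers
            findings.append((idx, line, ["obsolete line folding (obs-fold)"]))
            continue
        problems = check_header_line(line)
        if problems:
            findings.append((idx, line, problems))
    return findings


# Constructed request with four deliberately malformed header lines.
SAMPLE = (
    "POST /api/upload HTTP/1.1\r\n"
    "Host: app.example.test\r\n"
    "Content-Type: application/json\r\n"
    "X-Correlation ID: 42\r\n"      # space inside the field name
    "X-Trace : abc\r\n"             # whitespace before the colon
    "X-Debug\r\n"                   # missing ':' separator
    "X-Note: line1\x07beep\r\n"     # control character in the value
    "\r\n"
    "{}"
)

if __name__ == "__main__":
    for lineno, text, problems in audit_request(SAMPLE):
        print(f"line {lineno}: {text!r} -> {'; '.join(problems)}")
```

Feed it the exact bytes the application emits (captured on the client or application host, where the 0.001% of failing requests can be filtered by status); the gateway's parser may enforce additional rules beyond these.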
the_rock
Legend

That would make sense.
