- CheckMates
- :
- Products
- :
- CloudMates Products
- :
- CNAPP
- :
- illegal header format detected: invalid header fie...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Are you a member of CheckMates?
×- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
illegal header format detected: invalid header field
Having a specific HTTP POST request being blocked with the following in the message:
BlockHttpNonProtocolCompliant
Protocol Anomaly HTTP
illegal header format detected: invalid header field
Is there anything in the logs or some type of debug command that would show more details about the header? I'm hesitant to disable features or make system-wide workarounds; fixing how the application is configured would be the preferred work-around.
Pulling a packet capture just would be a needle in a haystack problem because these only represents 0.001% of all requests to the service.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Traffic capture should show the header details
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I assume that has to be performed in real-time as the error occurs?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If some attribute of this traffic is known ahead of time (IP address, etc.) you could set up a triggered packet capture to grab the traffic so you can analyze it: Max Capture Update 1: Taking "Triggered" Packet Captures.
now available at maxpowerfirewalls.com
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Source and destination IP will always be the same. So it only helps if I can trigger based on a specific URL
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can do that, in your custom observable created to match the traffic and start the capture simply specify type "URL" and the URL in question.
now available at maxpowerfirewalls.com
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can do below fw monitor example
say src ip is 1.1.1.1 and dst is 2.2.2.2 and dst port is 443, it would look something like below
fw monitor -F "1.1.1.1,0,2.2.2.2,443,0" -F "2.2.2.2,0,1.1.1.1,443,0"
It goes by "srcip,srcport,dstip,dstport, protocol" and they you can "twist" it the other way around
Hope that helps
Andy
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I see below, not sure if those would help
Andy
https://support.checkpoint.com/results/sk/sk26440
https://support.checkpoint.com/results/sk/sk163481
https://support.checkpoint.com/results/sk/sk148013
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yeah, this is what diamond support provided.
I'm suspecting it's something really stupid like an invalid character in the header name or a missing': ' between the name and its value. So the first link is somewhat helpful as this is a possible cause.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That would make sense.