This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
ClaudioSS
Participant
a week ago

How to create an exception rule for a specific attack in a given uri path?

If a false positive is noticed on a certain path, how can I set up a rule to accept that characteristic of the request path? Is there a manually way to fine tune or accept certain IPS or WAF signatures for a specific endpoint? I have already tried some options here in the Rules/Exceptions without success.

Thank you in advance.

0 Kudos
6 Replies
Bryan-Smith
Employee
Employee
Tuesday

Have you seen the example here: 

Setup Custom Rules and Exceptions | CloudGuard WAF

 

 

the_rock
Legend
Legend
Tuesday

I had customer ask me the same question recently and TAC provided the same as @Bryan-Smith 

Andy

0 Kudos
ClaudioSS
Participant
Tuesday
In response to the_rock

Thanks for the reply, Mr. Bryan-Smith.

Yes, I understand that section shows us how to create an exception for a query string parameter, but I supose this would completely bypass the URI path checking. So, I don't see how to specifically bypass something related to a false positive one other than disable all checking in there.

So, that's my million dollar question, how to bypass not all, but single signature?

By wildcard matching the signature content in the uri one by one? Maybe?

Bests regards

0 Kudos
Bryan-Smith
Employee
Employee
Tuesday
In response to ClaudioSS

If I am understanding the request correctly, you would need to include the IPS "Protection Name" that you are looking to bypass. The list of them can be found in the release notes. By combining multiple factors your exception can be very specific in nature and not bypass everything. 

https://portal.checkpoint.com/dashboard/appsec/cloudguardwaf#/waf-policy/release-notes/ips-signature... 

0 Kudos
ClaudioSS
Participant
Tuesday
In response to the_rock

Thanks, man, for the info!

I appreciate it.

Best regards.

the_rock
Legend
Legend
Tuesday
In response to ClaudioSS

No problem!

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
UPCOMING CLOUDMATES EVENTS
    All CloudMates Events