cancel
Showing results for 
Search instead for 
Did you mean: 
Post a Question

How to configure http max header length R77.30

Jump to solution

Hi Checkmates,

Using VSX mode, 2 checkpoint 12000 series, R77.30

I got this log when trying to access a website, and it deny access.

Anyone facing this problem already.

Please help me on this case,

Thank you guys,

Zed

1 Solution

Accepted Solutions

Re: How to configure http max header length R77.30

Jump to solution

Sure (if Checkpoint allows)

How to increase / disable max_header_length

Solution IDsk44674
ProductIPS
VersionR70, R71, R75, NGX R65, R76, R77
OSSecurePlatform, Windows, Linux
Platform / ModelAll
Date Created28-Apr-2010
Last Modified18-Feb-2014
Show more details
Show less details
Symptoms
  • Drops in SmartView Tracker: 'exceeded max_header-length' for product Smart Defense / IPS even though the value was changed under Smart Defense / IPS.
Cause

It was not changed for all instances in Smart Defense / IPS. Each profile has its own setting. All the settings need to be changed.

    

Solution

On the Security Management via GuiDBedit.

1.Log out of all smart console applications.

2.Log in to GuiDBedit.

3.Search guidbedit for the following data string http_max_header_length.
Make sure the value is the value you want it set to on all profiles (detailed below). The default is 2100, max is 12288. (Left side shows current value – changeable, right side shows default value – not changeable).
Then click Ctrl+F and click find next. You should see this parameter for each of the following object names. For each of them, perform the change. They should, but might not appear in the following order:

AdvancedSecurityObject
TemplateAdvancedSecurityObjectConnectra
DeactivatedAdvancedSecurityObject
AdvancedSecurityObjectConnectra

TemplateAdvancedSecurityObject

RecommendedAdvancedSecurityObject

If Smart Defense / IPS is deactivate and the issue persists (traffic still being dropped), adjust the DeactivatedAdvancedSecurityObject to the desired length.

4.After performing the changes, save and exit.

5.Install policy.

6.If the drop is still present, consider increasing the value even further.

In case the solution fails completely, consider disabling http_max_header_length enforcement:

1.Log out of all smart console applications.

2.Log in to GuiDBedit.

3.Search guidbedit for the following data string http_enforce_max_header_length.

Change it's value from true to false on all profiles:

AdvancedSecurityObject
TemplateAdvancedSecurityObjectConnectra
DeactivatedAdvancedSecurityObject
AdvancedSecurityObjectConnectra

TemplateAdvancedSecurityObject

RecommendedAdvancedSecurityObject

4.After performing the changes, save and exit.

5.Perform cpstop and cpstart on the Security Management.

6.Install policy.

and now to something completely different
6 Replies

Re: How to configure http max header length R77.30

Jump to solution

Hi Zed,

just check sk44674, maybe it helps.
Cheers
Vincent

and now to something completely different

Re: How to configure http max header length R77.30

Jump to solution

Hi Vincent, 

Thank for your reply. 

My UC account doesn't have advance access to see the Solution. Could you please capture the text for me.

Thank in advance,

Zed

0 Kudos

Re: How to configure http max header length R77.30

Jump to solution

Sure (if Checkpoint allows)

How to increase / disable max_header_length

Solution IDsk44674
ProductIPS
VersionR70, R71, R75, NGX R65, R76, R77
OSSecurePlatform, Windows, Linux
Platform / ModelAll
Date Created28-Apr-2010
Last Modified18-Feb-2014
Show more details
Show less details
Symptoms
  • Drops in SmartView Tracker: 'exceeded max_header-length' for product Smart Defense / IPS even though the value was changed under Smart Defense / IPS.
Cause

It was not changed for all instances in Smart Defense / IPS. Each profile has its own setting. All the settings need to be changed.

    

Solution

On the Security Management via GuiDBedit.

1.Log out of all smart console applications.

2.Log in to GuiDBedit.

3.Search guidbedit for the following data string http_max_header_length.
Make sure the value is the value you want it set to on all profiles (detailed below). The default is 2100, max is 12288. (Left side shows current value – changeable, right side shows default value – not changeable).
Then click Ctrl+F and click find next. You should see this parameter for each of the following object names. For each of them, perform the change. They should, but might not appear in the following order:

AdvancedSecurityObject
TemplateAdvancedSecurityObjectConnectra
DeactivatedAdvancedSecurityObject
AdvancedSecurityObjectConnectra

TemplateAdvancedSecurityObject

RecommendedAdvancedSecurityObject

If Smart Defense / IPS is deactivate and the issue persists (traffic still being dropped), adjust the DeactivatedAdvancedSecurityObject to the desired length.

4.After performing the changes, save and exit.

5.Install policy.

6.If the drop is still present, consider increasing the value even further.

In case the solution fails completely, consider disabling http_max_header_length enforcement:

1.Log out of all smart console applications.

2.Log in to GuiDBedit.

3.Search guidbedit for the following data string http_enforce_max_header_length.

Change it's value from true to false on all profiles:

AdvancedSecurityObject
TemplateAdvancedSecurityObjectConnectra
DeactivatedAdvancedSecurityObject
AdvancedSecurityObjectConnectra

TemplateAdvancedSecurityObject

RecommendedAdvancedSecurityObject

4.After performing the changes, save and exit.

5.Perform cpstop and cpstart on the Security Management.

6.Install policy.

and now to something completely different

Re: How to configure http max header length R77.30

Jump to solution

Hi Vincent,

Very appreciate for your help. Already sloved.

Thank you,

Zed

0 Kudos

Re: How to configure http max header length R77.30

Jump to solution

Hello Zed,

i am glad that I could help, you're welcome!

Cheers
Vincent

and now to something completely different
0 Kudos

Re: How to configure http max header length R77.30

Jump to solution

Hi Vincent,

Hope you're doing well, could you please help me capture solution of sk36161.

I'm requesting CP allow my account access to solution.

Thank you so much,

Zed