Parabol
Contributor

Fail Mode in Threat Prevention settings - good idea to change to fail-close?

Hi all,

I noticed in our IPS logs many "Accept" events, from Internet traffic accessing our DMZ systems. Opening the logs, in forensic details it shows:

"HTTP parsing error detected. Bypassing the request as defined in the Inspection Settings."

And the precise error as:

"illegal startline in request"

I do not totally understand this error, and whether it should be a cause for concern. To me it sounds like the firewall couldn't properly inspect the traffic and so defaults to accept? But as I understand, it "Accepts" this due to the fail mode being set to "Fail-open" as is default. (Setting found in: Manage & settings --> Blades --> Threat Prevention --> Advanced Settings)

Is it a better practice to change this to Fail-close, would this prevent traffic like above instead of accepting? Is there a log filter to identify exactly what traffic this would block? 

I appreciate any feedback you can offer, maybe some of you guys have changed to Fail-close and know of any risk? 

  • Allow all connections (Fail-open) - All connections are allowed in a situation of engine overload or failure (default).
  • Block all connections (Fail-close) - All connections are blocked in a situation of engine overload or failure.

To me this sounds like it could be a security risk, if threat prevention was to allow all traffic in the event of overload/failure.
2 Replies
Chris_Atkinson
Employee

A previous similar discussion was had here:

https://community.checkpoint.com/t5/Threat-Prevention/IPS-Connection-accepted-But-why/td-p/136294

Yes fail-close is more secure.

Which gateway version and hotfix is used, if it's already current I would follow-up with TAC to investigate further.
CCSM R77/R80/ELITE
Parabol
Contributor

Thanks Chris, we are running R81.10 soon to be R81.20. 

I suppose any traffic currently accepted by this will have the message included in its log:

Bypassing the request as defined in the Inspection Settings.

Maybe this is a good log filter to use to gauge what traffic is currently being permitted by the Fail-open, and subsequently what traffic would be blocked with fail-close.

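To put the log filter suggested above to work before touching the Fail Mode setting, here is an added example (written for this page, not code from the thread participants or from Check Point) that triages an exported batch of IPS log records: it keeps the "Accept" records whose forensic detail carries the bypass message quoted in the question, then breaks them down by destination, parsing error and source so the scope of what is currently being let through can be gauged. The record format is a constructed key="value" layout and the field names (`action`, `src`, `dst`, `service`, `forensic_details`, `parse_error`) are assumptions for the example, not Check Point's export schema; the sample records are constructed as well.

```python
import re
from collections import Counter
from dataclasses import dataclass

# The bypass message the question quotes from the forensic details.
BYPASS_MSG = "Bypassing the request as defined in the Inspection Settings"

# Constructed sample export, one record per line as key="value" pairs.
# Field names are assumptions for this example, not Check Point's schema.
SAMPLE_LOGS = """\
time="2024-03-01T10:00:01" action="Accept" blade="IPS" src="203.0.113.10" dst="198.51.100.5" service="80" forensic_details="HTTP parsing error detected. Bypassing the request as defined in the Inspection Settings." parse_error="illegal startline in request"
time="2024-03-01T10:00:02" action="Accept" blade="IPS" src="203.0.113.11" dst="198.51.100.5" service="80" forensic_details="" parse_error=""
time="2024-03-01T10:00:03" action="Accept" blade="IPS" src="203.0.113.12" dst="198.51.100.7" service="443" forensic_details="HTTP parsing error detected. Bypassing the request as defined in the Inspection Settings." parse_error="illegal startline in request"
time="2024-03-01T10:00:04" action="Prevent" blade="IPS" src="203.0.113.13" dst="198.51.100.5" service="80" forensic_details="" parse_error=""
time="2024-03-01T10:00:05" action="Accept" blade="IPS" src="203.0.113.10" dst="198.51.100.5" service="80" forensic_details="HTTP parsing error detected. Bypassing the request as defined in the Inspection Settings." parse_error="illegal startline in request"
"""

# Matches key="value" pairs; values may contain spaces and dots but no quotes.
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_record(line: str) -> dict:
    """Turn one key="value" record into a dict."""
    return dict(KV_RE.findall(line))


def is_bypass(rec: dict) -> bool:
    """True for an Accept whose forensic detail says inspection was bypassed."""
    return rec.get("action") == "Accept" and BYPASS_MSG in rec.get("forensic_details", "")


@dataclass
class BypassReport:
    total: int            # all records seen
    bypassed: int         # records accepted because inspection was bypassed
    by_dst: Counter       # "dst:service" -> count
    by_error: Counter     # parse_error text -> count
    by_src: Counter       # source address -> count


def triage(export: str) -> BypassReport:
    """Filter an export down to the bypass records and summarise them."""
    recs = [parse_record(l) for l in export.splitlines() if l.strip()]
    hits = [r for r in recs if is_bypass(r)]
    return BypassReport(
        total=len(recs),
        bypassed=len(hits),
        by_dst=Counter(f'{r["dst"]}:{r["service"]}' for r in hits),
        by_error=Counter(r.get("parse_error", "") for r in hits),
        by_src=Counter(r["src"] for r in hits),
    )


if __name__ == "__main__":
    report = triage(SAMPLE_LOGS)
    print(f"{report.bypassed} of {report.total} records were accepted via bypass")
    print("by destination:", dict(report.by_dst))
    print("by parse error:", dict(report.by_error))
    print("top sources:", report.by_src.most_common(3))
```

Run against a real export, the destination breakdown tells you which DMZ services would feel a change first, and the source breakdown helps separate a handful of noisy clients from broad, legitimate traffic that happens to trip the HTTP parser.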
