This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Parabol
Contributor
‎2023-07-18 03:00 AM

Fail Mode in Threat Prevention settings - good idea to change to fail-close?

Hi all,

I noticed in our IPS logs many "Accept" events, from Internet traffic accessing our DMZ systems. Opening the logs, in forensic details it shows:

"HTTP parsing error detected. Bypassing the request as defined in the Inspection Settings."

And the precise error as:

"illegal startline in request"

I do not totally understand this error, and whether it should be a cause for concern. To me it sounds like the firewall couldn't properly inspect the traffic and so defaults to accept? But as I understand, it "Accepts" this due to the fail mode being set to "Fail-open" as is default. (Setting found in: Manage & settings --> Blades --> Threat Prevention --> Advanced Settings)

Is it a better practice to change this to Fail-close, would this prevent traffic like above instead of accepting? Is there a log filter to identify exactly what traffic this would block? 

I appreciate any feedback you can offer, maybe some of you guys have changed to Fail-close and know of any risk? 

  • Allow all connections (Fail-open) - All connections are allowed in a situation of engine overload or failure (default).
  • Block all connections (Fail-close) - All connections are blocked in a situation of engine overload or failure.

To me this sounds like it could be a security risk, if threat prevention was to allow all traffic in the event of overload/failure.

 

0 Kudos
2 Replies
Chris_Atkinson
Employee Employee
Employee
‎2023-07-18 05:52 AM

A previous similar discussion was had here:

https://community.checkpoint.com/t5/Threat-Prevention/IPS-Connection-accepted-But-why/td-p/136294

Yes fail-close is more secure.

Which gateway version and hotfix is used, if it's already current I would follow-up with TAC to investigate further.

 

CCSM R77/R80/ELITE
Parabol
Contributor
‎2023-07-18 07:18 AM
In response to Chris_Atkinson

Thanks Chris, we are running R81.10 soon to be R81.20. 

I suppose any traffic currently accepted by this will have the message included in it's log:

Bypassing the request as defined in the Inspection Settings.

Maybe this is a good log filter to use to gauge what traffic is currently being permitted by the Fail-open, and subsequently what traffic would be blocked with fail-close.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events