Hi - wondering if IPS can prevent this from occurring. We host a few public-facing websites behind an R80.40 gateway. Most of the recommended IPS defs are enabled, but we recently got dinged on an external pen test.
This is what the pen tester is able to do (he's referring to the CP gateway as the "WAF"):
"Finding #2 – IP Spoofing Web Application Firewall Bypass – It is still possible to bypass the WAF blocks by adding the “X-Forwarded-For” Header to the POST request and iterating the last octet for 127.0.0.x. Without the “X-Forwarded-For” header, I am blocked after 5 attempts. After adding, I could continue without the WAF hindering me indefinitely."
This is referring to a login screen over https.
Any ideas would be greatly appreciated. Thanks.
Until you've enabled HTTPS Inspection for inbound traffic to the relevant server, there's really nothing for us to do here as we cannot see the XFF header, much less take any action upon it.
Do you have HTTPS Inspection enabled?
Also when it is dropped after 5 attempts without the XFF header, is a specific IPS protection triggering?
Thanks for the reply - two great questions.
We have the typical MITM HTTPS inspection for outgoing traffic, but not for incoming, and there is no IPS protection triggered for the pen tester's connection. The web programmer doesn't know of anything in his code (ColdFusion) or IIS that would do the 5-attempt lockout.
Thank you.
Thanks - that's what I figured, but wanted to ask. So... I imported the cert for this site and created an inbound inspection rule to that server with me as the only source for testing. On just the home page, about ten SQL injection prevents were triggered just because file names had an "or" in them. Here's an example
The server SQL injection setting is "low" - does this seem crazy aggressive?
The "Low" in this case refers to performance impact of the protection.
Just to follow up on what Phoneboy said, the Performance Impact rating specifies how enabling that particular signature will impact SecureXL acceleration on the firewall. Here is a rough guide taken from my IPS Immersion self-guided video series:
The Performance Impact rating specifies the level of CPU processing overhead for the gateway enforcing this protection. Gaia embedded appliances (models 1200R–1500) or smaller Check Point gateway appliances will be much more heavily impacted by High and Critical–level IPS Protections than larger gateways.
• Critical – 100% of traffic subject to inspection by this Protection is ineligible for acceleration by SecureXL and will take the slowpath (F2F) through an R80.10 or earlier gateway. (We will cover IPS performance extensively in Module 10)
• High – Traffic inspected by this Protection will be inspected ~50% in the non–accelerated slowpath (F2F) and CPASXL path, and ~50% in the partially–accelerated Medium Path (PXL).
• Medium – 100% of traffic subject to inspection by this Protection will be handled in the partially–accelerated Medium Path (PXL) on the gateway.
• Very Low/Low – Protection is fully accelerated in the fastpath by SecureXL.
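The pen-test finding at the top of this thread implies that whatever enforces the 5-attempt lockout takes the client address from the X-Forwarded-For header. The sketch below is an added example, not code from any poster or from Check Point: it puts a lockout keyed on the raw header beside one that honors the header only when the TCP peer is a known proxy. The function names, the proxy subnet and the sample requests are assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter

MAX_ATTEMPTS = 5  # lockout threshold quoted in the pen-test finding

def naive_client_ip(peer, xff):
    """Weak: believes whatever the request claims in X-Forwarded-For."""
    return xff.split(",")[0].strip() if xff else peer

def trusted_client_ip(peer, xff, trusted_proxies):
    """Honor XFF only when the TCP peer is a known proxy, then walk the
    header right to left and return the first hop that is not a proxy."""
    def is_trusted(addr):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            return False
        return any(ip in net for net in trusted_proxies)
    if not xff or not is_trusted(peer):
        return peer  # header from an untrusted sender is ignored
    for hop in reversed([h.strip() for h in xff.split(",")]):
        if not is_trusted(hop):
            try:
                ipaddress.ip_address(hop)
                return hop
            except ValueError:
                return peer  # malformed entry: fall back to the peer
    return peer

def allowed_attempts(requests, resolver):
    """Count failed logins that get through before the per-IP lockout applies."""
    failures, allowed = Counter(), 0
    for peer, xff in requests:
        key = resolver(peer, xff)
        if failures[key] < MAX_ATTEMPTS:
            failures[key] += 1
            allowed += 1
    return allowed

# Constructed sample: one external peer, a different 127.0.0.x value per request.
PROXIES = [ipaddress.ip_network("10.0.0.0/24")]  # assumed reverse-proxy subnet
SPOOFED = [("203.0.113.50", f"127.0.0.{i}") for i in range(1, 41)]

def hardened(peer, xff):
    return trusted_client_ip(peer, xff, PROXIES)

if __name__ == "__main__":
    print("keyed on raw XFF:", allowed_attempts(SPOOFED, naive_client_ip))
    print("keyed on trusted peer:", allowed_attempts(SPOOFED, hardened))
```

With the constructed input, the lockout keyed on the raw header never triggers, while the one keyed on the resolved address stops the same requests at the fifth attempt.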