GAIA R80.10 IPS only blocks URL-based attacks

Hi,

It is my first time configuring Check Point products and I am still having some issues with the IPS.

I have an R80.10 firewall module with IPS enabled (and configured in a rather strict profile) and a vulnerable web server behind it.

When I attack the web server, the IPS properly detects a URL-based attack (for instance a SQLi where the injection is in URL parameters), but it doesn't detect or block anything that is done in the "body" of the request, for instance in POST params.

As I am a beginner this could be induced by a stupid configuration mistake, but I did not find any sk specific to that issue.

Thank you in advance for your time and help.

6 Replies

Re: GAIA R80.10 IPS only blocks URL-based attacks

I can suggest the document Check Point R80.10 IPS Best Practices Guide for first time configuration. To check if there is a config issue, you can search the CVEs of the exploits tested.


Re: GAIA R80.10 IPS only blocks URL-based attacks

Hi,

The CVE for SQL injection shows as "drop" for my IPS profile. It is more tricky for other exploits, like command injection over HTTP, where there is no CVE. It is, however, in prevention mode in my profile.


Re: GAIA R80.10 IPS only blocks URL-based attacks

Then you had better ask TAC about this...

Admin

Re: GAIA R80.10 IPS only blocks URL-based attacks

A continuation of this thread, I see: R80.10 Security Gateway IPS detects SQLi but not command injection

I'll ask the experts internally.


Re: GAIA R80.10 IPS only blocks URL-based attacks

Yes, although I poorly identified the problem at first, I thought it was best to open two threads to clarify that there are actually two different issues.

Thank you for your help.

Admin

Re: GAIA R80.10 IPS only blocks URL-based attacks

It is two different issues, correct, but along the same lines.

The protection should cover all parts of the HTTP request, but it's possible something was missed.

I'm going to have R&D reach out to you privately to get the details of what you're doing so we can improve the protection.

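As an added illustration of the gap discussed in this thread (example code written for this page, not code from the thread or from Check Point): the same injection string is carried once in URL parameters and once in a form-encoded POST body, and an inspection routine that only looks at the URL misses the second. The two requests and the signature pattern are constructed for the example.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample requests: identical parameter values, one in the query
# string and one in an application/x-www-form-urlencoded body.
GET_REQUEST = (
    "GET /login?user=admin'%20OR%201%3D1--&pw=x HTTP/1.1\r\n"
    "Host: web.example.test\r\n\r\n"
)
POST_REQUEST = (
    "POST /login HTTP/1.1\r\n"
    "Host: web.example.test\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 27\r\n\r\n"
    "user=admin'+OR+1%3D1--&pw=x"
)

# Constructed signature for the classic tautology pattern (illustrative only).
SQLI_PATTERN = re.compile(r"'\s*or\s+1\s*=\s*1", re.IGNORECASE)


def parse_request(raw):
    """Split a raw HTTP request into method and decoded parameters per location."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _ = request_line.split(" ", 2)
    headers = {k.lower(): v.strip() for k, v in (h.split(":", 1) for h in header_lines)}
    params = {"url": parse_qsl(urlsplit(target).query, keep_blank_values=True)}
    ctype = headers.get("content-type", "")
    # Only decode the body when it is form-encoded; other content types need their own parser.
    if ctype.startswith("application/x-www-form-urlencoded"):
        params["body"] = parse_qsl(body, keep_blank_values=True)
    else:
        params["body"] = []
    return method, params


def inspect(raw, locations=("url", "body")):
    """Return (location, parameter) pairs whose decoded value matches the signature.

    Passing locations=("url",) models an inspection that ignores the request body.
    """
    _, params = parse_request(raw)
    hits = []
    for loc in locations:
        for name, value in params[loc]:
            if SQLI_PATTERN.search(value):
                hits.append((loc, name))
    return hits
```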