tom_barat
Participant

GAIA R80.10 IPS only blocks URL-based attacks

Hi,

It is my first time configuring Check Point products and I am still having some issues with the IPS.

I have an R80.10 firewall module with IPS enabled (and configured with a rather strict profile) and a vulnerable web server behind it.

When I attack the web server, the IPS properly detects URL-based attacks (for instance a SQLi where the injection is in URL parameters), but it doesn't detect or block anything that is done in the "body" of the request, for instance in POST params.

As I am a beginner this could be caused by a stupid configuration mistake, but I did not find any sk specific to that issue.

Thank you in advance for your time and help.

6 Replies
G_W_Albrecht
Legend

I can suggest the document Check Point R80.10 IPS Best Practices Guide for first time configuration. To check if there is a config issue, you can search the CVEs of the exploits tested.

CCSE CCTE CCSM SMB Specialist
tom_barat
Participant

Hi,

The CVE for SQL injection shows as "drop" for my IPS profile. It is trickier for other exploits, like command injection over HTTP, where there is no CVE. It is, however, in prevent mode in my profile.

G_W_Albrecht
Legend

Then you had better ask TAC about this...

CCSE CCTE CCSM SMB Specialist
PhoneBoy
Admin

A continuation of this thread, I see: R80.10 Security Gateway IPS detects SQLi but not command injection

I'll ask the experts internally.

tom_barat
Participant

Yes, although I poorly identified the problem at first, I thought it was best to open two threads to clarify that there are actually two different issues.

Thank you for your help.

PhoneBoy
Admin

It is two different issues, correct, but along the same lines.

The protection should cover all parts of the HTTP request, but it's possible something was missed.

I'm going to have R&D reach out to you privately to get the details of what you're doing so we can improve the protection.
