This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
ANANTADSULE
Contributor
‎2023-08-04 11:58 PM

IPS exception not working QS 1550 R81.10.07

Hello everyone.

I have created Command injection IPS exception for anywheremail.qlc.co.in domain,but firewall is preventing traffic.Added above domain to URL allowlist as well.I want to bypass IPS only,not HTTPS inspection because it's business email service.

Check Point's 1550 Appliance R81.10.07 - Build 430

All subscriptions & licenses are valid,No errors in configload_status.

 

0 Kudos
5 Replies
Timothy_Hall
MVP Gold
MVP Gold
‎2023-08-05 07:32 AM

Command Injection is a Core Activation (not IPS ThreatCloud Protection) and as such general Threat Prevention exceptions do not apply to it.  You need to add a Core Activation exception by editing the Command Injection protection itself and adding the exception there.  If that doesn't work: sk171624: False positive drop for "SQL Injection" and "Command Injection" IPS protections

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
Daniel_Cimpeanu
Collaborator
‎2023-09-19 12:45 AM
In response to Timothy_Hall

Hi Timothy,

Would this be valid for QLS250? I'm seeing the same behaviour, with traffic being dropped despite having an IPS exception.

Thanks,

Daniel 

0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2023-09-19 02:06 AM
In response to Daniel_Cimpeanu

Yes - this is IPS AND not specific to Spark SMB.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
pedro_filipe
Explorer
‎2023-12-15 02:26 AM

Hey,

I am having the same problem with a 1570. Did you find a way to bypass this False Positive?

Regards

0 Kudos
ANANTADSULE
Contributor
‎2023-12-15 11:45 PM
In response to pedro_filipe

You need to create Threat prevention exception for Source-LAN,Destination-any,Protection - Command injection,Service-any,Action-Inactive.

As suggested by TAC.

The exception should apply to traffic from inside the organization to the outside. This protection is specifically for internal servers, so everything else should be excluded.

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events