Enabling web server security
Hi guys,
I have a Check Point firewall with NGTX. I want to enable web security for my web servers (SQL injection, cross-site scripting, etc.). I did this by creating a host for the web server and enabling the protections.
Is that all, or do I need to add something else somewhere too? In the guide it mentions the following: "Enforcement of these protections are dependent on IPS profile". What does that mean?
Also, how can I test that these protections are working, via some testing method?
Protections can be enabled/disabled in your IPS profile and/or your Threat Prevention policy, depending on management and gateway version.
It would be helpful if you specified the exact steps you followed and provided some screenshots of exactly what you did.
Also, anytime you make changes to IPS, you need to push the Threat Prevention policy (Access Policy for R77.x Gateways).
As far as testing some of these protections, you can use a tool like Burp Suite.
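A way to do the testing PhoneBoy points at, as an added example that is not part of the thread and not Check Point code: a small Python harness that sends one benign baseline request plus three deliberately signature-shaped SQLi/XSS probes to a web server behind the gateway and classifies each result as served, blocked, timeout or unreachable. The target host and port are whatever you pass on the command line; run with no arguments it starts a constructed local stand-in that mimics a gateway in Drop mode, so both outcome classes can be seen offline. The probe strings are constructed test inputs, not exploits, and the stand-in's pattern list is a crude placeholder for real IPS signatures.

```python
"""Probe harness for the gateway's web-server protections.

Added example, not code from the thread and not Check Point's. Standard library only.
Sends one benign baseline request plus three signature-shaped SQLi/XSS probes and
classifies each outcome:
  served       an HTTP response came back (protection Inactive, or Accept/monitor-only: check the logs)
  blocked      the connection was closed or reset without a response (protection in Drop mode)
  timeout      nothing came back before the deadline (silent drop; investigate)
  unreachable  the TCP connection was refused (not an IPS effect; fix the path first)
"""
import http.client
import socket
import threading
from collections import Counter
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import quote, unquote

# Constructed, deliberately obvious test strings: meant to trip a signature, not to exploit anything.
PROBES = {
    "baseline":       "/search?q=hello",
    "sqli_tautology": "/search?q=" + quote("' OR '1'='1"),
    "sqli_union":     "/search?q=" + quote("1 UNION SELECT username,password FROM users--"),
    "xss_script":     "/search?q=" + quote("<script>alert(1)</script>"),
}


def send_probe(host, port, path, timeout=5.0):
    """Issue one GET and classify what happened. Returns (label, http_status_or_None)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"User-Agent": "ips-probe/1.0"})
        resp = conn.getresponse()
        resp.read()
        return "served", resp.status
    except socket.timeout:
        return "timeout", None
    except ConnectionRefusedError:
        return "unreachable", None
    except (ConnectionResetError, ConnectionAbortedError, BrokenPipeError,
            http.client.RemoteDisconnected):
        return "blocked", None
    finally:
        conn.close()


def run_probes(host, port, probes=PROBES):
    """Run every probe against host:port, in order, and map name -> (label, status)."""
    return {name: send_probe(host, port, path) for name, path in probes.items()}


def summarize(results):
    """Count outcomes per label, e.g. {'served': 1, 'blocked': 3}."""
    return dict(Counter(label for label, _ in results.values()))


class DropModeStandIn(BaseHTTPRequestHandler):
    """Constructed stand-in for 'web server behind a gateway with the protections in Drop mode':
    requests matching a crude pattern get no reply and the connection is closed; the rest get 200.
    Used only when the script runs without a target, so the outcome classes can be seen offline."""
    SIGNATURES = ("' or '", "union select", "<script")   # placeholder patterns, not real IPS signatures

    def do_GET(self):
        if any(sig in unquote(self.path).lower() for sig in self.SIGNATURES):
            self.close_connection = True   # "drop": close the socket without any HTTP response
            return
        body = b"ok"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):          # keep the stand-in quiet
        pass


def start_local_server():
    """Start the stand-in on a free loopback port; returns (server, port)."""
    srv = HTTPServer(("127.0.0.1", 0), DropModeStandIn)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:                  # python probe.py <web-server-behind-gateway> <port>
        target, port = sys.argv[1], int(sys.argv[2])
    else:                                   # no target given: demonstrate against the stand-in
        _, port = start_local_server()
        target = "127.0.0.1"
    results = run_probes(target, port)
    for name, (label, status) in results.items():
        print(f"{name:16s} {label:12s} {status if status is not None else ''}")
    print(summarize(results))
```

Run it twice, once through the gateway and once straight at the server (or from a host the gateway does not inspect), and diff the two. A probe that is served through the gateway but produces an IPS log in SmartConsole is what a protection in Accept (monitor-only) mode looks like, so the harness alone cannot tell Accept from Inactive; only Drop shows up as blocked. Keep the baseline request in the set: if it is not served, the path itself is broken and the other results mean nothing.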
Hi Phoneboy,
Thanks for suggesting Burp Suite, I have applied for a trial.
As for the steps, I did the following:
- Created a new host
- Clicked on Servers > Web Server > Protections
- Protections were enabled already.
- Pushed the Threat Policy (existing policy is Scope=Any and Action=Optimized)
Hi Guys,
Kindly help me to know if this is correct. Appreciate the help.
What does your Threat Prevention rulebase look like?
Dear PB,
My threat policy is "ANY" and "OPTIMIZED"
Frank_Yao1,
To enable the web server protections you have to enable the server type Web Server and the protections on all of your web server host objects.
Wolfgang
Dear Wolfgang,
I want to confirm if my config is right or not.
Yes Kandarp, your config looks good.
Wolfgang
@PhoneBoy , please clarify:
Are we still required to configure the Web Server objects and their protections individually, or is the "Optimized" profile taking care of that irrespective of the target server?
Thank you,
Vladimir
P.S. It is really difficult to track which response is relevant to which thread in the forum unless person is mentioned by name and the excerpt from their post is included in the reply.
I follow Vladimir; there should be a statement about the web security configuration.
I think it is also needed in R80.xx; there are no protections like "SQL injection, cross-site scripting, etc." in the normal IPS protections.
Dameon, please can you clarify if needed or not.
Wolfgang
And yes, I'm aware we need to add indents in threads, but that's turning out to be a bigger problem to solve than it should be.
Yes, you are still required to do that. Those protections have moved to the so-called Core Protections that are installed with the Access Control Policy. See my full response to this thread.
EDIT: I thought this response would have shown under Vladimir's question. Hmmm...
Hi!
There are two types of protections (or actually three, if you also count Inspection Settings):
ThreatCloud Protections are the actual IPS protections, updated from the Check Point ThreatCloud. These protections are installed with the Threat Prevention Policy.
Core Protections are protections that require the IPS blade but are there by default (there are 39 of them or so). These protections are installed with the Access Control Policy.
Core Protections are assigned directly to the gateways with their profile. You can then select whether you want a specific protection to be applied to selected web servers or not (if it is a web-server-related protection). If you know your web servers and have configured them, make sure "Apply to Selected Web Servers" is selected. Otherwise select "Apply to all HTTP Traffic". By clicking View you can see the web servers that you have configured as a web server in the host object.
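Wolfgang's and Lari's point (in "Apply to Selected Web Servers" mode the core protections only cover host objects flagged as Web Server) turns into a check you can run against the management server rather than eyeballing the View button. The following is an added example, not code from the thread and not Check Point's: it reads the JSON output of `mgmt_cli show hosts`, compares it with a list of addresses you know serve HTTP, reports web servers whose host object lacks the Web Server flag, has no host object at all, or is flagged but not on your list, and prints `mgmt_cli` commands to close the gaps. The response shape (a `host-servers` block holding a boolean `web-server`) and the `host-servers.web-server` parameter name are assumptions taken from the add-host API parameters; verify them against your management version before trusting the output. The sample response and IP list are constructed.

```python
"""Audit: which web servers will the core protections actually cover?

Added example, not from the thread and not Check Point's. Assumptions (verify against your
management version): `mgmt_cli show hosts details-level full --format json` returns each host
with a "host-servers" block holding a boolean "web-server", and the flag is set with
`set host name <n> host-servers.web-server true`. Those names are taken from the add-host
API parameters and are not confirmed here. The sample response and IP list below are constructed.
"""
import json

# Constructed sample of the assumed response shape, trimmed to the fields this script reads.
# Real input:  mgmt_cli -r true show hosts details-level full limit 500 --format json > hosts.json
SAMPLE_SHOW_HOSTS = json.dumps({
    "objects": [
        {"name": "web1", "ipv4-address": "10.1.1.10",
         "host-servers": {"web-server": True, "web-server-config": {"additional-ports": ["8080"]}}},
        {"name": "web2", "ipv4-address": "10.1.1.11",
         "host-servers": {"web-server": False}},
        {"name": "db1", "ipv4-address": "10.1.2.20",
         "host-servers": {"web-server": False}},
        {"name": "web3", "ipv4-address": "10.1.1.12"},      # created without any server flags at all
        {"name": "jump1", "ipv4-address": "10.1.3.5",
         "host-servers": {"web-server": True}},             # flagged, but nobody lists it as a web server
    ]
})

# Constructed: addresses you know serve HTTP(S), e.g. from the Access Control rulebase or a port scan.
KNOWN_WEB_IPS = {"10.1.1.10", "10.1.1.11", "10.1.1.12", "10.1.1.99"}


def parse_hosts(show_hosts_json):
    """Map ip -> (object name, web-server flag) from a show-hosts response (assumed shape)."""
    hosts = {}
    for obj in json.loads(show_hosts_json).get("objects", []):
        ip = obj.get("ipv4-address") or obj.get("ipv6-address")
        if not ip:
            continue
        flagged = bool(obj.get("host-servers", {}).get("web-server", False))
        hosts[ip] = (obj["name"], flagged)
    return hosts


def find_gaps(hosts, known_web_ips):
    """Three-way comparison between the flags in management and what you know serves HTTP."""
    unflagged = sorted(ip for ip in known_web_ips if ip in hosts and not hosts[ip][1])
    no_object = sorted(ip for ip in known_web_ips if ip not in hosts)
    flagged_unknown = sorted(ip for ip, (_, flagged) in hosts.items()
                             if flagged and ip not in known_web_ips)
    return {"unflagged": unflagged,                 # protections will NOT apply in "selected web servers" mode
            "no_host_object": no_object,           # nothing to attach the flag to yet
            "flagged_but_unknown": flagged_unknown} # review: stale flag, or your inventory is incomplete


def fix_commands(hosts, gaps):
    """mgmt_cli lines that close the first two gaps (assumed parameter names; check the API reference)."""
    cmds = [f'mgmt_cli set host name "{hosts[ip][0]}" host-servers.web-server true'
            for ip in gaps["unflagged"]]
    cmds += [f'mgmt_cli add host name "web-{ip.replace(".", "-")}" ip-address {ip} '
             f'host-servers.web-server true'
             for ip in gaps["no_host_object"]]
    return cmds


if __name__ == "__main__":
    import sys
    raw = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_SHOW_HOSTS
    hosts = parse_hosts(raw)
    gaps = find_gaps(hosts, KNOWN_WEB_IPS)
    print(json.dumps(gaps, indent=2))
    print("\n".join(fix_commands(hosts, gaps)))
```

The commands are printed, not executed, so you can review them and then publish and install the Access Control policy (core protections ship with it, per the post above). If the profile is set to "Apply to all HTTP Traffic" instead, the flags do not gate enforcement and the only gap worth acting on is the one the third list points at: your inventory of what actually serves HTTP.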
@Lari_Luoma, how on earth did you get to see the screen from your post above 🙂?
I am poking in both R80.20 and R80.30 in Core Protections and all I am seeing is:
and when editing the selected "HTTP Header Patterns", I am seeing:
Which, IMHO, has got to mean that the entire scope is protected and that there is no need to cherry-pick the Web Servers.
Am I looking at this wrong?
Hi Vladimir,
1. Open a Core Protection
2. In General Tab double click a profile (e.g. Optimized)
3. Go to Advanced Tab
Thank you @Lari_Luoma ! I am looking at it now.
One comment for Check Point developers: If you have a protection that is not really being enforced until additional settings are configured, perhaps another icon and action should be defined for it (i.e. gear with "config required").
Hello Lari,
can you clarify the difference between Accept and Drop in IPS core protection Action?
thank you
Hello Vladimir,
can you clarify the difference between Accept and Drop in action field?
thank you
There is no Accept in IPS, AFAIK. What are you trying to figure out?
Hello Val,
thank you for your quick answer.
Please take a look at the attached image.
I can't figure out the meaning of Active/Drop.
Inactive, I guess, means that the IPS core protection is never triggered... but what about Accept/Drop?
thanks!
Uh, that one. Drop obviously means the connection will be terminated once this particular IPS protection is triggered. Accept here means it will be doing "monitor only" for this specific defence. You will get a log, but the connection will persist anyway. Good only for tuning.
Great, thank you! So, basically, "Accept" in an IPS core protection is a kind of "Detect" for IPS ThreatCloud protections; very confusing.
This information is not documented anywhere! Very helpful.
Kind regards
