This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
nabil_l
Explorer
‎2024-08-03 03:26 AM

IPS - HTTP parsing error detected

Hello,

 

I am getting lots of log related to 

IPS-ISSUE.PNG. Bypassing the request as defined in the Inspection Settings. in IPS Blage log. It is allowing the traffic.

Why its bypassing?

0 Kudos
24 Replies
the_rock
MVP Gold
MVP Gold
‎2024-08-03 05:06 AM

How do you have geo policy defined? I see Nepal as dst country.

Andy

0 Kudos
nabil_l
Explorer
‎2024-08-03 05:12 AM
In response to the_rock

Hello,

I have implemented default Optimized cloned rule, all the setting are by default.

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2024-08-03 05:16 AM
In response to nabil_l

That was not my question though. Im wondering how you have geo policy defined, ie are you using updatable objects for it? If not, what version is this and how is legacy geo policy defined? Can you send a screenshot?

Andy

0 Kudos
nabil_l
Explorer
‎2024-08-03 05:20 AM
In response to the_rock

I have not configured any geo policy . This is R81.10 version.

0 Kudos
nabil_l
Explorer
‎2024-08-03 05:18 AM
In response to the_rock

I have not define any geo policy for now, all coutry name is shown in IPS Blade log with their public IPs.

0 Kudos
nabil_l
Explorer
‎2024-08-03 05:19 AM
In response to the_rock

Above screenshot is from Server to One of the public client, IPS is detecting but is not taking any action and allowing to pass the traffic.

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2024-08-03 05:33 AM
In response to nabil_l

I would see what remediation options it gives and follow that. Usually, inspection settings ALWAYS show as default, UNLESS you really want to protect further against ddos, then you set it to recommended. But again, this is DIFFERENT than optimized profile for IPS.

Andy

0 Kudos
nabil_l
Explorer
‎2024-08-03 05:41 AM
In response to the_rock

No any remediation available for this result as it has not detected any Attack Name, Protection Type, Protection Details. Is there is any way to block or inspect this type of Traffic i case any Event is detected by IPS Blade.

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2024-08-03 06:10 AM
In response to nabil_l

Screenshot_2.png

0 Kudos
nabil_l
Explorer
‎2024-08-03 06:45 AM
In response to the_rock

Even after doing this still i am getting same bypass log.

0 Kudos
nabil_l
Explorer
‎2024-08-03 06:56 AM

When i click on Add Exception, it say This protection Doesnot support Exception.

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2024-08-03 10:10 AM
In response to nabil_l

Then it has to be done via inspection settings.

0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2024-08-03 07:40 AM

It is bypassing because you have fail-open (the default) set under Manage & Settings...Blades...Threat Prevention...Advanced Settings...General Settings...Fail Mode.  This setting still controls the Inspections Settings protections too even though they are part of the Access Control policy now (but didn't used to be). 

A situation occurred in which the inspection engine could not properly scan the traffic due to it being out of state, and the default behavior is to let it through.  Be careful about setting fail-close here since any traffic that cannot be properly scanned will be denied.  There are many, many situations that this can apply to that you may not be expecting, such as a password-protected zip file or a file larger than 150MB being encountered with certain types of inspection set.  These will start getting denied if you change this setting.

This setting is covered in the new Check Point Threat Prevention Specialist 2-day course, which was released to ATCs worldwide last month.  I recently ran this class for the first time and it got rave reviews for its detailed coverage of IPS (including Inspection Settings), AV, and ABOT.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
nabil_l
Explorer
‎2024-08-03 08:54 AM
In response to Timothy_Hall

Thank you for this info

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2024-08-04 10:52 AM
In response to nabil_l

Honestly though, if I were you, I would still open TAC case about it.

Andy

0 Kudos
nabil_l
Explorer
‎2024-08-04 07:36 PM
In response to the_rock

Hello, I have opened TAC. Thank you for your sugessation.

0 Kudos
_karruma_
Explorer
‎2025-01-09 04:38 AM
In response to nabil_l

Hello, Please tell me, did you manage to find a solution to this problem?

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2024-08-03 10:30 AM
In response to Timothy_Hall

Well, thats default setting out of the box, but let @nabil_l confirm how its configured.

0 Kudos
nabil_l
Explorer
‎2024-08-03 08:48 PM
In response to the_rock

Hello, I have used default setting and not changed Fail Safe mode.  Failsafe mode is in bypass.

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2024-08-04 08:36 AM
In response to nabil_l

You can try change it, but not sure it may make a difference, but worth a shot.

Andy

0 Kudos
nabil_l
Explorer
‎2024-08-04 07:36 PM
In response to the_rock

I cant try this, as it is production environment and cant take risk.

0 Kudos
emmap
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2024-08-04 09:43 PM

I've seen this before and it started with Chrome browsers enabled that hybridised kyber thing. We enabled some support for it in JHF take 150 but I've not been able to validate if this stops those IPS accepts. What JHF take do you have on that gateway?

0 Kudos
nabil_l
Explorer
‎2024-08-07 04:38 AM
In response to emmap

JHF 130

0 Kudos
emmap
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2024-08-08 12:53 AM
In response to nabil_l

If you can, it would be good to update to the current recommended JHF and see if that has an effect.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events