nabil_l
Explorer

IPS - HTTP parsing error detected

Hello,

 

I am getting lots of logs related to

[attachment: IPS-ISSUE.PNG] "Bypassing the request as defined in the Inspection Settings." in the IPS Blade log. It is allowing the traffic.

Why is it bypassing?

0 Kudos
23 Replies
the_rock
Legend

How do you have geo policy defined? I see Nepal as dst country.

Andy

0 Kudos
nabil_l
Explorer

Hello,

I have implemented the default Optimized cloned rule; all the settings are default.

0 Kudos
the_rock
Legend

That was not my question though. I'm wondering how you have geo policy defined, i.e. are you using updatable objects for it? If not, what version is this and how is legacy geo policy defined? Can you send a screenshot?

Andy

0 Kudos
nabil_l
Explorer

I have not configured any geo policy. This is version R81.10.

0 Kudos
nabil_l
Explorer

I have not defined any geo policy for now; all country names are shown in the IPS Blade log with their public IPs.

0 Kudos
nabil_l
Explorer

The above screenshot is from the server to one of the public clients. IPS is detecting but is not taking any action and is allowing the traffic to pass.

0 Kudos
the_rock
Legend

I would see what remediation options it gives and follow that. Usually, inspection settings ALWAYS show as default, UNLESS you really want to protect further against ddos, then you set it to recommended. But again, this is DIFFERENT than optimized profile for IPS.

Andy

0 Kudos
nabil_l
Explorer

No remediation is available for this result, as it has not detected any Attack Name, Protection Type, or Protection Details. Is there any way to block or inspect this type of traffic in case any event is detected by the IPS Blade?

0 Kudos
the_rock
Legend

[attachment: Screenshot_2.png]

0 Kudos
nabil_l
Explorer

Even after doing this I am still getting the same bypass log.

0 Kudos
nabil_l
Explorer

When I click on Add Exception, it says "This protection does not support Exception."

0 Kudos
the_rock
Legend

Then it has to be done via inspection settings.

0 Kudos
Timothy_Hall
Legend

It is bypassing because you have fail-open (the default) set under Manage & Settings...Blades...Threat Prevention...Advanced Settings...General Settings...Fail Mode.  This setting still controls the Inspections Settings protections too even though they are part of the Access Control policy now (but didn't used to be). 

A situation occurred in which the inspection engine could not properly scan the traffic due to it being out of state, and the default behavior is to let it through.  Be careful about setting fail-close here since any traffic that cannot be properly scanned will be denied.  There are many, many situations that this can apply to that you may not be expecting, such as a password-protected zip file or a file larger than 150MB being encountered with certain types of inspection set.  These will start getting denied if you change this setting.

This setting is covered in the new Check Point Threat Prevention Specialist 2-day course, which was released to ATCs worldwide last month.  I recently ran this class for the first time and it got rave reviews for its detailed coverage of IPS (including Inspection Settings), AV, and ABOT.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
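As an added illustration of the point made above (this is not code from the thread or from Check Point): with Fail Mode left at fail-open, every log line carrying the "Bypassing the request as defined in the Inspection Settings" message is traffic the engine accepted without fully inspecting it, so it is worth counting those events rather than ignoring them. The script below tallies bypass events per source and per destination/port from a constructed key=value log export; the field names (`blade`, `action`, `src`, `dst`, `dport`, `info`) are an assumed export layout, not Check Point's native log schema, and should be mapped to whatever your export actually produces.

```python
"""Tally IPS bypass events from exported log lines (added example).

The line format is a constructed key=value export, not Check Point's
native log schema; adapt the field names to your real export.
"""
from collections import Counter
import re

# The message text quoted in the thread; match on it regardless of the
# preceding parser-error text (e.g. "HTTP parsing error detected.").
BYPASS_MARKER = "Bypassing the request as defined in the Inspection Settings"

# Constructed sample export: one event per line, key=value pairs, quoted info.
SAMPLE_LOG = """\
time=2024-05-01T10:00:01 blade=IPS action=Accept src=203.0.113.10 dst=198.51.100.5 dport=443 info="HTTP parsing error detected. Bypassing the request as defined in the Inspection Settings."
time=2024-05-01T10:00:02 blade=IPS action=Accept src=203.0.113.11 dst=198.51.100.5 dport=443 info="HTTP parsing error detected. Bypassing the request as defined in the Inspection Settings."
time=2024-05-01T10:00:03 blade=IPS action=Prevent src=203.0.113.12 dst=198.51.100.5 dport=80 info="Signature matched"
time=2024-05-01T10:00:04 blade=IPS action=Accept src=203.0.113.10 dst=198.51.100.6 dport=443 info="HTTP parsing error detected. Bypassing the request as defined in the Inspection Settings."
time=2024-05-01T10:00:05 blade=AV action=Accept src=203.0.113.13 dst=198.51.100.5 dport=443 info="Bypassing the request as defined in the Inspection Settings."
"""

# key=value where the value is either a double-quoted string or a bare token
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_line(line):
    """Return the key=value fields of one export line as a dict."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        key = m.group(1)
        # group(3) is the unquoted content of a quoted value; group(2) the bare token
        value = m.group(3) if m.group(3) is not None else m.group(2)
        fields[key] = value
    return fields


def summarize_bypasses(log_text, blade="IPS"):
    """Count bypass events for one blade, broken down by source and by dst/port."""
    events = (parse_line(l) for l in log_text.splitlines() if l.strip())
    bypasses = [f for f in events
                if f.get("blade") == blade and BYPASS_MARKER in f.get("info", "")]
    return {
        "total": len(bypasses),
        "by_src": Counter(f["src"] for f in bypasses),
        "by_dst_port": Counter((f["dst"], f["dport"]) for f in bypasses),
    }


def noisy_sources(summary, max_per_src):
    """Sources whose bypass count exceeds the threshold, sorted for stable output."""
    return sorted(src for src, n in summary["by_src"].items() if n > max_per_src)


if __name__ == "__main__":
    s = summarize_bypasses(SAMPLE_LOG)
    print(f"IPS bypass events: {s['total']}")
    for (dst, port), n in s["by_dst_port"].most_common():
        print(f"  {dst}:{port}  {n}")
    print("sources over threshold:", noisy_sources(s, 1))
```

Run against a real export, the per-destination breakdown tells you which services the bypasses cluster on, which is the first thing to check before considering a change to the Fail Mode setting or opening a TAC case.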
nabil_l
Explorer

Thank you for this info

0 Kudos
the_rock
Legend

Honestly though, if I were you, I would still open TAC case about it.

Andy

0 Kudos
nabil_l
Explorer

Hello, I have opened a TAC case. Thank you for your suggestion.

0 Kudos
the_rock
Legend

Well, that's the default setting out of the box, but let @nabil_l confirm how it's configured.

0 Kudos
nabil_l
Explorer

Hello, I have used the default setting and not changed Fail Safe mode. Failsafe mode is in bypass.

0 Kudos
the_rock
Legend

You can try changing it; not sure it will make a difference, but worth a shot.

Andy

0 Kudos
nabil_l
Explorer

I can't try this, as it is a production environment and I can't take the risk.

0 Kudos
emmap
Employee

I've seen this before and it started with Chrome browsers enabled that hybridised kyber thing. We enabled some support for it in JHF take 150 but I've not been able to validate if this stops those IPS accepts. What JHF take do you have on that gateway?

0 Kudos
nabil_l
Explorer

JHF 130

0 Kudos
emmap
Employee

If you can, it would be good to update to the current recommended JHF and see if that has an effect.

0 Kudos