fredlubrano
Participant

Can we disable the "HTTP protocol parser" or "HTTP inspection engine" for a specific connection?

Hello all,


My main question concerns the IPS blade: is it possible to disable the HTTP protocol parser or HTTP inspection engine for a custom service?

Here are the details of the issue:

The customer is running R81.20 with the following components:

* Dedicated SmartCenter
* Dedicated SmartEvent
* Several Check Point clusters (Open Server) across multiple sites
* IPS is enabled, and under "Inspection Settings", the option “Non-compliant HTTP” is set to "Inactive". "Fail mode = Fail-Open"
* HTTPS Inspection is "disabled"

We are observing a lot of IPS alerts with the source IP (X.168.46.100) to the same destinations (X.168.46.154 and X.168.46.180) over TCP port 50000. After checking with the customer, this traffic (TCP/50000) is SAP-related.

Log details:

* Forensic reason: “HTTP parsing error detected. Bypassing the request as defined in the Inspection Settings.”
* Precise error: “illegal startline in request”

I found this discussion on the Check Point community:
https://community.checkpoint.com/t5/Threat-Prevention/IPS-Connection-accepted-But-why/td-p/136294
Timothy Hall clearly explains that the specific log is related to an "internal inspection failure", and the system behaved according to the configured policy — in this case, it “failed open (bypass)”.

However, this system error occurs specifically when communication happens between the same source and destinations on TCP/50000.


This leads me to believe that, for some reason, the "HTTP protocol parser" or "HTTP inspection engine" fails to analyze this custom service, triggering a system error.

Therefore, my question is:
Since we are dealing with a controlled flow (with clearly identified source and destinations), would it be possible to disable the "HTTP protocol parser" or "HTTP inspection engine" for this connection? Or alternatively, to create an IPS exception rule? If creating an exception is the recommended approach, what criteria should be used?

I have attached a PDF document containing some configuration details.

I hope my explanations are clear!

Thanks in advance for your help.


Regards
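A small triage script, added here as an example (not code from the thread or from Check Point), that groups the bypass events described above by flow and checks whether they are confined to the customer's identified SAP flow, which is the criterion that justifies a narrowly scoped exception rather than a global change. The key=value log layout is a constructed approximation of an exported IPS log, not Check Point's real export format, and the addresses are RFC 5737 stand-ins for the post's X.168.46.x hosts.

```python
"""Triage Check Point IPS "HTTP parsing error" bypass logs by flow.

Added example, not from the CheckMates thread or Check Point. The key=value
layout is a constructed approximation of an exported IPS log, and the
addresses are RFC 5737 stand-ins for the post's X.168.46.x hosts.
"""
from collections import Counter

PARSE_ERROR_REASON = "HTTP parsing error detected"
BYPASS_TEXT = ("forensic_reason=HTTP parsing error detected. Bypassing the request "
               "as defined in the Inspection Settings.;precise_error=illegal startline in request")

# Constructed sample: three bypassed SAP (TCP/50000) connections and one normal web hit.
SAMPLE_LOGS = [
    "src=192.0.2.100;dst=192.0.2.154;proto=tcp;service=50000;" + BYPASS_TEXT,
    "src=192.0.2.100;dst=192.0.2.180;proto=tcp;service=50000;" + BYPASS_TEXT,
    "src=192.0.2.100;dst=192.0.2.154;proto=tcp;service=50000;" + BYPASS_TEXT,
    "src=192.0.2.55;dst=198.51.100.10;proto=tcp;service=80;action=accept",
]

# The flows the customer confirmed as SAP traffic (constructed to mirror the post).
SAP_FLOWS = {
    ("192.0.2.100", "192.0.2.154", "tcp", "50000"),
    ("192.0.2.100", "192.0.2.180", "tcp", "50000"),
}

def parse_line(line):
    """Split a key=value;key=value log line into a dict (values may contain '.')."""
    fields = {}
    for part in line.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def bypass_flows(lines):
    """Count HTTP-parser bypass events per (src, dst, proto, dport) tuple."""
    flows = Counter()
    for line in lines:
        f = parse_line(line)
        if f.get("forensic_reason", "").startswith(PARSE_ERROR_REASON):
            flows[(f["src"], f["dst"], f["proto"], f["service"])] += 1
    return flows

def exception_scope(flows, known_flows):
    """Return (confined, unexpected): confined is True when every bypass lies in
    known_flows, so a per-flow Inspection Settings exception covers them all;
    unexpected lists flows such an exception would NOT address."""
    unexpected = sorted(flow for flow in flows if flow not in known_flows)
    return (not unexpected, unexpected)

if __name__ == "__main__":
    counts = bypass_flows(SAMPLE_LOGS)
    for flow, n in sorted(counts.items()):
        print(f"{n} bypass(es): {flow}")
    print("confined to SAP flows:", exception_scope(counts, SAP_FLOWS))
```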

_Val_
Admin

That would only happen if you have an HTTP handler on a custom service, or "Inspect HTTP on non-standard ports" setting is enabled, see under "Manage & Settings view > Blades > Threat Prevention > Advanced Settings".

fredlubrano
Participant

Hello Val,

Thank you for your feedback.

I will disable the “Inspect HTTP on non-standard ports” option as you recommended.

However, since this option is global, is there any way to disable it for a specific connection or specific service instead?

Regarding the use of “HTTP Handlers”, I’m not very familiar with them — could you please share some documentation links explaining how to configure or implement them?

Thank you.


Regards

Timothy_Hall
MVP Gold

These messages are almost certainly caused by the Inspection Settings, as HTTP parsing is a key part of many of the 146 Inspection Settings Protections.  Under Inspection Settings...Exceptions, try something like this:

[image: is_exception.png]

You will need two of these for your two destination IP addresses.  It is not well-known that it is possible to disable all Inspection Settings in a single exception, as shown above by specifying "Any" for the Protection and Profile settings.  Reinstall both Access Control and Threat Prevention policies, and start a NEW connection that will match the exception.

If you are still seeing the issue, some of the 39 Core Activations may be the cause.  Try disabling them all for this traffic with a Core Activation exception like this:

[image: core_exception.png]

Reinstall both Access Control and Threat Prevention policies, and start a NEW connection that will match the exception.  If the issue persists, you may need to add a Threat Prevention Global Exception for this traffic under Threat Prevention...Exceptions, but I don't think that will be necessary.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
fredlubrano
Participant

Hello Timothy,

Thank you for your recommendations.

I’ll implement them by next week.


Regards
