Jon_AK
Contributor

Create Allow rule for specific IP address

Good morning. I have a Quantum Spark 1575 appliance that I cannot seem to get a rule to work to allow from & to a specific IP address. Our accounting system is a predominantly PHP app that runs on an Ubuntu 24.04 server. In the program is an update link for checking / updating the accounting software. When the link is executed, it fails to run, but I am not 100% certain it is the firewall appliance. The logs are showing the IPS blade intercepting & blocking a command injection, which under normal circumstances would be good. However, I verified it is occurring when executing the update link. I tried creating rules from Threat Prevention -> Exceptions, a new Access policy & even going as far as disabling all blades, but cannot get the IPS to stop blocking the outgoing / incoming connection. Apparently, the continuing discussion with their tech support shows no functionality impairments or errors, so I am trying to eliminate this problem. Where & how to proceed???


Accepted Solutions
AkosBakos
Advisor

Hi @Jon_AK 

I suppose that you are using central management (if not, and you are using local management, the method can be similar).

If I understand correctly, you are unable to create an exception for this "command injection".

I don't know how you tried to do that, but you can apply an exception via the Core protections.

The description of the steps is under the screenshot.

exception.png

Steps 1-3: these are straightforward
Steps 4-5: add the "Type" criteria to the filter column
6: select the Core
7: choose the "command injection"
8: select exceptions
9: add the exception as you wish

Unfortunately I can't test it in my lab, because I can't reproduce the issue.

The corresponding documentation: https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_ThreatPrevention_AdminGuide/...

I hope it helps,

Akos

----------------
\m/_(>_<)_\m/

5 Replies
Jon_AK
Contributor

Unfortunately, my screens don't come close to yours. I believe I found the core protections, but the only thing available to do is disable or set to log only.
QuantumSpark1575.png

AkosBakos
Advisor

It is a locally managed device. 😞 I don't have an SMB appliance with local management, so I can't help further.
Otherwise, why don't you open a ticket with TAC? There are a lot of SMB experts 🙂

----------------
\m/_(>_<)_\m/
Jon_AK
Contributor

Ok, I am not sure what I was doing wrong; I've been to this particular setting several times, but with the 1575 on local administration, it is Threat Prevention -> Exceptions. In the Protection column, you can't just type in Command Injection; I had to search for it & then select it from the list. This was the first place I went to when working to allow this connection but could not get it to work. Now it is working fine. Thank you for your help. Guess I just wasn't holding my mouth right.....
CommandInjectionSetting.png

AkosBakos
Advisor

No worries, that's why the forum was created (I think). And thanks for the screenshot, I hadn't seen before what it looks like on an SMB appliance.

----------------
\m/_(>_<)_\m/