This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Jon_AK
Contributor
‎2024-08-30 10:18 AM
Jump to solution

Create Allow rule for specific IP address

Good morning.  I have a Quantum Spark 1575 appliance that I cannot seem to get a rule to work to allow from & to a specific IP address.  Our accounting system is a predominatly PHP app that runs on a Ubuntu 24..04 server.  In the program is a update link for checking / updating the accounting software.  When the link is executed, it fails to run but not 100% certain it is the firewall appliance.  The logs are showing the IPS blade intercepting & blocking a command injection which under normal circumstances would be good.  However, I verified it is occuring when executing the update link.  I tried creating rules from the Thread Prevention -> Exceptions, new Access policy & even going as far as disabling all blades but cannot get the IPS to stop blocking the outgoing / incoming connection.  Apparently, the continuing discussion with their tech support shows no functionality impairments or errors so, trying to eliminate this problem.  Where & how to proceed???

Preview file
164 KB
0 Kudos
1 Solution

Accepted Solutions
AkosBakos
Advisor
‎2024-08-30 11:01 AM
Jump to solution

Hi @Jon_AK 

I suppose that, you sre using central management. (if not, and you are using local management, the method can be similar)

If I understand correctly you are unable to create an exception for this "command injection" 

I don't know how tried to do that but you can apply an exception by the Core protections

The descriptions of the steps is under the screenshot

exception.png

1-3 steps: this is straightforward
4-5: add the "Type" critera to the filter column
6: select the Core
7: choose the "command injection"
8: select exceptions
9: add the exception as you wish

Unfortunately I can't test it in my lab, because I can't reproducate the issue.

The corresponding documentation: documentation: https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_ThreatPrevention_AdminGuide/...

Editing Core IPS Protections

To edit core protections

 

I hope it helps,

Akos

----------------
\m/_(>_<)_\m/

View solution in original post

0 Kudos
5 Replies
AkosBakos
Advisor
‎2024-08-30 11:01 AM
Jump to solution

Hi @Jon_AK 

I suppose that, you sre using central management. (if not, and you are using local management, the method can be similar)

If I understand correctly you are unable to create an exception for this "command injection" 

I don't know how tried to do that but you can apply an exception by the Core protections

The descriptions of the steps is under the screenshot

exception.png

1-3 steps: this is straightforward
4-5: add the "Type" critera to the filter column
6: select the Core
7: choose the "command injection"
8: select exceptions
9: add the exception as you wish

Unfortunately I can't test it in my lab, because I can't reproducate the issue.

The corresponding documentation: documentation: https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_ThreatPrevention_AdminGuide/...

Editing Core IPS Protections

To edit core protections

 

I hope it helps,

Akos

----------------
\m/_(>_<)_\m/
0 Kudos
Jon_AK
Contributor
‎2024-08-30 11:22 AM
In response to AkosBakos
Jump to solution

Unfortunately, my screens don't come close to yours.  I believe I found the core protections but the only thing available to do is disable or set to log onlyQuantumSpark1575.png

 

0 Kudos
AkosBakos
Advisor
‎2024-08-30 11:31 AM
In response to Jon_AK
Jump to solution

It is a locally managed device. 😞 I don't have SMB appliance with local management, so I can't help further. 
Otherwise. why don't you open a ticket by TAC? There are a lot of SMB experts 🙂

----------------
\m/_(>_<)_\m/
0 Kudos
Jon_AK
Contributor
‎2024-08-30 11:34 AM
In response to Jon_AK
Jump to solution

Ok, I am not sure what I was doing wrong, been to this particular setting several times but with the 1575 on local administration, it is Threat Prevention -> Exceptions.  In the Protection column, Can't just type in Command Injection, had to search for it & then select it from the list.  This was the first place I went to when working to allow this connection but could not get it to work.  Now it is working fine.  Thank you for your help.  Guess I just wasn't holding my mouth right.....
CommandInjectionSetting.png

 

0 Kudos
AkosBakos
Advisor
‎2024-08-30 11:44 AM
In response to Jon_AK
Jump to solution

No worries, that's why the forum was created (I think). And thanks for the screenshot, I haven't seen it before how is it looks like on a SMB appliance.

----------------
\m/_(>_<)_\m/
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events