Firewall as Proxy and Error Pages
We have an R80.10 cluster which has Firewall, IPS, Anti-Virus and Anti-Bot Blades in place and it is being used as a parent proxy. When the IPS/AV detect a virus signature (in this case the test EICAR virus) it drops the connection to the child proxy, however if the Anti-Bot detects an issue which is classed as reputation it is redirected to the UserCheck error pages. How do we set up the firewall to redirect all the "proxying" requests to UserCheck when there is a Threat Prevention issue?
Is the firewall an explicit proxy in this case?
Because if so, we may not be able to redirect the traffic to a UserCheck page.
See: How to configure Check Point Security Gateway as HTTP/HTTPS Proxy
Otherwise, a diagram of how the proxies are configured (related to users and Internet) would be helpful.
Yes it is being used as an explicit proxy.
The browsers are set up to use a proxy on the internal network which is configured to use the firewall as a parent proxy.
Not 100% as we don't manage the internal proxy but believe it is using a proxy.pac file.
What I suspect is happening is that AV/IPS cannot see there's something to block until well after the connection is established (almost over in the case of AV).
As we are past the point of being able to inject any sort of redirect at that point, it's not possible for us to inject a UserCheck page.
As a result, we just drop the connection, which I assume the client proxy then picks up as an issue and displays its own page.
With an Anti-bot reputation, we can check that before a real connection is established and thus display a UserCheck page to the user.
The comment I was going to make about the proxy.pac file is to make sure that connections redirected to the gateway itself are not sent through a proxy, which may already be happening.
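The proxy.pac point in the reply above, sketched as an added example that is not part of the original thread and not anyone's actual configuration: requests to the gateway's own address (where a UserCheck redirect would land) go direct, everything else goes to the internal proxy. The hostnames, the address, the port and the `isGatewayHost` helper are assumptions made up for illustration.

```javascript
// Added example PAC file. All names and addresses below are constructed
// placeholders; replace them with the real gateway and proxy values.
var GATEWAY_HOSTS = ["gw.example.internal", "192.0.2.1"]; // assumed gateway / UserCheck portal
var CHILD_PROXY = "PROXY proxy.example.internal:8080";    // assumed internal (child) proxy

// Hypothetical helper: exact match against the gateway's own names,
// ignoring case and a trailing dot so "GW.Example.Internal." still matches.
function isGatewayHost(host) {
  var h = String(host).toLowerCase().replace(/\.$/, "");
  return GATEWAY_HOSTS.indexOf(h) !== -1;
}

// Standard PAC entry point called by the browser for every request.
function FindProxyForURL(url, host) {
  // A redirect issued by the gateway to its own block page must reach the
  // gateway directly, not loop back through the proxy chain.
  if (isGatewayHost(host)) {
    return "DIRECT";
  }
  // Unqualified intranet names also stay off the proxy.
  if (String(host).indexOf(".") === -1) {
    return "DIRECT";
  }
  // Everything else follows the normal path: child proxy, then parent proxy.
  return CHILD_PROXY;
}
```

The match is exact on purpose: a suffix or wildcard rule for the gateway name would also send look-alike hostnames direct and so around the proxy's inspection.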
Thanks for looking at this and answering the question, appreciated.
