This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Neil_Plastow
Participant
‎2018-07-20 03:39 AM

Firewall as Proxy and Error Pages

We have a R80.10 cluster which has Firewall, IPS, Anti-Virus and Anti-Bot Blades in place and it is being used as a parent proxy. When the IPS/AV detect a virus signature (in this case the test Eicar virus) it drops the connection to the child proxy, however if the Anti-bot detects an issue which is classed as reputation it is redirected to the UserCheck error pages. How do we set up the firewall to redirect all the "proxying" requests to UserCheck when there is a Threat Prevention issue ?

6 Replies
PhoneBoy
Admin
Admin
‎2018-07-20 12:16 PM

Is the firewall an explicit proxy in this case?

Because if so, we may not be able to redirect the traffic to a UserCheck page.

See: How to configure Check Point Security Gateway as HTTP/HTTPS Proxy 

Otherwise, a diagram of how the proxies are configured (related to users and Internet) would be helpful.

0 Kudos
Neil_Plastow
Participant
‎2018-07-23 02:29 AM
In response to PhoneBoy

Yes it is being used as an explicit proxy.

The browsers are setup to use a proxy on the internal network which is configured to use the firewall as a parent proxy.

0 Kudos
PhoneBoy
Admin
Admin
‎2018-07-23 07:27 AM
In response to Neil_Plastow

How are the clients configured to use your other proxy? By IP/host or through a proxy.pac somewhere?


0 Kudos
Neil_Plastow
Participant
‎2018-07-23 08:08 AM
In response to PhoneBoy

Not 100% as we don't manage the internal proxy but believe it is using a proxy.pac file.

0 Kudos
PhoneBoy
Admin
Admin
‎2018-07-23 08:28 AM
In response to Neil_Plastow

What I suspect is happening is that AV/IPS cannot see there's something to block until well after the connection is established (almost over in the case of AV).

As we are past the point of being able to inject any sort of redirect at that point, it's not possible for us to inject a UserCheck page.

As a result, we just drop the connection, which I assume the client proxy then picks up as an issue and displays its own page.

With an Anti-bot reputation, we can check that before a real connection is established and thus display a UserCheck page to the user.

The comment I was going to make about proxy.pac file is to make sure that connections redirected to the gateway itself are not sent through a proxy, which may already be happening.

0 Kudos
Neil_Plastow
Participant
‎2018-07-23 08:45 AM
In response to PhoneBoy

Thanks for looking at this and answering the question, appreciated.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events