This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
tom_barat
Participant
‎2018-06-11 04:32 AM

GAIA R80.10 IPS only blocks URL-based attacks

Hi,

It is my first time configuring checkpoint products and i am still having some issues with the IPS.

I have a R80.10 firewall module with IPS enabled ( and configured in a rather strict profile) and a vulnerable web server behind it.

When I attack the web server, the IPS properly detects URL-based attack ( for instance a SQLi where the injection is in URL parameters ) but it doesn't detect or block anything that is done in the "body" of the request, for instance in POST params.

As i am a beginner this could be induced by a stupid configuration mistake but i did not find any sk specific to that issue.

Thank you in advance for your time and help.

6 Replies
G_W_Albrecht
Legend
Legend
‎2018-06-11 05:04 AM

I can suggest the document Check Point R80.10 IPS Best Practices Guide for first time configuration. To check if there is a config issue, you can search the CVEs of the exploits tested.

CCSE CCTE SMB Specialist
0 Kudos
tom_barat
Participant
‎2018-06-11 05:33 AM
In response to G_W_Albrecht

Hi, 

the CVE for SQL injection shows as "drop" for my IPS profile. It is more tricky for other exploits, like command injection over HTTP, where there is no CVE. It is, however, in prevention mode in my profile.

0 Kudos
G_W_Albrecht
Legend
Legend
‎2018-06-11 05:51 AM
In response to tom_barat

The you had better ask TAC about this...

CCSE CCTE SMB Specialist
0 Kudos
PhoneBoy
Admin
Admin
‎2018-06-11 10:23 AM

A continuation of this thread, I see: R80.10 Security Gatway IPS detects SQLi but not command injection

I'll ask the experts internally Smiley Happy

0 Kudos
tom_barat
Participant
‎2018-06-11 11:53 PM
In response to PhoneBoy

Yes, although i poorly identified the problem at first, i thought it was best to open two threads to clarify that there are actually two different issues.

Thank you for your help.

PhoneBoy
Admin
Admin
‎2018-06-12 05:40 AM
In response to tom_barat

It is two different issues, correct, but along the same lines Smiley Happy

The protection should cover all parts of the HTTP request, but it's possible something was missed.

I'm going to have R&D reach out to you privately to get the details of what you're doing so we can improve the protection.

0 Kudos