This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
dcatpegs
Participant
‎2019-11-07 12:58 PM
Jump to solution

HTTP Inspection in R80 - HTTP 0.9 Blocked

I have been kicking this around with support for a few weeks now and hoping to see if anyone else noticed this.

We have been R77.30 for years and started upgrading to R80.20.  After upgrading the Security Gateways in a test site to R80 I started noticing some blocked traffic.

The request is simply "GET /"

The reason info is

Reason: illegal header format detected: Malformed HTTP protocol name in request
Information: illegal header format detected
Name: Block HTTP Non Compliant

It is definitely blocking due to the lack of version on the end of the request "GET / HTTP/1.0".  My argument is that HTTP 0.9 while not widely used is still used by large vendors like F5 on their default health checks.

Has anyone else noticed this behavior when going from R77 to R80?

My issue is I do not want to add an exclusion if I can avoid it because this would disable all HTTP inspection for our load balancers until we could change any health checks and there seems to be no way to still support HTTP 0.9

Did CheckPoint deprecate HTTP 0.9 without any notice?

Has anyone else noticed this?

0 Kudos
1 Solution

Accepted Solutions
dcatpegs
Participant
‎2019-11-11 06:39 AM
Jump to solution

CheckPoint responded with sk163481.  The dates are well after my ticket was created so my ticket most likely prompted the creation of this.  Fun find!

View solution in original post

3 Replies
FedericoMeiners
Advisor
‎2019-11-07 03:59 PM
Jump to solution

Hello,

There is no much information regarding HTTP 0.9 being deprecated, most of the time you have to solve this by adding exceptions to the inspection settings as you stated.

I managed to find sk117392 were the following kernel parameter is presented to avoid these errors:

To check the current value of this kernel parameter:
[Expert@HostName]# fw ctl get int ws_strict_parsing
To set the desired value for this kernel parameter on-the-fly (does not survive reboot):
[Expert@HostName]# fw ctl set int ws_strict_parsing 0

I would highly suggest you to contact the TAC about this inquiry and the proposed flag.

Hope it helps

__

 

____________
https://www.linkedin.com/in/federicomeiners/
0 Kudos
dcatpegs
Participant
‎2019-11-07 04:18 PM
In response to FedericoMeiners
Jump to solution

I found that article as well.  I don't know that I need to set that option on the firewall as the inspection policy has something similar as well that could be unchecked.

I think this was an oversight that HTTP 0.9 did not require a version.  Granted HTTP 1.0 was circa 96 so they likely inadvertently deprecated it.

0 Kudos
dcatpegs
Participant
‎2019-11-11 06:39 AM
Jump to solution

CheckPoint responded with sk163481.  The dates are well after my ticket was created so my ticket most likely prompted the creation of this.  Fun find!

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events