This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Oliver_Matt
Contributor
‎2021-12-14 06:57 AM

IPS: Connection accepted - But why?

Hi all,

I'm trying to find out why the connection below is accepted. Forensic reason is "HTTP parsing error detected. Bypassing the request as defined in the Inspection Settings." Precise Error is "illegal startline in request"

I'm not able to add an exception -> "This protection does not support exceptions"

2021-12-14 15_39_43-Log Details.png

The inspection setting "Non compliant HTTP" is set to inactive.

Thread Prevention blade is set to Fail-open. Could this be the cause?

Running on 80.40

Any ideas welcome

Kind regards

Oliver

Labels
0 Kudos
8 Replies
Marcel_Gramalla
Advisor
‎2021-12-14 07:10 AM

It's a bit confusing but this protection isn't directly from the IPS protections but from the general "Inspection Settings". You can add exceptions there. But keep in mind that you would have to enable this protection first and add exception for the connections you might need:
ips.JPG

 

We also have it disabled as it is standard in the default profile.

Oliver_Matt
Contributor
‎2021-12-14 07:33 AM
In response to Marcel_Gramalla

Hello Marcel,

confusing is the right word 🙂 As I've already mentioned in my post: Non compliant HTTP is already set to inactive. So why should this setting generate the log entry?

0 Kudos
Marcel_Gramalla
Advisor
‎2021-12-14 09:33 AM
In response to Oliver_Matt

Inactive actually doesn't mean it won't be logged - this is the same behavior with regular IPS exceptions. I honestly don't know what's the difference between detect and inactive but normally you have to also set the log column no "none" in order to do nothing. As you cannot do that with those inspection settings you would have to live with that I assume.

0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2021-12-14 10:50 AM
In response to Oliver_Matt

There are four overall types of IPS-related protections that all used to be part of the IPS blade prior to R80 but got (mostly) split out separately in R80+:

1) IPS ThreatCloud Protections (shield icon)

2) Inspection Settings (wrench icon)

3) Core Activations/Protections (only 39 of these - shield w/ firewall icon)

4) Geo Policy (legacy in R81+)

Regardless of type, exceptions are processed after the actual inspection occurs looking for that protection and simply changes the final decision (Prevent/Detect/etc.).  As such exceptions don't improve performance at all.  The ability to specify "Inactive" in an exception is indeed misleading, it probably should be "Ignore" which would be a bit more clear and slightly different than Detect.  For Inspection Settings specifically, hits against an exception there will always be logged and you can't change it.  Some Inspection Settings protections are inherent to the stateful inspection process and cannot directly be set to Inactive on the protection itself, let alone an exception.

The specific log you are seeing is related to an internal inspection failure and what to do when that happens (fail open or fail closed); in your case it failed open (bypass).  There is not a separate setting for Inspection Settings controlling this I'm aware of, I imagine it is keying off the Manage & Settings...Blades...Threat Prevention...Fail Mode option, even though Inspection Settings is supposed to be part of the Access Control policy.  See my commentary at the start of this article.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
Oliver_Matt
Contributor
‎2021-12-15 01:01 AM
In response to Timothy_Hall

Hi Timothy,

thank you for clearing this up. I've already assumed that this logs are caused because of the fail-open setting. Will switch the Thread blade to fail-close and keep on monitoring.

0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2021-12-15 04:52 AM
In response to Oliver_Matt

Definitely keep an eye on things for awhile when changing from fail-open to fail-close, you may be surprised what gets broken as a result.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
0 Kudos
Oliver_Matt
Contributor
‎2021-12-16 04:34 AM
In response to Timothy_Hall

Seems we've been too optimistic with Fail-open / Fail-close. I've set the Thread Prevention Blade to Fail-close but these kind of logs are still being generated. Any other ideas what protection or setting causes this issue?

0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2021-12-17 10:51 AM
In response to Oliver_Matt

Probably will need a TAC case for this, as I don't see where the fail mode is controlled from for Inspection Settings, it must not be using the TP Setting.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events