Terri_Hawkins
Contributor

Non HTTP Traffic on HTTP Port Question

Hi All, I am looking for a little guidance on best practices for Inspection Settings. I have Check Point R81 for the MGR and R80.40 on my gateways (soon to be upgraded).

The inspection setting I am specifically looking at is "Non HTTP Traffic on HTTP Port". I looked at the recommended and default profiles and both show "Inactive". I set mine to "Active" but just detecting so I could see the traffic. There is so much of it! Is there a reason nowadays to have this set to inactive? Should we be expecting a lot of non-HTTP traffic coming across on HTTP ports? Is this no longer the threat it used to be? (I am just assuming it used to be a threat, or why would they have created it to begin with and now have it inactive?)

I found this article on cpug but it is from 2017. Looks like this company saw tons of traffic being dropped and it sounds like it caused issues for them. Unfortunately it was for Illegal Header Format and HTTP 0.9: https://www.cpug.org/forums/archive/index.php/t-22224.html

SK117392 (mentioned in the article) does not appear to be available, and SK163481 is about Illegal Header Format detected (I have none of these); mine seem to be mostly Illegal Start Line.

This advisory makes it sound to me like it is very important to stop the traffic, but it is also old, so maybe that is why it is now set to inactive...
https://www.checkpoint.com/defense/advisories/public/2012/cpai-2012-118.html/

I am really going down a rabbit hole here; if anyone has any insight I would surely appreciate it.

Thanks
terri

1 Reply
_Val_
Admin

The mentioned SK is available: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... However, it is only applicable to older, unsupported versions.

Now, dropping non-HTTP traffic on Web ports may not be the best idea. One of the cases is described in sk168612.

Since 2016, when TCP port 80 was widely used for all kinds of connectivity because it is always open, most of those activities have moved to 443 and are being encrypted.

If you have concerns, you can enable it. Mind, it may affect some legitimate traffic too, if it is not exactly RFC compliant.

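What "Illegal Start Line" in Terri's detect-mode logs and the "not exactly RFC compliant" caveat in Val's reply both come down to is whether the first bytes a client sends on a port-80 connection form an RFC 7230 request line. The following is an added illustration written for this thread, not Check Point's inspection code, and it makes no claim about how the gateway's protection is implemented; all payloads are constructed. It separates strictly compliant HTTP/1.x, legitimate-but-lenient HTTP (bare LF line endings, HTTP/0.9 simple requests) that a strict check could drop, start lines that are text but not HTTP, and genuinely non-HTTP protocols (a TLS record or an SSH banner on port 80), then tallies the verdicts the way a detect-only run lets you see what an Active setting would block.

```python
import re
from collections import Counter

# Added example, not Check Point code. Request-line grammar from RFC 7230 §3.1.1:
#   method SP request-target SP HTTP-version CRLF
# method is a "token" (RFC 7230 §3.2.6); request-target is any run of non-whitespace.
TOKEN = rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
REQUEST_LINE = re.compile(rb"^(" + TOKEN + rb") ([^ \t\r\n]+) HTTP/(\d)\.(\d)$")
# HTTP/0.9 "Simple-Request" (RFC 1945 §5): "GET <target>" with no version field.
SIMPLE_REQUEST = re.compile(rb"^GET ([^ \t\r\n]+)$")


def classify_start_line(payload: bytes) -> str:
    """Classify the first client bytes of a TCP/80 connection (simplified, illustrative)."""
    # Binary protocols that commonly ride on port 80 because it is "always open".
    if payload.startswith(b"\x16\x03"):          # TLS record layer: handshake, version 3.x
        return "non_http:tls_record"
    if payload.startswith(b"SSH-"):              # SSH identification string (RFC 4253 §4.2)
        return "non_http:ssh_banner"

    lf = payload.find(b"\n")
    if lf == -1:
        return "illegal_start_line:no_terminator"  # nothing parseable as a line yet
    line = payload[:lf]
    # RFC 7230 §3.5: a recipient MAY accept a bare LF as the line terminator.
    # Accept it, but report it separately because a strict engine might not.
    strict = line.endswith(b"\r")
    if strict:
        line = line[:-1]

    # A request line is printable US-ASCII; anything else is not HTTP at all.
    if not all(0x20 <= b < 0x7F for b in line):
        return "non_http:binary"
    if REQUEST_LINE.match(line):
        return "http/1.x" if strict else "http/1.x:bare_lf"
    if SIMPLE_REQUEST.match(line):
        return "http/0.9"
    return "illegal_start_line"


# Constructed sample payloads (not captured traffic), keyed by a label for readability.
SAMPLES = {
    "browser":          b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n",
    "script_bare_lf":   b"POST /api HTTP/1.1\nHost: example.com\n\n",
    "legacy_0_9":       b"GET /\r\n",
    "space_in_target":  b"GET /a b HTTP/1.1\r\n",      # unescaped space: not a request line
    "garbage_text":     b"HELLO WORLD\r\n",
    "tls_on_80":        b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03",
    "ssh_on_80":        b"SSH-2.0-OpenSSH_8.9\r\n",
    "binary_blob":      b"\x00\x01\x02\n",
}


def summarize(samples: dict) -> Counter:
    """Count verdicts, as a detect-only run would let you see before switching to Prevent."""
    return Counter(classify_start_line(p) for p in samples.values())


if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:16} {classify_start_line(payload)}")
    print(dict(summarize(SAMPLES)))
```

Two of the eight constructed payloads are ordinary HTTP that a strict RFC check would still flag (bare LF and HTTP/0.9), which is the kind of legitimate traffic Val warns about; the two "illegal_start_line" verdicts are text that is not HTTP at all, and the remaining three are other protocols tunnelled over port 80.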