R80.10 Security Gateway IPS detects SQLi but not command injection
Hi,
I have a vulnerable web server behind a R80.10 Security gateway. I activated a strict IPS profile on the gateway.
When I use a machine in front of the firewall module to make simple attacks on the web server, the FW properly detects and blocks SQLi attempts, but not command injection such as inserting " ;ls " in a field.
This behavior is exactly the same for https and http traffic.
Is there a specific feature to enable or a specific configuration for the firewall to be able to block command injection attacks?
Thank you in advance.
- Tags:
- gaia r80.10
- ips
This is more of a Threat Prevention question.
Have you opened a TAC case, by chance?
Hi, thank you for moving the question to the appropriate location.
I don't even have enough privileges to see sk solutions, so I don't think I can open support tickets; please let me know if I am mistaken.
As a partner (based on the email address in your profile), I would think you could open support tickets.
You should have SK access at the very least.
In any case, have you looked into these protections?
Note that one of them is actually a "Core Protection" (enforced in the firewall versus IPS):
I will try to open a support ticket.
The protections you showed are all in prevent mode in my IPS profile, the "core prevention" one is in drop mode.
Hi,
Open IPS Protections; on the right side, in the filter options for the Product filter, select SQL Server. You will currently get around 21 protections. Are all of them set to Prevent for your profile?
Especially these:
Also double check IPS profile assigned for your gateways under Threat Prevention.
Thank you for your answer, but I think you might have misread the question. SQLi is not the problem; these injections are properly blocked and the FW module behaves as expected for this type of attack.
Command injection is the issue. However, I checked the command injection protections in IPS protections, and "Command Injection over HTTP" is indeed in prevent mode for the profile associated with my FW module.
I checked with our team that works on IPS protections.
The protection is currently focusing more on other commands which can do more damage.
"ls" doesn't cause damage on its own.
That said, we're working on updating the signatures to address this; the expected timeframe is the end of this week.
Okay, thank you. I guess I could have tried with " rm " or some "wget" to see what was happening.
Also, the XSS attacks I tried were harmless JS scripts containing " alert('hello'); " and they were blocked, so I assumed it was the exploitation of the vulnerability that was blocked, regardless of whether this exploitation was harmful.
Anyway thanks for the info.
FYI the protection this should trigger on is Command Injection over HTTP.
This signature should receive an update in the near future.
Thank you for following up on this.
However, I think I had an additional issue anyway, because the IPS on my firewall module only detects URL-based attacks. An XSS attack where the script is contained in the parameters of the request and not in the URL will not be blocked.
I have to work on this.
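To make the two observations in this thread concrete, here is a small added Python example (not Check Point code, and not the logic of the real "Command Injection over HTTP" signature, which is not published here). It decodes parameters from both the URL query string and a form-encoded POST body and tags each value, so you can see that an inspector limited to the URL misses the same payload sent in the body, and that a signature keyed on the command word following a shell separator treats ";ls" differently from "rm" or "wget", as the vendor reply above describes. The impact tiers, the `lab.example` host and all sample requests are constructed for this example.

```python
"""
Added example (not Check Point code and not the IPS signature logic): a small
HTTP request inspector that decodes parameters from both the URL query string
and a form-encoded POST body, then tags each value. It shows two things from
the thread: an inspector that looks only at the URL misses the same payload
sent in the body, and a signature keyed on the command word after a shell
separator treats ";ls" differently from "rm" or "wget". The impact tiers and
the sample requests are constructed for this example.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# A shell separator (; | & ` or $( ) followed by a command word.
_CMD_WORD = re.compile(r"(?:[;|&`]|\$\()\s*(\w+)")
# Hypothetical tiers: commands the thread names as "doing damage" vs. not.
_HIGH_IMPACT = {"rm", "wget"}
# A script tag or a bare alert() call, as in the harmless XSS test in the thread.
_SCRIPT = re.compile(r"<script\b|\balert\s*\(", re.IGNORECASE)


def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, path, query params and body params."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    query = parse_qsl(url.query, keep_blank_values=True)
    body_params = []
    # Only form-encoded bodies are decoded here; JSON and multipart are out of scope.
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        body_params = parse_qsl(body.decode("latin-1"), keep_blank_values=True)
    return {"method": method, "path": url.path, "query": query, "body": body_params}


def classify_value(value):
    """Return the tags that apply to one decoded parameter value."""
    tags = []
    match = _CMD_WORD.search(value)
    if match:
        tags.append("cmdinj-high" if match.group(1) in _HIGH_IMPACT else "cmdinj-low")
    if _SCRIPT.search(value):
        tags.append("xss")
    return tags


def inspect(raw, url_only=False):
    """Tag every parameter; with url_only=True, behave like a URL-only inspector."""
    req = parse_request(raw)
    locations = [("query", req["query"])]
    if not url_only:
        locations.append(("body", req["body"]))
    findings = []
    for where, params in locations:
        for name, value in params:
            for tag in classify_value(value):
                findings.append((where, name, tag))
    return findings


# Constructed samples: the same ";ls" payload in the URL and in a POST body.
GET_REQ = b"GET /search?q=%3Bls HTTP/1.1\r\nHost: lab.example\r\n\r\n"
POST_REQ = (
    b"POST /search HTTP/1.1\r\nHost: lab.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 7\r\n\r\n"
    b"q=%3Bls"
)

if __name__ == "__main__":
    print("GET, full inspection:     ", inspect(GET_REQ))
    print("POST, full inspection:    ", inspect(POST_REQ))
    print("POST, URL-only inspection:", inspect(POST_REQ, url_only=True))
```

Running the block prints one "cmdinj-low" finding for the GET request, the same finding for the POST request, and nothing for the POST request under URL-only inspection, which is the gap noted in the post above. When reproducing an IPS miss for a support case, capturing the full request (headers and body) rather than just the URL lets the analyst see which of the two locations carried the payload.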
Hi Tom,
Please approach TOC with questions regarding protections.
Please make sure to attach relevant Pcaps.
Thanks.
I would, but as I discovered when trying to do so, I also have a packet capture problem, where the FW module does not capture packets by default, and explicitly enabling it on my threat prevention policy not only does not work but also disables logging for all IPS protections.
I think I will need advanced help from support, and probably a reinstall, since my lab runs on VMs with limited storage to install hotfixes.
In VMs, if there is enough storage available, but not used for CP yet, please just follow sk94671 How to add hardware resources, such as log storage, to a VMware Virtual Machine running Gaia... .
Thank you for your answer; I figured out this was the issue and fixed it in the meantime.
Maybe adding a quick warning that insufficient storage can break some features would be nice. As a total beginner, I was under the impression the appliances would delete old logs as time went by, rather than keep accumulating logs and end up with broken features.
There is a (configurable) automatism to rotate logs, but there is also a suggested amount of free space needed for logging, depending on traffic load, active blades and logs generated. Every troubleshooting session's first CLI command on SSH should be
# df
as full storage will make the system not work at all...
Good to know. In my specific case I did enable log rotation, but I guess I set the threshold too low. I will make sure to check the free space requirements for each blade and set the threshold accordingly, in case I run into obscure issues again.
We have two concerns: a GW must have log rotation set to a value that leaves enough space for the FW to work. The SMS the logs are sent to had better get a rather generous amount of free space, and we also have to consider SmartEvent if used. The biggest advantage of SMS on ESX is that I am able to add storage whenever I need to, and that the storage is only used when needed (if configured that way).
