CheckMates > Products > Quantum > Threat Prevention
Utilization of IPS protection HTTP Header Patterns
We’re working on blocking traffic to a DMZ server based on the HTTP "User-Agent" header, due to unauthorized access attempts identified in our logs.
We've found the "HTTP Header Patterns" IPS protection under "Threat Prevention" > "Custom Policy Tools" > "IPS Protections," which seems to offer the needed granularity.
We have two questions:
1. We noticed that this protection can be limited to specific servers via the "Protection Scope," which requires enabling the "Web Server" setting in each host object. How would this configuration impact existing IPS protections?
2. Most traffic to the targeted server is HTTPS (port 443) and currently isn’t inspected by the firewall. To utilize the "HTTP Header Patterns" protection, is it necessary to enable HTTPS inspection for this traffic?
The images were not included here, FYI.
While this is configured in IPS, this is a "Core Protection" which means it requires an Access Policy installation for changes to take effect.
Also, the "Web Server" setting (shown here in a host object) only applies to specific "Core Protections" (not general IPS protections).
It's impossible to see the HTTP headers in an HTTPS connection without HTTPS Inspection, which means it will need to be configured for this protection to do anything.
Thank you very much for clarifying my question! It was very helpful. Additionally, do you have any documentation that could serve as a reference for this matter?
Core Protections go back to the SmartDefense days (20+ years ago).
Not sure you still need to do the "Web Server" in the object, however it was necessary back in the day.
That might be why there is no specific documentation related to this.
Almost everything related to Layer 7 inspection of HTTPS traffic requires HTTPS Inspection to be enabled and configured correctly, regardless of feature.
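As an added illustration (not from this thread and not Check Point's code), the Python sketch below mimics the decision the "HTTP Header Patterns" protection makes as described in the replies above: match a pattern against one header, only for hosts inside the Protection Scope, and show why a TLS record yields nothing to match unless HTTPS Inspection has first decrypted the stream. The protected server address, the header pattern and the sample payloads are all constructed for the example.

```python
import re

# Constructed stand-ins for the gateway configuration discussed in the thread:
# the hosts with "Web Server" enabled (Protection Scope), the header to inspect,
# and the pattern to block on. None of these values come from a real deployment.
PROTECTED_WEB_SERVERS = {"192.0.2.10"}
HEADER_NAME = "user-agent"
PATTERN = re.compile(r"(?i)^badbot/")   # constructed sample User-Agent pattern


def is_tls_record(data: bytes) -> bool:
    """TLS records begin with a content-type byte (0x14-0x17) followed by major version 0x03."""
    return len(data) >= 3 and data[0] in (0x14, 0x15, 0x16, 0x17) and data[1] == 0x03


def parse_http_head(data: bytes) -> dict:
    """Parse the header block of a plaintext HTTP/1.x request into a lowercase-name dict."""
    head = data.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:        # skip the request line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def inspect(dst_ip: str, payload: bytes) -> str:
    """Return 'block', 'allow' or 'not-inspected' for one client-to-server payload."""
    if dst_ip not in PROTECTED_WEB_SERVERS:
        return "allow"                 # destination is outside the Protection Scope
    if is_tls_record(payload):
        return "not-inspected"         # encrypted: headers are invisible without HTTPS Inspection
    headers = parse_http_head(payload)
    if PATTERN.search(headers.get(HEADER_NAME, "")):
        return "block"
    return "allow"


# Constructed samples: a plaintext request and the opening bytes of a TLS ClientHello.
PLAIN_REQUEST = (b"GET /admin HTTP/1.1\r\nHost: dmz.example.test\r\n"
                 b"User-Agent: BadBot/1.0\r\n\r\n")
TLS_CLIENT_HELLO = b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03"

if __name__ == "__main__":
    print(inspect("192.0.2.10", PLAIN_REQUEST))      # block
    print(inspect("192.0.2.10", TLS_CLIENT_HELLO))   # not-inspected
```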
