honoriogab
Explorer

Utilization of IPS protection HTTP Header Patterns

We’re working on blocking traffic to a DMZ server based on the HTTP "User-Agent" header, due to unauthorized access attempts identified in our logs.

We've found the "HTTP Header Patterns" IPS protection under "Threat Prevention" > "Custom Policy Tools" > "IPS Protections," which seems to offer the needed granularity.

We have two questions:

  1. We noticed that this protection can be limited to specific servers via the "Protection Scope," which requires enabling the "Web Server" setting in each host object. How would this configuration impact existing IPS protections?

  2. Most traffic to the targeted server is HTTPS (port 443) and currently isn’t inspected by the firewall. To utilize the "HTTP Header Patterns" protection, is it necessary to enable HTTPS inspection for this traffic?

0 Kudos
3 Replies
PhoneBoy
Admin

The images were not included here, FYI. 
While this is configured in IPS, this is a "Core Protection" which means it requires an Access Policy installation for changes to take effect.
Also, the "Web Server" setting (shown here in a host object) only applies to specific "Core Protections" (not general IPS protections).

It's impossible to see the HTTP headers in an HTTPS connection without HTTPS Inspection, which means it will need to be configured for this protection to do anything.

0 Kudos
honoriogab
Explorer

Thank you very much for clarifying my question! It was very helpful. Additionally, do you have any documentation that could serve as a reference for this matter?


0 Kudos
PhoneBoy
Admin

Core Protections go back to the SmartDefense days (20+ years ago).
Not sure you still need to do the "Web Server" in the object, however it was necessary back in the day.
That might be why there is no specific documentation related to this.

Almost everything related to Layer 7 inspection of HTTPS traffic requires HTTPS Inspection to be enabled and configured correctly, regardless of feature.

0 Kudos
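As an added illustration, not code from the thread or from Check Point, of the two points above (the protection scope tied to "Web Server" host objects, and headers being invisible in un-inspected HTTPS): a small Python model that parses a request, checks whether the Host is a protected server, matches the User-Agent against block patterns, and reports "not-visible" for a TLS stream. Hostnames, patterns and sample bytes are constructed placeholders.

```python
import re

# Constructed samples (not from the thread): one plain-HTTP request to the DMZ
# web server, one to a host outside the scope, and the opening bytes of a TLS
# ClientHello standing in for an HTTPS flow the gateway does not decrypt.
HTTP_REQUEST = (
    b"GET /admin HTTP/1.1\r\nHost: dmz-web.example.test\r\n"
    b"User-Agent: python-requests/2.31\r\n\r\n"
)
OUT_OF_SCOPE_REQUEST = (
    b"GET / HTTP/1.1\r\nHost: intranet.example.test\r\n"
    b"User-Agent: python-requests/2.31\r\n\r\n"
)
TLS_CLIENT_HELLO = b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03" + b"\x00" * 16

# Hosts marked as "Web Server" objects, i.e. the protection scope (assumed names).
PROTECTED_SERVERS = {"dmz-web.example.test"}
# User-Agent patterns to block (constructed examples, case-insensitive).
UA_PATTERNS = [re.compile(p, re.I) for p in (r"python-requests/", r"^curl/")]


def parse_headers(raw: bytes):
    """Return a lower-cased header dict for a plaintext HTTP request, or None
    when the bytes are not readable HTTP (TLS record type 0x16 = handshake)."""
    if raw[:1] == b"\x16" or b"\r\n\r\n" not in raw:
        return None
    head, _, _ = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.decode("latin-1").split("\r\n")[1:]:  # skip request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def evaluate(raw: bytes) -> str:
    """'not-visible' when encrypted (HTTPS Inspection needed), 'out-of-scope'
    when Host is not a protected server, 'block' on a UA match, else 'allow'."""
    headers = parse_headers(raw)
    if headers is None:
        return "not-visible"
    if headers.get("host", "").split(":")[0] not in PROTECTED_SERVERS:
        return "out-of-scope"
    if any(p.search(headers.get("user-agent", "")) for p in UA_PATTERNS):
        return "block"
    return "allow"


if __name__ == "__main__":
    for label, raw in (("http", HTTP_REQUEST), ("other", OUT_OF_SCOPE_REQUEST),
                       ("tls", TLS_CLIENT_HELLO)):
        print(label, evaluate(raw))
```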
