This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
andrzej_starmac
Explorer
‎2018-03-16 06:07 AM

Why Checkpoint is dropping http 302 redirect?

Hi All,

In the setup there is Load Balancer (which upon inital client's http connection is doing 302 http redirect to https site).

After upgrading the software version on the LB, CheckPoint with IPS is dropping that 302 - and is sending TCP Rest packet to Load Balancer and HTTP/1.1 503 Service Unavailable to the client:

HTTP/1.1 503 Service Unavailable
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Proxy-Connection: close
Connection: close
Content-Length: 768

<HTML><HEAD>
<TITLE>Network Error</TITLE>
</HEAD>
<BODY>
<FONT face="Helvetica">
<big><strong></strong></big><BR>
</FONT>
<blockquote>
<TABLE border=0 cellPadding=1 width="80%">
<TR><TD>
<FONT face="Helvetica">
<big>Network Error (tcp_error)</big>
<BR>
<BR>
</FONT>
</TD></TR>
<TR><TD>
<FONT face="Helvetica">
A communication error occurred: ""
</FONT>
</TD></TR>
<TR><TD>
<FONT face="Helvetica">
The Web Server may be down, too busy, or experiencing other problems preventing it from responding to requests. You may wish to try again at a later time.
</FONT>
</TD></TR>
<TR><TD>
<FONT face="Helvetica" SIZE=2>
<BR>
For assistance, contact your network support team.
</FONT>
</TD></TR>
</TABLE>
</blockquote>
</FONT>
</BODY></HTML>

There is a slight difference in http header of that 302 generated by Load Balancer on older and newer version:

1. Older software version of Load Balancer  - CheckPoint not dropping it:
HTTP/1.1 302 Moved Temporarily
Location: https://www.abs.com/
Connection: close
Cache-Control: no-cache
Pragma: no-cache

2. New software version of Load balancer - 302 dropped by Checkpoint 
HTTP/1.1 302 Found : Moved Temporarily
Location: https://www.abs.com/
Connection: close
Cache-Control: no-cache
Pragma: no-cache

Can you advise why IPS is dropping above (2) http 302 ? It does not 'like' colon in the header or something else ?

Thanks,

Andy

0 Kudos
5 Replies
Vladimir
Champion
Champion
‎2018-03-16 09:26 AM

Can you post the event from the smartlog for the initial connection and the drop?

How is the load balancer object defined in CP?

0 Kudos
PhoneBoy
Admin
Admin
‎2018-03-16 03:42 PM

Looks like one of the IPS signatures is thinking the response from the Load Balancer is invalid.

In which case you may want to engage with the TAC so we can adjust the relevant signatures.

Contact Support | Check Point Software 

0 Kudos
PhoneBoy
Admin
Admin
‎2018-03-18 09:47 AM
In response to PhoneBoy

Some discussion in the background with R&D suggests this is actually an issue with the HTTP Parser.

In which case it will involve a code-level fix, thus you will definitely need to speak with the TAC https://community.checkpoint.com/people/astar5e2fe84e-e920-3831-8ecf-31e66fbaaf62

andrzej_starmac
Explorer
‎2018-03-21 09:46 AM
In response to PhoneBoy

Thanks a lot for your help. 

It looks like issue is with HTTP parser in Checkpoint, RFC does not forbid using ":" (colon) character it Reason Phrase of the 302 HTTP response.

I will not be going via Checkpoint TAC. 

Please pass it on to your engineering if there is interest in fixing this in the end (seem like this code issue was in Checkpoint for many years now)

0 Kudos
PhoneBoy
Admin
Admin
‎2018-03-21 12:26 PM
In response to andrzej_starmac

I believe there is already a fix for it.

If you want it, then you will need to get it from TAC.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events