G-
Participant

r81.20 How to create an IPS exception using the 'proxied source ip' field?

We have a WAF (Web Application Firewall) acting as external protection for our internally hosted web servers.

We also have a vulnerability scanner external to our network probing for issues which are generating a large number of IPS alerts.

When I look at the logs, the source IP field is the WAF internal address, and the 'Proxied Source IP' field contains the source IP of the external scanner.

I need to be able to create an exception for these IPS alerts, but there doesn't seem to be a way to specify the proxied source IP field in the exception; you can only seem to use the internal address of the WAF. I can't use this as it would blind us to probes from other external IPs that were getting through the WAF for some reason.

Is there a way to achieve the IPS exception for a specific proxied source IP?

Thx.


Accepted Solutions
Wolfgang
Authority

@G- that's not possible. There was a similar post: "IPS exception based on Proxied Source IP?" (Check Point CheckMates).

Maybe @Timothy_Hall's idea could work.

G-
Participant

Thanks for the response. I tried searching but obviously missed that one. I'll have a look at the idea proposed. Cheers.

Timothy_Hall
Legend

You also might be able to create a custom Snort IPS rule matching the proxy HTTP header field, import it, then create an exception matching that custom Snort rule with an action of Inactive.

Attend my 60-minute "Be your Own TAC: Part Deux" Presentation
Exclusively at CPX 2025 Las Vegas Tuesday Feb 25th @ 1:00pm
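
The kind of rule the reply above describes, as an added example that is not from the original thread or from Check Point: a Snort 2.x rule that matches the proxy header carrying the scanner's address. The header name `X-Forwarded-For`, the address 203.0.113.10 (documentation range), the rule name and the sid are assumptions; whether the R81.20 Snort import accepts every option used here is not confirmed on this page.

```snort
# Added example in standard Snort 2.x rule syntax (not the poster's own rule).
# Assumptions:
#   - the WAF puts the original client address in the X-Forwarded-For header
#   - 203.0.113.10 is a placeholder for the external scanner's address
#   - sid 1000001 is an arbitrary id from the local-rule range
#
# |3A 20| is ": " and |0D 0A| is the CRLF ending the header line. Anchoring on
# CRLF stops 203.0.113.10 from also matching 203.0.113.100 and similar, but it
# means the rule only matches when the scanner address is the last (or only)
# entry in the header.
#
# The match is only trustworthy if the WAF overwrites any X-Forwarded-For value
# supplied by the client; if it passes the header through, any client can send
# this value and would be covered by an exception built on the rule.
alert tcp any any -> any any (msg:"Ext_Scanner_via_WAF_XFF"; content:"X-Forwarded-For|3A 20|203.0.113.10|0D 0A|"; nocase; sid:1000001; rev:1;)
```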
G-
Participant

Thanks for the additional idea, Timothy. To be honest, I doubt I have enough time to learn how to do all that; I'm going to lean on the WAF supplier to create a unique SNAT for the external scanner and 'cheat' 🙂
