Timothy_Hall
Legend

Inspection Settings enforce compliance at the protocol level and are inherent to the basic stateful inspection process; these signatures used to be part of the IPS blade prior to R80 and to some degree are still influenced by IPS settings.  Inspection Settings are not looking for known attacks but protocols being used in a weak way (i.e. no POP3/IMAP password) or protocols being used in a fashion that violates that protocol's standard or an RFC.  Many of them are set to Inactive as some vendors do not strictly adhere to the protocol standards or come up with their own proprietary extensions, thus resulting in false positives.  Once again, Inspection Settings are not looking for known exploits/attacks, just nonstandard or weak behavior.  Just because traffic matches an Inspection Setting that is Inactive does not automatically mean it is accepted; it can still be dropped by a policy layer rule or some other blade such as APCL/URLF or Threat Prevention.

My interpretation of Inspection Settings protections that are N/A is that these are just placeholders for protections whose behavior is controlled elsewhere from Threat Prevention, or the settings under Global Properties...Advanced...Advanced Configuration...Configure.

In the case of your HTTP traffic matching the HTTP Protocol General protection and being accepted, that just means that the HTTP protocol inspection could not be performed and that traffic bypassed inspection by that Inspection Settings signature.  Some other element of the firewall's configuration can still block it later.  This situation qualifies as an inspection engine failure, and by default it is set to fail-open.  If you want it to fail closed, change the Fail Mode setting located on Manage & Settings...Blades...Threat Prevention...Advanced Settings to fail-closed.  But be warned that the traffic that formerly bypassed HTTP Protocol Inspection will be immediately denied because the inspection failed, and this may break stuff in your network.

 

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com