This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
AngeloP
Participant
‎2022-05-16 06:02 AM

Threat Prevention Proxied Source IP parsing

Hi,

 

I'm wondering if it's possible to specify additional headers to be used by checkpoint in order to parse and retrieve the proxied source IP field in IPS alerts (other than XFF).

I have a reverse proxy which adds a different http header than X-Forwarded-For (called slightly differently), i suppose CheckPoint parses only the XFF header in order to get the proxied source IP and does not recognize the header from my reverse proxy. Due to it not recognizing that specific header some exclusions will not work, as both the source IP and proxied source ip in the IPS alerts are set to the IP of the reverse proxy itself.

If it would be possible to add additional headers like XFF for proxy source ip parsing that would solve the problem, if that's not possible, are there any other easy solution for exclusions to work properly by configuring checkpoint itself or does this require reconfiguration of the reverse proxy?

Labels
0 Kudos
1 Reply
Wolfgang
Authority
Authority
‎2022-05-16 12:07 PM

Setting the XFF header is the standard setting for a webproxy to set the original client IP. I think there is no way to change the analysed header, looking for another then XFF. If you can change your proxy to set standard XFF header this will be the way to go.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events