This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
AngeloP
Participant
‎2022-05-16 06:02 AM

Threat Prevention Proxied Source IP parsing

Hi,

 

I'm wondering if it's possible to specify additional headers to be used by checkpoint in order to parse and retrieve the proxied source IP field in IPS alerts (other than XFF).

I have a reverse proxy which adds a different http header than X-Forwarded-For (called slightly differently), i suppose CheckPoint parses only the XFF header in order to get the proxied source IP and does not recognize the header from my reverse proxy. Due to it not recognizing that specific header some exclusions will not work, as both the source IP and proxied source ip in the IPS alerts are set to the IP of the reverse proxy itself.

If it would be possible to add additional headers like XFF for proxy source ip parsing that would solve the problem, if that's not possible, are there any other easy solution for exclusions to work properly by configuring checkpoint itself or does this require reconfiguration of the reverse proxy?

Labels
0 Kudos
1 Reply
Wolfgang
Mentor
Mentor
‎2022-05-16 12:07 PM

Setting the XFF header is the standard setting for a webproxy to set the original client IP. I think there is no way to change the analysed header, looking for another then XFF. If you can change your proxy to set standard XFF header this will be the way to go.

0 Kudos