AngeloP
Participant

Threat Prevention Proxied Source IP parsing

Hi,

 

I'm wondering if it's possible to specify additional headers to be used by Check Point in order to parse and retrieve the proxied source IP field in IPS alerts (other than XFF).

I have a reverse proxy which adds a different HTTP header than X-Forwarded-For (called slightly differently). I suppose Check Point parses only the XFF header in order to get the proxied source IP and does not recognize the header from my reverse proxy. Due to it not recognizing that specific header, some exclusions will not work, as both the source IP and proxied source IP in the IPS alerts are set to the IP of the reverse proxy itself.

If it were possible to add additional headers like XFF for proxy source IP parsing, that would solve the problem. If that's not possible, is there any other easy solution for exclusions to work properly by configuring Check Point itself, or does this require reconfiguration of the reverse proxy?

0 Kudos
1 Reply
Wolfgang
Mentor

Setting the XFF header is the standard setting for a web proxy to set the original client IP. I think there is no way to change the analysed header, looking for another than XFF. If you can change your proxy to set the standard XFF header, this will be the way to go.

0 Kudos