Malformed HTTP

[Thiago Formagi]

Hello Guys,

I would like a help from you.

I have a CheckPoint R60 SecurePlatform and my problem is that when the users are doing a

request http for some site, and at this time the SmartDefense returns conection reject,

more details below:

Attack Name: Malformed HTTP
Attack Information: WSE0020001 illegal header format detected: Illegal start

line in request
Type: Log
Action: Reject
Service: http (80)
Source: wks_user (10.0.2.15)
Destination: proxy_server (192.168.10.254)
Protocol: tcp
Source Port: 1393

Does somebody have any idea?

Thank you!

[kva.kva]

Uncheck Web Intelligence > HTTP Protocol Inspection > Enforce strict HTTP request parsing

[Thiago Formagi]

kva.kva

Thank you for your reply.

I Uncheck Web Intelligence > HTTP Protocol Inspection > Enforce strict HTTP request parsing, but doesn't work :( .

The problem occurs when I access a site with https protocol.

Do you have any idea?

[kva.kva]

In cases like that i usually reset web intelligense settings to default and then uncheck reject rule. Try, may be it will be helpful.

[Thiago Formagi]

kva.kva

The IP 192.168.10.254 is a proxy server and it is at network 192.168.10.0/24.

Then the machines the network 10.0.2.0/24 are using the same proxy server the network 192.168.10.0/24.

Why the network 10.0.2.0/24 doesn't work and the network 192.168.10.0/24 work?

How could I do this procedure of reset web intelligense settings to default?

Thank You.

[kva.kva]

Quote:

The IP 192.168.10.254 is a proxy server and it is at network 192.168.10.0/24.

Then the machines the network 10.0.2.0/24 are using the same proxy server the network 192.168.10.0/24.

Why the network 10.0.2.0/24 doesn't work and the network 192.168.10.0/24 work?

Because client from 10.0.2.0 goes through CP to proxy, but clients from 192.168.10.0 lies in one net with proxy (access to proxy not through CP).

What version CP do you use? In NGX select Web Intelligence > Central Configuration > Reset SmartDefence and Web Intelligence to the default configuration.

[Thiago Formagi]

Quote:

What version CP do you use?

I'm using a CheckPoint NGX R60 product.

If I do this, what could be the problems?

My VPNs will go down?

Thank You!

[david]

Quote:

Originally Posted by Thiago Formagi

kva.kva

Thank you for your reply.

I Uncheck Web Intelligence > HTTP Protocol Inspection > Enforce strict HTTP request parsing, but doesn't work :( .

The problem occurs when I access a site with https protocol.

Do you have any idea?

Did you re-install your policy after unchecking?

[pexerox]

Quote:

Originally Posted by kva.kva

What version CP do you use? In NGX select Web Intelligence > Central Configuration > Reset SmartDefence and Web Intelligence to the default configuration.

hi sorry about my intromission
but, i need backup the policies? Or this procedure cause no problems like erase the policies?

tnx

[Thiago Formagi]

Quote:

Originally Posted by david

Did you re-install your policy after unchecking?

I didn't apply the changes after uncheck yet, because i don't know if it will go down my sites VPN and services of Internet.

thank you!

Thiago

[hi_there]

Quote:

Originally Posted by kva.kva

Uncheck Web Intelligence > HTTP Protocol Inspection > Enforce strict HTTP request parsing

I am having the same error too... so by doing what u said will resolve this problem? The other what is the impact if leave uncheck?

By the way what does "enforce strict HTTP request parsing" means

Thanks

[hi_there]

Quote:

Originally Posted by kva.kva

Uncheck Web Intelligence > HTTP Protocol Inspection > Enforce strict HTTP request parsing

Did just that and now the HTTP traffic are going thru

[ericsj]

I have read all three posts on this error (WSE0020001), but I still don't have a solution that works. Enforce Strict HTTP parsing has never been checked. I unchecked "Use Early Version Configuration", but that did not help either.

GoToAssist does work from a select few workstations inside our school district here. On the rest, the failure occurs at the attempt to share the screen (chat window works fine). I understand this to be an error in the Citrix code, and don't want to entirely disable SmartDefense or Web Intelligence just to get around this problem.

Has anyone opened a support case with Checkpoint over this? If so, what was the end result?

Thanks,
Eric

[Coronabeer]

This is so true. GotoAssist and GotoMeeting will only work if you disable Smart Defense and Webdefense. If you go back to its default settings and make sure that GoToMyPc is not blocked it will only work on a selected number of PC's.

The checkpoint forum has nothing on this and so far this is the only forum I have found this on.

Coronabeer

[ericsj]

Thanks, Coronabeer. It's good to know we're not alone in this issue.

I did try resetting SmartDefense and Web Intelligence to defaults, with no success. There are some computers that work consistently, but the vast majority tested do not work. There seems to be no correlation to the Java version on the client workstation.

It certainly would be nice to have an exclusion list, or even a way to disable Malformed HTTP checking. I understand that the problem might be with the Citrix Code, and that ignoring the malformation of the HTTP header might not be a security best practice, but with every other protection there is the ability to disable it. Why not with Malformed HTTP?

Coronabeer, have you spoken to Checkpoint about this yet?

[Coronabeer]

No, I was going to call but from a troubleshooting perspective it seems to be a Gotomypc aka Citrix (Gotoassist and Gotomeeting) issue. I called Gotoassist technical support and they told me that they have been blacklisted by checkpoint. Why? I dont know. They have been working with checkpoint on a permanent solution for this but have yet to come up with any thing.

I think we should see a patch pretty soon.

Other solutions for remote assistance would be the Windows Remote Assistance that comes with Windows XP or Webex.

[bobmarvin]

I have found the solution to this problem (for Windows SmartCenter):

Modify the file: $FWDIR/lib/asm.def


1. Prepare a list of IPs for which you want to bypass WebIntelligence.


2. Backup $FWDIR/lib/asm.def on the SmartCenter.


3. Edit asm.def on the SmartCenter:


*a. Add the following line in the file (This list will represents the problematic IPs.):

Individual IPs

IPList = {<IP1>,<IP2>,<IP3>};

or, ranges of IPs:

List = {<IP_start,IP_end>,<IP_start,IP2_end>};


For example:

List={<1.1.1.1,1.1.1.5>, <2.2.2.2,2.2.3.3>};


b. Find the following line:

#define ACTIVATE_WS_GLOBAL_DEFENSE (tcp, dport in http_services,ADD_INSPECTION(SPII_WEBSEC_ID)) or 1


change it to read as follows:

#define ACTIVATE_WS_GLOBAL_DEFENSE (src not in IPList,dst not in IPList,tcp, dport in http_services,ADD_INSPECTION(SPII_WEBSEC_ID)) or 1


c. Find the following line:

#define ACTIVATE_WS_SERVER_DEFENSE ( tcp, get <dst, dport> from web_server_rules to sr10, ADD_INSPECTION_WITH_PARAMS(SPII_WEBSEC_ID, sr10)) or ACTIVATE_WS_GLOBAL_DEFENSE


change to read as follows:

#define ACTIVATE_WS_SERVER_DEFENSE ( src not in IPList,dst not in IPList,tcp, get <dst, dport> from web_server_rules to sr10, ADD_INSPECTION_WITH_PARAMS(SPII_WEBSEC_ID, sr10)) or ACTIVATE_WS_GLOBAL_DEFENSE


4. Install the policy on the module(s) to activate the changes.

[Coronabeer]

Cool Stuff bob.

Here is the bypass solution I was able to come up with.

1.Disable GotoMypc on Smart Defense and on Webintelligence.

2.Then also disable your peer to peer and Instant Messangers on your Smart Defense. ( I know someone of you don't like this part).

The reason that step 1 will only work for a while or with a couple of users is that the Gotmypc engine uses something similar to the peer to peer and instant messaging, So if you have the peer to peer and instant messaging blocked, it will think that Gotomypc (Gotoassist and gotomeeting) is a Peer to Peer/IM and will tag it with a malformed http packet.

Try it.


I hope this makes sense.

[rrockwell]

We are also experiencing this problem. Has there been any update from Checkpoint on this issue or are we still left with disabling all peer to peer in SmartDefense?

[distorto_666]

We had this issue and were able to figure it out - though a half hour into the meeting...

As noted earlier - the gotomeeting client tries a few ways to connect, first via GoToMyPC ports, then tunneling through an https connection.

We were able to successfully circumvent it by:
1. Ensuring your security policy allows outgoing connections via the GoToMyPC port (tcp 8200)
2. Possibly disabling the Block GoToMyPC entry in SmartDefense - though oddly enough we didn't have to do this.
3. Uninstall the gotomeeting plugin on the client and have them visit gotomeeting again to reinstall. It's listed in 'add/remove programs'.

I assume this 'resets' gotomeeting to reconnect via the gotomypc port instead of trying to tunnel via https which seems to be a real pain to resolve.