| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
| |||
| Hello, I have a problem enabling Web-Intelligence. When enabled, this feature will block legal HTTPS (port 443) traffic to my webmail server. Here is the log: Attack Name: Malformed HTTP Information: reason: ^V^C Attack Information: WSE0020001 illegal header format detected: Illegal start line in request Any idea on how to use the Web Intelligence without blocking this traffic? (Checkpoint NGX R60 on Windows) Thanks, Bob. |
| |||
| https://secureknowledge.checkpoint.c....do?id=sk26440 Clear the box "Enforce strict HTTP request parsing". |
| |||
| Unchecked all the HTTP protocol inspection options. The traffic is still blocked/monitor-only. The log changes to: Action: Monitor Only Service: https (443) Rule: 14 Attack Name: Malformed HTTP Information: service_id: https Attack Information: Error parsing HTTP sub-header Rule UID: {E2054E15-E0FF-4561-906D-9063624CF854} Rule 14 is: any --> webmailserver https Accept Why does the FW complain "Malformed HTTP" when using HTTPS? There should be a way to configure some "exception" in the WebIntelligence engine, so I can insert the "legal" content and not have it blocked. Last edited by bobgandalf; 2006-06-09 at 02:12. |
| |||
| The only way I've found you can work around this problem is by changing the service specific protocol type used (squidntlm,etc) to NONE. Web Intelligence checks have no impact. Regards, Ryan Huggins |
| |||
| Does anyone have any other information on this? I am running into this with my http traffic. I don't want to change my http object to match 'None' in the traffic type, due to the potential impact. |
| |||
| Uncheck in "Web Intelligence"-Tab -> HTTP Protocol Inspection -> "Ascii Only Request" and "Ascii only response header". Caution: You really need to "uncheck". Monitoring only does not help. |
| |||
| I found this thread whilst trying to fix a problem where desktops couldn't see the remote proxy over tcp-8080. Despite verifying that my "http-proxy-tcp8080" service didn't have the "http" protocol ticked, the firewall was still inspecting the protocol and killing access to https websites with a bad header log. I had to change the global Web Intelligence properties so as to disable "ASCII Only Request" and "ASCII Only Response Headers", and then it worked! sigh. __________________ Linux fanboy: SuSE10.x on x86, Cacko1.23 on Zaurus SL-C3100, OZ on SL-6000L. |
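Added example, not part of the original thread and not Check Point code: a small log-triage helper that decodes the `reason: ^V^C` field from the first post's log and checks whether those bytes look like the start of a TLS record rather than an HTTP request line. It assumes the `reason:` field prints the rejected leading bytes in caret notation; the function names are hypothetical.

```python
import re

# TLS record content types (first byte of a record); the second byte is the
# protocol major version, 0x03 for SSL 3.0 and every TLS version.
TLS_CONTENT_TYPES = {0x14: "change_cipher_spec", 0x15: "alert",
                     0x16: "handshake", 0x17: "application_data"}
HTTP_METHODS = (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE",
                b"OPTIONS", b"TRACE", b"CONNECT")

# Log text copied from the first post in this thread.
SAMPLE_LOG = ("Attack Name: Malformed HTTP Information: reason: ^V^C "
              "Attack Information: WSE0020001 illegal header format detected: "
              "Illegal start line in request")


def decode_caret(text):
    """Convert caret notation (^V -> 0x16, ^? -> 0x7f) back to raw bytes."""
    out = bytearray()
    i = 0
    while i < len(text):
        nxt = text[i + 1] if i + 1 < len(text) else ""
        if text[i] == "^" and nxt and (nxt == "?" or "@" <= nxt <= "_"):
            out.append(ord(nxt) ^ 0x40)
            i += 2
        else:
            out += text[i].encode("latin-1", "replace")
            i += 1
    return bytes(out)


def classify_start(data):
    """Say what kind of stream begins with these bytes."""
    if len(data) >= 2 and data[0] in TLS_CONTENT_TYPES and data[1] == 0x03:
        return "tls-record:" + TLS_CONTENT_TYPES[data[0]]
    if data.split(b" ", 1)[0] in HTTP_METHODS:
        return "http-request-line"
    return "unknown"


def triage(log_line):
    """Assumption: the 'reason:' field holds the leading bytes the HTTP parser rejected."""
    m = re.search(r"reason:\s*(\S+)", log_line)
    if m is None:
        return None
    raw = decode_caret(m.group(1))
    return raw, classify_start(raw)


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A `tls-record` result on a "Malformed HTTP" entry indicates the HTTP inspection was handed encrypted session bytes, which helps separate this kind of false positive from a genuinely malformed clear-text request when reviewing logs.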