HTTP Header Length

TRLSecurity
2010-03-10, 12:03
Hi Everyone,

Does anyone know where the HTTP Header Length is set in a Checkpoint UTM-1?

I have a problem where our users cannot access a particular web page. The page does not display, and terminates with an HTTP 400 Bad Request. If I access this page via an independent internet connection (not through a Checkpoint firewall) then the connection is successful.

I contacted the support team for this web page and they informed me that their web site is sometimes not accessible when the HTTP Header Size is too small.

I found reference to HTTP Header Size in the following location:

IPS -> Web Intelligence -> HTTP Protocol Inspection -> HTTP Format Sizes -> Max Header Length Value (2100)

I notice however that this has the Protection Scope set to "Apply to selected web servers" and that there are no web servers listed in this list. I changed the setting to "5000" and saved the policy, but predictably, this did not work, so I set the value back to default "2100".

Does anyone know the correct location of this setting that affects all HTTP traffic?

Best Regards,
Steve

belvdr
2010-03-10, 12:51
If you check SmartView Tracker, it should detail which protection is causing this behavior.

TRLSecurity
2010-03-10, 13:02
Hi belvdr,

I forgot to mention, examining SmartView Tracker shows that the connection is successful, and no other tracker entries relate to the connection.

The web page is HA GDMS (http://www.hagdms.com), which tends to appear very slowly, but either the login or download pages available from that first page fail completely. I would be interested whether anyone else with a Checkpoint firewall also experiences the page failure.

An example of the tracker entry:

Number: 1674986
Date: 10Mar2010
Time: 16:56:23
Type: Log
Source Port: 1750
Rule: 13
NAT rule number: 16
NAT additional rule number: 0
XlateSrc: Checkpoint (ip deleted)
XlateSPort: 61821
Product: VPN-1 Power/UTM
Resource: http://83.245.79.98:80/index.cfm?fuseaction=login.login&CFID=420&CFTOKEN=11C7B038-A380-4313-B53D5F0D7686BAA7
Interface: daemon
Origin: Checkpoint
Action: Accept
Service: http (80)
Source: <name removed> (ip deleted)
Destination: mailer.hagdms.com (83.245.79.98)
Protocol: tcp
Policy Info: Policy Name: Standard
Created at: Wed Mar 10 16:09:46 2010
Installed from: Checkpoint

lammbo
2010-03-10, 13:17
It just took me a very long time to load that page. All of the content except your embedded gotomeeting (Register Now) button actually loaded very quickly, but it took a long time to load that button. You might want to look into it from that aspect.

Regarding the logs, are you SURE you're not seeing an accept log followed by a drop log from SD/IPS-1? I've had these issues before with intranet pages and I always saw 2 entries as I listed them above.

TRLSecurity
2010-03-10, 13:29
Thanks for trying that page for me. Did you also try the Login or Download page? What was the result of that?

I'm filtering the Tracker on a destination IP address of 83.245.79.98, which resolves to mailer.hagdms.com in the tracker listing. So unless anything is happening that is not to that IP as a destination, then I'm pretty sure there are no other entries.

Cheers,
Steve

lammbo
2010-03-10, 14:06
Check your logs for SRC 216.235.192.10 instead of filtering DST.

EDIT: This is an evil post (I just hit 666 total posts here) :P

belvdr
2010-03-10, 14:30
I loaded that site very quickly, maybe 1-2 seconds per page. I'm going through R70.20 here.

lammbo
2010-03-10, 14:55
Loaded quickly for me now also (wasn't cached)

ShadowPeak.com
2010-03-10, 15:31
If you are running R65 or earlier, please try this (even though it doesn't make any sense):

- Under HTTP Format Sizes signature, set "Apply to all web traffic"
- Enable Max Header Value Length (if not already enabled) and set it to a higher value like 8192
- Install policy to the firewall
- Restore all HTTP Format Sizes settings to what they were before: set "Apply to selected Web Servers" and restore Max Header Length to 2100
- Install policy to the firewall

Has worked for me in the past.

iku899
2010-03-10, 15:55
Hello Steve,
Try "Global Properties", SmartDashboard Customization, Configure, Firewall-1, Web security, Tuning, http_buffer_size. Try to raise the number (in my case I had to double it to 8192). Then send the policy.

Regards
Ivan
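
The check below is added to this archived thread and was not posted by anyone in it; it sizes an HTTP request's header block the way a fixed inspection buffer such as http_buffer_size would see it and reports which of the buffer values mentioned in the thread (2100, 4096, 8192) would hold it. The sample request is constructed, reusing the host and the CFID/CFTOKEN cookie names from the tracker entry above; it is not captured traffic and this is not Check Point code.

```python
# Added example for this thread (not Check Point code): size an HTTP request's
# header block against a fixed inspection buffer such as http_buffer_size.
CRLF = b"\r\n"
BUFFER_SIZES = (2100, 4096, 8192)  # default, dbrown3611's value, the value that worked


def header_block_size(raw: bytes) -> int:
    """Bytes from the start-line through the blank line that ends the headers."""
    end = raw.find(CRLF + CRLF)
    if end == -1:
        raise ValueError("header block is not terminated by CRLFCRLF")
    return end + 2 * len(CRLF)


def header_lines(raw: bytes) -> list:
    """(name, value, line_bytes) for each header line; the start-line is skipped."""
    block = raw[: header_block_size(raw) - 2 * len(CRLF)]
    result = []
    for line in block.split(CRLF)[1:]:
        name, _, value = line.partition(b":")
        result.append((name.strip().decode("latin-1"),
                       value.strip().decode("latin-1"), len(line) + len(CRLF)))
    return result


def check_against_buffer(raw: bytes, buffer_size: int) -> dict:
    """Does the header block fit, and which header line contributes most?"""
    size = header_block_size(raw)
    biggest = max(header_lines(raw), key=lambda h: h[2], default=("", "", 0))
    return {"header_bytes": size, "buffer_size": buffer_size,
            "fits": size <= buffer_size, "largest_header": biggest[0],
            "largest_header_bytes": biggest[2]}


def smallest_fitting_buffer(raw: bytes, candidates=BUFFER_SIZES):
    """Smallest candidate that holds the whole header block, or None."""
    size = header_block_size(raw)
    return next((c for c in sorted(candidates) if size <= c), None)


def build_sample_request(cookie_padding: int) -> bytes:
    """Constructed sample (not captured traffic): a GET with a padded Cookie header."""
    cookie = (b"CFID=420; CFTOKEN=11C7B038-A380-4313-B53D5F0D7686BAA7; "
              b"session=" + b"x" * cookie_padding)
    return (b"GET /index.cfm?fuseaction=login.login HTTP/1.1" + CRLF
            + b"Host: www.hagdms.com" + CRLF
            + b"User-Agent: sample-client/1.0" + CRLF
            + b"Cookie: " + cookie + CRLF + CRLF)


if __name__ == "__main__":
    for padding in (100, 5000, 9000):  # header blocks of 276, 5176 and 9176 bytes
        req = build_sample_request(padding)
        print(check_against_buffer(req, 2100), smallest_fitting_buffer(req))
```

A request whose Cookie line alone exceeds the default buffer is the case this thread describes: the gateway log shows an accepted connection while the client sees a 400.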

TRLSecurity
2010-03-11, 06:04
Hi Ivan,

Many thanks for letting me know where I set the HTTP Buffer Size. I changed this to 8192 and this problem web page now loads properly. Much appreciated!

Thanks to everyone else for their help too.

Cheers,
Steve

dbrown3611
2010-03-15, 16:39
UTM-2070 HA Cluster, NGX R65 HFA40

For several months I've had a nagging issue of a couple web sites not loading for some people. Notably cisco.com IOS download page and dell.premier.com. No useful info in tracker and packet captures obtained using fw monitor showed everything I expected to see.

My http_buffer_size was 4096, I tried increasing it to 8192 on Mar 11. Results thus far have been 100% successful.

Many thanks for the excellent suggestion.

l0wkey
2010-04-01, 16:15
For those of you not using UTM, it's a signature setting called HTTP Format Sizes under HTTP Protocol Inspection under IPS. Modify and push to gateways enforcing