CPUG: The Check Point User Group

Thread: Non HTTP Traffic over HTTP port: Invalid character

  1. #1, posted by dbrown3611 (Great Plains - USA; member since 2007-10-31; 146 posts)

    Non HTTP Traffic over HTTP port: Invalid character

    - Smart-1 225 SMS
    - Two 5800 Active/Standby clusters
    - All running R77.30 Build 092 with Jumbo HFA 286

    In early August we enabled the IPS protection for Non HTTP Traffic over HTTP port and immediately started seeing traffic being blocked to our web servers in the DMZ. Being unable to determine why so much incoming traffic was caught by this protection, we set it to "Detect" and opened a support ticket with our 3rd party support provider. They were unable to determine if this was a legitimate block or a false positive. They escalated to Check Point on August 11. All requests for information have been met in a timely manner.

    It is now two months on and no determination has been provided. I have twice asked for escalation within Check Point support. I have engaged my regional Check Point Account Rep and Security Engineer. None of this has led to anything beyond updates stating "we are still looking at the problem". This leaves my management asking if we are receiving good value for the annual fees we pay to use Check Point products. I continue to answer in the affirmative.

    The point of this post is to see if others in the community have seen similar behavior with inspections for "Non HTTP Traffic over HTTP port", and if so, whether they are false positives. More so to ask, how does one get a determination out of Check Point support when the methods used above are ineffective?

    Kind regards,
    dbrown

  2. #2, posted by ShadowPeak.com (Colorado, USA; member since 2009-04-30; 2,088 posts)

    Re: Non HTTP Traffic over HTTP port: Invalid character

    (Quoting dbrown3611's post #1 above in full.)

    Were you able to check "Capture Packets" on the "HTTP on Non Standard Ports" signature and get a capture of the packet containing the offending character(s)? Do you know what actual illegal character(s) are tripping the signature?

    Is there any indication in the error message as to whether the invalid character is in the URL, request header, or response header? That might provide some valuable insight. I'm thinking the "ASCII Only Request" and "ASCII Only Response Headers" Protections might be related as well.

    Also check out sk117392 if you haven't already.
    Last edited by ShadowPeak.com; 2017-10-16 at 19:55.
    --
    My Book "Max Power: Check Point Firewall Performance Optimization"
    Second Edition Coming Soon

  3. #3, posted by dbrown3611 (Great Plains - USA; member since 2007-10-31; 146 posts)

    Re: Non HTTP Traffic over HTTP port: Invalid character

    (Quoting ShadowPeak.com's post #2 above in full.)

    Thank you for the response.

    - Packet captures have been taken, but the invalid characters have not been identified. It would seem this is the key to a solution.
    - We have ASCII Only Request enabled. This was disabled on one cluster for testing, with no effect on preventing the IPS protection from triggering.
    - SK117392: early on, when troubleshooting with the 3rd party support provider, strict parsing was set to "0", again with no effect on preventing the IPS protection from triggering, so it was returned to "1".
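The sticking point in posts #2 and #3 is that packet captures exist but nobody has located the offending byte, or even established whether it sits in the request line, a header name or a header value. The script below is an added example, not code from the thread or from Check Point: given the raw bytes of one HTTP message (for instance exported from a capture with Wireshark's "Follow TCP Stream" as raw), it first checks whether the start line looks like HTTP at all, then reports every byte outside printable ASCII in the start line and in each header line, with its offset and the line it came from. The sample request is constructed for the example; the tolerance of HTAB inside header lines and the strict 0x20-0x7E range elsewhere are the example's own choices, modelled on the "ASCII Only" protections mentioned above, not a statement of how the Check Point parser classifies bytes.

```python
import re
from dataclasses import dataclass

# Constructed sample request: the query string carries UTF-8 "é" (0xC3 0xA9)
# and the User-Agent value carries a stray Windows-1252 en dash (0x96).
# The X-Tab header uses a horizontal tab, which is legal in a field value.
SAMPLE_REQUEST = (
    b"GET /index.html?q=caf\xc3\xa9 HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: Test\x96Agent/1.0\r\n"
    b"X-Tab:\tvalue\r\n"
    b"\r\n"
)

# Request line: METHOD SP target SP HTTP/x.y ; status line: HTTP/x.y SP 3 digits
_REQUEST_LINE = re.compile(rb"^[A-Z]{3,10} \S+ HTTP/\d\.\d\r?\n")
_STATUS_LINE = re.compile(rb"^HTTP/\d\.\d \d{3}[ \r\n]")


@dataclass
class Finding:
    section: str   # "request-line", "status-line" or "header"
    line: bytes    # the full line the byte was found in
    offset: int    # 0-based offset of the byte within that line
    byte: int      # the offending byte value


def looks_like_http(raw: bytes) -> bool:
    """True if the first line parses as an HTTP request or status line."""
    return bool(_REQUEST_LINE.match(raw) or _STATUS_LINE.match(raw))


def _is_allowed(b: int, allow_tab: bool) -> bool:
    # Printable ASCII only; HTAB tolerated where the caller says so.
    if 0x20 <= b <= 0x7E:
        return True
    return allow_tab and b == 0x09


def scan_http_message(raw: bytes) -> list[Finding]:
    """Return every non-printable-ASCII byte in the start line and headers."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        head = raw  # no blank line seen: treat everything as head
    lines = head.split(b"\r\n")
    if not lines or not lines[0]:
        return []
    findings: list[Finding] = []
    first = lines[0]
    section = "status-line" if first.startswith(b"HTTP/") else "request-line"
    for off, b in enumerate(first):
        if not _is_allowed(b, allow_tab=False):
            findings.append(Finding(section, first, off, b))
    for line in lines[1:]:
        for off, b in enumerate(line):
            if not _is_allowed(b, allow_tab=True):
                findings.append(Finding("header", line, off, b))
    return findings


def describe(findings: list[Finding]) -> list[str]:
    """Human-readable report lines, one per finding."""
    return [
        f"{f.section} offset {f.offset}: byte 0x{f.byte:02X} in {f.line!r}"
        for f in findings
    ]


if __name__ == "__main__":
    print("looks like HTTP:", looks_like_http(SAMPLE_REQUEST))
    for report_line in describe(scan_http_message(SAMPLE_REQUEST)):
        print(report_line)
```

Run it against each stream that produced a "Detect" log entry; if `looks_like_http` is false, the traffic on port 80 genuinely is not HTTP and the protection is doing its job, while a short list of findings in the header section points at a specific client or application sending 8-bit bytes that the protection treats as non-HTTP.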
