CPUG: The Check Point User Group

Thread: Non HTTP Traffic over HTTP port: Invalid character

  1. #1 dbrown3611 (Great Plains - USA; joined 2007-10-31; 146 posts)

    Non HTTP Traffic over HTTP port: Invalid character

    - Smart-1 225 SMS
    - Two 5800 Active/Standby clusters
    - All running R77.30 Build 092 with Jumbo HFA 286

    In early August we enabled the IPS protection for Non HTTP Traffic over HTTP port and immediately started seeing traffic being blocked to our web servers in the DMZ. Being unable to determine why so much incoming traffic was caught by this protection, we set it to "Detect" and opened a support ticket with our 3rd party support provider. They were unable to determine if this was a legitimate block or a false positive. They escalated to Check Point on August 11. All requests for information have been met in a timely manner.

    It is now two months on and no determination has been provided. I have twice asked for escalation within Check Point support. I have engaged my regional Check Point Account Rep and Security Engineer. None of this has led to anything beyond updates stating "we are still looking at the problem". This leaves my management asking if we are receiving good value for the annual fees we pay to use Check Point products. I continue to answer in the affirmative.

    The point of this post is to see if others in the community have seen similar behavior with inspections for "Non HTTP Traffic over HTTP port", and if so, whether they are false positives. More so, to ask: how does one get a determination out of Check Point support when the methods used above are ineffective?

    Kind regards,
    dbrown

  2. #2 ShadowPeak.com (Colorado, USA; joined 2009-04-30; 2,084 posts)

    Re: Non HTTP Traffic over HTTP port: Invalid character

    Quote Originally Posted by dbrown3611 (post #1 above, quoted in full)
    Were you able to check "Capture Packets" on the "HTTP on Non Standard Ports" signature and get a capture of the packet containing the offending character(s)? Do you know what actual illegal character(s) are tripping the signature?

    Is there any indication in the error message as to whether the invalid character is in the URL, request header, or response header? That might provide some valuable insight. I'm thinking the "ASCII Only Request" and "ASCII Only Response Headers" Protections might be related as well.

    Also check out sk117392 if you haven't already.
    Last edited by ShadowPeak.com; 2017-10-16 at 19:55.
    --
    My book "Max Power: Check Point Firewall Performance Optimization"
    now available via http://maxpowerfirewalls.com.

  3. #3 dbrown3611 (Great Plains - USA; joined 2007-10-31; 146 posts)

    Re: Non HTTP Traffic over HTTP port: Invalid character

    Quote Originally Posted by ShadowPeak.com (post #2 above, quoted in full)
    Thank you for the response.

    - Packet captures have been taken, but the invalid characters have not been identified. It would seem this is the key to a solution.
    - We have ASCII Only Request enabled; this was disabled on one cluster for testing, with no effect on preventing the IPS protection from triggering.
    - sk117392: early on when troubleshooting with the 3rd party support provider, strict parsing was set to "0", again with no effect on preventing the IPS protection from triggering, so it was returned to "1".
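Post #2 asks which character trips the signature and whether it sits in the URL, a request header or a response header, and post #3 reports that the captures were taken but the byte was never found. The script below is an added example written for this thread, not Check Point code and not anything produced in the support case: given one request or response head as captured on the wire, it lists every byte that falls outside what RFC 7230 allows in that position (tchar for the method and header names, visible ASCII for the request-target, VCHAR/SP/HTAB for field values, with bytes 0x80 and above reported separately since "ASCII Only Request" style checks reject them even though RFC 7230 tolerates them as obs-text), and it also calls out payloads that are not HTTP at all, which is what a "non HTTP traffic over HTTP port" signature is nominally for. The assumption that the IPS enforces at least these character classes is mine, and the sample messages are constructed.

```python
"""Pinpoint the bytes in an HTTP message head that a strict HTTP parser
would reject. Added example, not Check Point code; character classes
follow RFC 7230, and which of them a given IPS signature enforces is an
assumption (it may be stricter)."""
import re
from typing import Callable, Dict, List, Union

Finding = Dict[str, Union[str, int]]

# RFC 7230 tchar: the only bytes allowed in a method or header field name.
TCHAR = frozenset(b"!#$%&'*+-.^_`|~0123456789"
                  b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz")
REQUEST_LINE = re.compile(rb"^(\S+) (.+) (HTTP/\d\.\d)$", re.DOTALL)
STATUS_LINE = re.compile(rb"^HTTP/\d\.\d \d{3}(?: (.*))?$", re.DOTALL)


def is_token(b: int) -> bool:      # method, header field name
    return b in TCHAR


def is_target(b: int) -> bool:     # request-target: visible ASCII only
    return 0x21 <= b <= 0x7E


def is_value(b: int) -> bool:      # field value, reason phrase: VCHAR / SP / HTAB
    return b in (0x09, 0x20) or 0x21 <= b <= 0x7E


def _reason(b: int) -> str:
    if b >= 0x80:
        return "non-ASCII byte (RFC 7230 obs-text; rejected by ASCII-only checks)"
    if b < 0x20 or b == 0x7F:
        return "control character"
    return "byte not permitted in this position"


def _scan(part: str, line_no: int, data: bytes,
          allowed: Callable[[int], bool]) -> List[Finding]:
    return [{"part": part, "line": line_no, "offset": off,
             "byte": f"0x{b:02x}", "reason": _reason(b)}
            for off, b in enumerate(data) if not allowed(b)]


def find_invalid_chars(raw: bytes) -> List[Finding]:
    """Check one request or response head as captured on the wire (up to the
    blank line). Returns one finding per offending byte with the part it sits
    in (method, request-target, header-name, header-value, ...) and the
    1-based line, so the packet capture can be read straight to that byte."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")     # a bare CR or LF survives the split and is flagged
    start = lines[0]
    findings: List[Finding] = []

    req, resp = REQUEST_LINE.match(start), STATUS_LINE.match(start)
    if req:
        method, target, _version = req.groups()
        findings += _scan("method", 1, method, is_token)
        findings += _scan("request-target", 1, target, is_target)
    elif resp:
        findings += _scan("reason-phrase", 1, resp.group(1) or b"", is_value)
    else:
        # Not HTTP at all: the nominal trigger for a "non-HTTP traffic on the
        # HTTP port" signature. 0x16 0x03 is a TLS handshake record header.
        hint = " (first bytes look like a TLS record)" if start[:2] == b"\x16\x03" else ""
        return [{"part": "start-line", "line": 1, "offset": 0,
                 "byte": f"0x{start[0]:02x}" if start else "",
                 "reason": "not an HTTP request-line or status-line" + hint}]

    for n, line in enumerate(lines[1:], start=2):
        if not line:                # trailing CRLF with no blank line yet
            continue
        name, sep, value = line.partition(b":")
        if not sep:
            findings.append({"part": "header", "line": n, "offset": 0,
                             "byte": f"0x{line[0]:02x}",
                             "reason": "header line without ':' separator"})
            continue
        findings += _scan("header-name", n, name, is_token)
        findings += _scan("header-value", n, value, is_value)
    return findings


# Constructed samples, not captured traffic.
SAMPLES = {
    "clean request": (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
                      b"User-Agent: curl/7.64.1\r\n\r\n"),
    "latin-1 in URL and header": (b"GET /search?q=caf\xe9 HTTP/1.1\r\n"
                                  b"Host: www.example.com\r\nX-Note: na\xefve\r\n\r\n"),
    "NUL in URL, space in header name": (b"GET /a\x00b HTTP/1.1\r\n"
                                         b"Host: www.example.com\r\nBad Name: 1\r\n\r\n"),
    "TLS ClientHello on port 80": b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03",
    "response with non-ASCII Server": (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                                       b"Server: Caf\xe9\r\n\r\n<html>"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"== {label}")
        for f in find_invalid_chars(raw):
            print(f"  line {f['line']} {f['part']} +{f['offset']} {f['byte']}: {f['reason']}")
```

Feed it the TCP payload of each flow from the capture (for example, exported with "Follow TCP Stream" as raw bytes) rather than whole packets; with a prevent action the server side will often be absent, so check the client request first. A request that comes back clean here but still trips the signature points away from the characters and toward the signature's other checks (method list, version string, or the protection reading a response that never completed).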
