Security Gateway might drop traffic:
No. | IPS Protection / Feature | Behavior | General Description | Comments
1 | Non Compliant CIFS | Traffic is dropped without any log | In R77.10 and lower, the drop can occur if a CIFSv1 command is shorter than expected. This usually, but not always, indicates a malformed message, for example an 'SMB_WRITE' command that is only 3 bytes long. In versions lower than R77.10, drops can also occur with multiple concurrent DCE-RPC over CIFS sessions on the same connection. | Expected behavior: do not drop the traffic if the IPS blade is disabled; issue a log when traffic is dropped. Contact Check Point Support to get a Hotfix for this issue.
2 | SNMP, SNMP Enforcement | Traffic is dropped, and an IPS log is generated | Even when the IPS blade is disabled, SNMPv1 and SNMPv2 traffic is dropped and an IPS log is generated if the user has selected 'SNMP_V3' in the 'Protocol Type:' field of a service (right-click the service, select 'Edit...', click the 'Advanced...' button) and installed policy. | Expected behavior: the user should not be allowed to select an IPS Protocol Type for FireWall services. Planned to be fixed in future versions.
3 | HTTP Inspection | Connection is terminated, and an IPS log titled "General Notice" is issued | In versions lower than R77.10, various Software Blades can instruct the HTTP parser to hold the traffic on a specific connection. When the TCP timeout expires for the held connection, the log is always issued as an IPS log, even when the IPS blade is disabled. | Expected behavior: the Software Blade that called the HTTP parser should issue the log when necessary. The fix for this issue is included in R77.10. For versions lower than R77.10, contact Check Point Support to get a Hotfix for this issue.
4 | SCCP (Skinny) | Traffic is dropped, and an IPS log is generated | When the Security Gateway is configured to drop SCCP broadcast traffic, such drops are logged as IPS even when the IPS blade is disabled. | Expected behavior: a FireWall log should be issued if the IPS blade is disabled. Contact Check Point Support to get a Hotfix for this issue.
5 | SIP | Traffic is dropped, and an IPS log is generated | SmartView Tracker logs show that SIP packets are dropped by IPS: "Product: IPS Protocol: udp Attack: Malformed SIP datagram Attack Information: Invalid or no 'CSEQ' field" | Expected behavior: a FireWall log should be issued if the IPS blade is disabled. For more information, refer to sk57060. Contact Check Point Support to get a Hotfix for this issue.
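When reviewing logs on a gateway whose IPS blade is disabled, the practical question is whether an IPS-attributed drop is one of the documented cases above or something that needs further investigation. The following Python script is an added example (it is not part of this article or Check Point's tooling): it parses one-line SmartView Tracker records in the "Key: value" form of the SIP entry in row 5, flags records with "Product: IPS" that appear while the IPS blade is disabled, and maps the ones the table documents to their row. The sample log lines are constructed for the example; the field names beyond those shown in row 5, and the assumption that the "General Notice" title of row 3 lands in the "Attack" field, are mine.

```python
"""Triage one-line SmartView Tracker records for IPS-attributed logs that appear
while the IPS blade is disabled (added example; sample log lines are constructed)."""
import re
from typing import Callable, Dict, List, Optional, Tuple

# Field names as they appear in the SIP record in row 5, plus a few common ones
# assumed here for the constructed samples. Longer names come first so that
# "Attack Information" is not split into "Attack" + "Information:".
FIELDS = ["Attack Information", "Product", "Protocol", "Attack",
          "Action", "Service", "Source", "Destination"]
_FIELD_RE = re.compile(
    r"(?:^|\s)(" + "|".join(re.escape(f) for f in FIELDS) + r"):\s*")


def parse_tracker_line(line: str) -> Dict[str, str]:
    """Split 'Key: value Key: value ...' into a dict.

    Values may contain spaces, so each value runs from the end of its own
    'Key:' up to the start of the next recognised 'Key:'."""
    matches = list(_FIELD_RE.finditer(line))
    record: Dict[str, str] = {}
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(line)
        record[m.group(1)] = line[m.end():end].strip()
    return record


# Documented cases from the table above, matched on the fields the table gives.
# Assumption: the "General Notice" title of row 3 appears in the Attack field.
KNOWN_CASES: List[Tuple[Callable[[Dict[str, str]], bool], str]] = [
    (lambda r: r.get("Attack") == "Malformed SIP datagram",
     "row 5 (SIP): FireWall log expected; see sk57060 and contact Support for a hotfix"),
    (lambda r: r.get("Attack") == "General Notice",
     "row 3 (HTTP Inspection): TCP timeout on a held connection; fixed in R77.10"),
]

EXPECTED = "expected: IPS blade is enabled"
UNDOCUMENTED = "unexpected IPS log while IPS blade is disabled; not a case documented above"


def triage(line: str, ips_blade_enabled: bool) -> Optional[str]:
    """Return None for non-IPS records, otherwise a note explaining the IPS log."""
    rec = parse_tracker_line(line)
    if rec.get("Product") != "IPS":
        return None
    if ips_blade_enabled:
        return EXPECTED
    for matches_case, note in KNOWN_CASES:
        if matches_case(rec):
            return note
    return UNDOCUMENTED


def triage_all(lines: List[str], ips_blade_enabled: bool) -> List[Tuple[int, str]]:
    """Run triage over a log batch; returns (1-based line number, note) for IPS records."""
    out: List[Tuple[int, str]] = []
    for n, line in enumerate(lines, start=1):
        note = triage(line, ips_blade_enabled)
        if note is not None:
            out.append((n, note))
    return out


# Constructed sample batch: the first line is the SIP record quoted in row 5;
# the remaining lines are made up for this example.
SAMPLE_LOGS = [
    "Product: IPS Protocol: udp Attack: Malformed SIP datagram Attack Information: Invalid or no 'CSEQ' field",
    "Product: IPS Protocol: tcp Attack: General Notice Attack Information: TCP timeout on held connection",
    "Product: IPS Protocol: udp Attack: Example Signature Attack Information: constructed, undocumented case",
    "Product: FireWall Protocol: tcp Action: drop Service: 445",
]

if __name__ == "__main__":
    for n, note in triage_all(SAMPLE_LOGS, ips_blade_enabled=False):
        print(f"line {n}: {note}")
```

The parser deliberately matches only a fixed list of field names, because values such as "Malformed SIP datagram" themselves contain spaces and capitalised words; a generic "word-colon" split would break them. Anything with "Product: IPS" that matches no documented case is reported as undocumented rather than silently ignored, which is the outcome a defender wants to see.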
IPS protections with non-standard activation:
Most IPS protections can be configured to be Inactive, to run in Detect mode, or to run in Prevent mode.
Some IPS protections have to be configured differently and cannot be switched between activation modes in the regular way (each category is elaborated below):
- Protections with "Details" action only.
- Protections that should be manually set to run in "Detect" mode and cannot be set to run in "Inactive" mode.
- Protections that can be configured and set to run in the desired activation mode through the advanced protection dialog only.
The following table summarizes IPS protections with "Details" action only:
No. | IPS Protection | Might drop traffic? | Scenario
1 | SIP - General Settings | Yes | Configurable to block dynamic ports on different services, timeout, NAT, etc.
2 | H.323 - General Settings | Yes | Configurable to timeout, Dynamic Pinholing, Dynamic connection opening, etc.
3 | MGCP - General Settings | Yes | Allow / Disallow certain commands.
4 | SCCP - General Settings | Yes | Configurable to block dynamic port opening for media channels.
5 | Syslog Relay Server List | No | Controls behavior of other features, such as Malicious code protector for syslog.
6 | IP Fragments | Yes | Configurable to drop incomplete packets after N seconds.
7 | Fingerprint Scrambling - General Settings | No | Actively changes the packet according to configuration.
8 | Mail Global Protection Scope | No | Configures the scope of the protection.
9 | SMTP Content | Yes | Configurable maximum of allowed bad commands. Only for R65 and earlier.
10 | Mail and Recipient Content | No | Actively changes the packet according to configuration.
11 | FTP Security Server - General Settings | No | Configures the scope of the protection.
12 | Microsoft Networks - General Settings | Yes | Configurable strict correctness and scope of the protection. Only for R65 and earlier.
13 | Peer to Peer - Global Exclusion Settings | No | Controls behavior of other features. Only for R65 and earlier.
14 | Instant Messengers - Global Exclusion Settings | No | Controls behavior of other features. Only for R65 and earlier.
15 | MSN Messenger - General Settings | No | Controls behavior of other features. Only for R65 and earlier.
16 | DNS - General Settings | No | Controls behavior of other features.
17 | VoIP Denial of Service | Yes | Enable / Disable protection and configure the number of calls allowed per minute.
18 | H.323 | Yes | Drops H.323 calls that do not start with a 'SETUP' message.
19 | SIP Protections | Yes | Verifies SIP header content. Blocks non-compliant SIP traffic.
20 | SIP Custom Properties | Yes | Various configuration properties.
21 | SIP Filtering | Yes | Application filtering - Video / Audio instant messaging, etc.
22 | MGCP | Yes | Allow / Disallow commands.
23 | SCCP (Skinny) | Yes | Configurable parameters to drop/reject the traffic.
24 | HTTP Protocol - General Settings | No | Affects behavior of other legacy Web Intelligence protections.
25 | Gzip Enforcement | Yes | Configurable parameters.
The following list summarizes IPS protections that should be manually set to run in "Detect" mode and cannot be set to run in "Inactive" mode:
The following Security Gateway protections enforce essential sanity assumptions for protocol parsers.
By design, these protections continue to block traffic even if the IPS blade is disabled, as long as one of the Software Blades that require the parser is enabled, and these protections generate Firewall logs.
If you set the IPS profile to run in "Detect" mode, these protections remain in "Prevent" mode. You can manually set these protections to run in "Detect" mode.
Note: It is highly recommended to keep these protections in "Prevent" mode. Otherwise, data inspection by the Security Gateway might become insecure.
- Stream Inspection Timeout
- TCP Invalid Checksum
- TCP Invalid Retransmission
- TCP Out of Sequence
- TCP Segment Limit Enforcement
- TCP SYN Modified Retransmission
- TCP Urgent Data Enforcement
The following list summarizes IPS protections that can be configured and set to run in the desired activation mode through the advanced protection dialog only:
- Dynamic Ports
- Host Port Scan
- SNMP
- Sweep Scan
To change the settings of these protections, double-click on the protection to open the advanced configuration dialog.