Firewall-1

Re: [FW-1] HFA-05 on IPSO 3.8.1 issues - "http request too long"

Subject: Re: [FW-1] HFA-05 on IPSO 3.8.1 issues - "http request too long"
From: Wayne Clemit <Wayne_Clemit AT LINEONE DOT NET>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Fri, 22 Jul 2005 23:14:13 +0100

Hi,
Setting the HTTP format sizes to zero / disabling them had no effect for me,
but disabling the "worm capture" feature did assist a little (on the SmartDefense errors). However, as this issue seems to affect far too many sites & even internal services (over VPN),
I have had to revert back to HFA-04 once more.
(Plus I don't really want to run without "worm capture" &/or HTTP size checking!)

These were the three main / constant log type errors with HFA-05 installed.
Information: message_info: Illegal LF-CR combination in HTTP header (SmartDefense)

Information:  message_info: Line in HTTP request too long (Firewall-1)

Attack Name: Malformed HTTP
Information:   Attack Info: URL too long (SmartDefense)

With HFA-04, everything works as normal, and much faster too!!!

Wayne.


----- Original Message -----
From: "Thomas" <thomas AT DYNASAFE.COM DOT TW>
To: <FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM>
Sent: Thursday, July 21, 2005 12:47 AM
Subject: Re: [FW-1] HFA-05 on IPSO 3.8.1 issues - "http request too long"


Try to disable "worm capture". It should be a bug of the 3.81 HFA05.

Warrington Bruce - bwarri wrote:
Did you try completely disabling HTTP format sizes in Smart Defense
altogether (setting them to zero), and turning off all HTTP header /
response checking, just to prove if it's that part of Smart Defense
that's causing the issue or not?

-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of Wayne
Clemit
Sent: Wednesday, July 20, 2005 15:38
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: [FW-1] HFA-05 on IPSO 3.8.1 issues - "http request too long"

Hi,
Since applying HFA-05 to our Nokia platforms (Running IPSO 3.8.1
Build033 & NG-AI R55 for IPSO 3.8) we are experiencing lots of
"message_info: Line in HTTP request too long" errors in the event log.
(Note: I did actually upgrade IPSO from 3.8.1 Build028 just prior to the
HFA05 installation if that has any bearing)
Sample Log entry.
Number:       1384604
Date:             20Jul2005
Time:            19:44:36
Product:        VPN-1 & FireWall-1
Interface:      eth1c0
Origin:          gateway (x.x.x.x)
Type:            Log
Action:          Reject
Protocol:       tcp
Service:        http (80)
Source:         Host-PC (10.0.1.1)
Destination:  205.157.85.40
Source Port: 4440
Information:  message_info: Line in HTTP request too long

We also have numerous SPLAT boxes throughout the network (NG-AI R55 /
HFA-15) that do not have these issues (managed by the same Management
server (Windows 2000 SP4 / HFA-15)).

I have amended the SmartDefense settings - Application Intelligence -
web - http protocol inspection - http format size, settings and even the
"http_max_url_length" within the global properties, all to no avail.....

Any clues / workarounds greatly appreciated.

Cheers,
    Wayne.

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================


