We all know that SmartDefense (SD) is a nightmare to troubleshoot: it is rarely obvious which protection dropped a connection.
To disable SD HTTP inspection for a given set of hosts there are two steps:
1/ Remove the HTTP protocol handler from your HTTP service object (Object Properties -> Advanced -> Protocol Type should be NONE).
2/ Step 1 alone won't turn off all SD inspection! SD will often continue to inspect and drop the traffic anyway, because the Web security protections in asm.def match on the destination port (`dport in http_services`), not on the service object's protocol handler.
Connect to your CMA/SmartCenter server, go to $FWDIR/lib and edit asm.def so that it looks like the listing below. The customization is the `IPList` set and the `src not in IPList, dst not in IPList` conditions in the two Web security macros; everything else is the stock Check Point file. Keep a backup of the original: upgrades and hotfixes may overwrite asm.def, and the change affects every gateway whose policy is compiled from this management. Be aware that hosts in IPList lose all Web security (Web Intelligence) protections, not just the noisy one, so keep the list as short as possible.
##########################################################
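/*
 * Local customization, not part of the stock Check Point asm.def:
 * hosts in IPList are excluded from the Web security (Web Intelligence,
 * SPII_WEBSEC_ID) inspection performed by ACTIVATE_WS_GLOBAL_DEFENSE and
 * ACTIVATE_WS_SERVER_DEFENSE below. Replace X.X.X.X,Y.Y.Y.Y with the real
 * addresses. Any connection whose src OR dst is in this set receives no
 * Web security protections at all, so keep the list minimal, document why
 * each host is on it, and review it regularly. Upgrades and hotfixes may
 * replace this file; keep a copy of the change and re-verify it afterwards.
 * NOTE(review): the set is declared outside the __asm_def__ include guard,
 * so it is processed again if asm.def is ever included twice -- consider
 * moving it below "#define __asm_def__" (confirm the INSPECT compiler's
 * behaviour on repeated set definitions before changing it).
 */
IPList = {X.X.X.X,Y.Y.Y.Y};
#ifndef __asm_def__
#define __asm_def__
//
// (c) Copyright 1993-2004 Check Point Software Technologies Ltd.
// All rights reserved.
//
// This is proprietary information of Check Point Software Technologies
// Ltd., which is provided for informational purposes only and for use
// solely in conjunction with the authorized use of Check Point Software
// Technologies Ltd. products. The viewing and use of this information is
// subject, to the extent appropriate, to the terms and conditions of the
// license agreement that authorizes the use of the relevant product.
//
// $RCSfile: asm.def,v $ $Revision: 1.1.4.1.122.1 $ $Date: 2005/07/12 14:06:16 $
/*CIFS Worm Catcher */
/* Stock definition, unchanged: IPList is NOT applied here. */
#ifdef ASM_CIFS_WORM_CATCHER
#define CHECK_ASM_CIFS_WORMS
(
dport in cifs_services, tcp,
is_version_at_least(FP4_VER),
(call KFUNC_CIFS_INIT <0, 0, 0, 0, 0, 0> or drop)
) or 1
#else
#define CHECK_ASM_CIFS_WORMS 1
#endif
#define ACTIVATE_CPAS_NOTIFY
((is_version_at_least(NGXENF_VER),call KFUNC_IS_NOTIFY<>), ADD_INSPECTION(SPII_CPAS_NOTIFY_ID))
or 1
/*POP3 server protection*/
/* In case of content inspection we skip the FW to Server connection */
/* Stock definition, unchanged: IPList is NOT applied here. */
#ifdef POP3_SERVER_PROTECTION_DEFINED
#define ACTIVATE_POP3_SERVER_DEFENSE
(
tcp,
get <dst, dport> from pop3_server_rules to sr1,
sr1,
ADD_INSPECTION_WITH_PARAMS(SPII_POP3_ID, sr1)
) or 1
#else
#define ACTIVATE_POP3_SERVER_DEFENSE 1
#endif
/*IMAP server protection*/
/* Stock definition, unchanged: IPList is NOT applied here.
   NOTE(review): this macro registers SPII_POP3_ID, the same inspection id
   as the POP3 macro above. It is the vendor file as shipped and is left
   as-is; confirm with Check Point before treating it as a bug. */
#ifdef IMAP_SERVER_PROTECTION_DEFINED
#define ACTIVATE_IMAP_SERVER_DEFENSE
(
tcp,
get <dst, dport> from imap_server_rules to sr1,
sr1,
ADD_INSPECTION_WITH_PARAMS(SPII_POP3_ID, sr1)
) or 1
#else
#define ACTIVATE_IMAP_SERVER_DEFENSE 1
#endif
/* Both mail server defenses are evaluated together; the trailing "or 1"
   means this never blocks on its own. */
#define ACTIVATE_MAIL_SERVER_DEFENSE (ACTIVATE_POP3_SERVER_DEFENSE,ACTIVATE_IMAP_SERVER_DEFENSE) or 1
/*Web security global features*/
/* CUSTOMIZED: the leading "src not in IPList,dst not in IPList," terms
   make the conjunction fail for excluded hosts, so the trailing "or 1"
   passes the connection without ADD_INSPECTION(SPII_WEBSEC_ID). Matching
   is on the destination port (dport in http_services), not on the service
   object's protocol handler, which is why removing the HTTP handler alone
   does not stop these protections. */
#ifdef WS_GLOBAL_FEATURES_DEFINED
#define ACTIVATE_WS_GLOBAL_DEFENSE
(
src not in IPList,dst not in IPList,tcp, dport in http_services,
((is_version_at_least(NGXENF_VER),call KFUNC_IS_NOTIFY<>) or ADD_INSPECTION(SPII_WEBSEC_ID))
) or 1
#else
#define ACTIVATE_WS_GLOBAL_DEFENSE (1)
#endif
/*Web security server protection*/
/* CUSTOMIZED in the same way: excluded hosts skip the web_server_rules
   lookup and inspection. When the conjunction fails the macro falls
   through to ACTIVATE_WS_GLOBAL_DEFENSE, which also honours IPList. */
#ifdef WS_SERVER_PROTECTION_DEFINED
#define ACTIVATE_WS_SERVER_DEFENSE
(
src not in IPList,dst not in IPList,tcp, get <dst, dport> from web_server_rules to sr10,
((is_version_at_least(NGXENF_VER),call KFUNC_IS_NOTIFY<>) or ADD_INSPECTION_WITH_PARAMS(SPII_WEBSEC_ID, sr10))
) or ACTIVATE_WS_GLOBAL_DEFENSE
#else
#define ACTIVATE_WS_SERVER_DEFENSE ACTIVATE_WS_GLOBAL_DEFENSE
#endif
/*P2P blocking*/
/* Straight ASCII quotes are required here; the curly quotes produced by
   the blog rendering would make the include fail to resolve. */
#include "p2p_block.def"
#endif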
##########################################################
On-the-fly change on the gateway (takes effect immediately, no reboot required, but it does not survive a reboot):
# Set the fw kernel parameter fwtcpstr_max_window (presumably the TCP
# streaming maximum window, judging by the name -- confirm against sk30905)
# in the running kernel module. Takes effect immediately; it is lost on
# reboot unless also written to fwkern.conf (next step).
fw ctl set int fwtcpstr_max_window 65536
To make the setting persistent across reboots (run in expert mode on the gateway, where $FWDIR is set):
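# Persist the parameter: fwkern.conf is read when the fw kernel module loads.
# Fixes versus the original one-liner:
#  - append (>>) instead of overwrite (>), so any other kernel parameters
#    already present in fwkern.conf are not wiped out;
#  - straight quotes instead of the curly quotes from the blog rendering,
#    which would otherwise be written into the file verbatim;
#  - $FWDIR instead of the hard-coded /opt/CPsuite-R65/fw1 path, so the
#    command also works on other releases;
#  - skip the append if the parameter is already present, to avoid
#    duplicate (possibly conflicting) entries.
grep -q '^fwtcpstr_max_window=' "$FWDIR/boot/modules/fwkern.conf" 2>/dev/null \
  || echo 'fwtcpstr_max_window=65536' >> "$FWDIR/boot/modules/fwkern.conf"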
Reference: Check Point SecureKnowledge article sk30905.