Recently one of our sales offices was not able to download postage using their Pitney Bowes postage machine. I was seeing dropped packets from the machine in our Checkpoint firewall logs. The logs stated that SmartDefense was blocking the packets because it had detected an illegal header format in the HTTP protocol.
After speaking with the Pitney Bowes technician it was discovered that the machine uses chunked encoding to transmit the sensitive account information to their servers.
It turns out SmartDefense isn't so smart after all. Setting all the HTTP Protocol Inspection pieces of SmartDefense to Inactive didn't stop the packets from being dropped. To fix this issue I had to set all the HTTP Protocol Inspection pieces of SmartDefense to Active and check the Monitor Only checkbox so they would log rather than actually block the packets. In theory this would have shown me exactly which SmartDefense rule had been blocking the transmissions. Not the case. It did allow the chunked-encoded transmissions to pass through the firewall, but it didn't show me which SmartDefense rule was triggering the block. On to trial and error.
Finally, I figured out that to fix this issue you must have ASCII Only Response Headers set to Active (either Active/Monitor Only or just Active). This allows the chunked-encoded packets through the firewall, or at least it has worked for my application. You can find this setting in SmartCenter, under the SmartDefense tab > expand Web Intelligence > HTTP Protocol Inspection > set ASCII Only Response Headers to Active. You must reinstall the policy after making these changes.
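Since the whole problem comes down to what a chunked-encoded HTTP body looks like on the wire, here is an added example (written for this post, not Pitney Bowes or Check Point code) that frames a body with RFC 7230 chunked transfer encoding and then parses it back with the kind of strict checks a protocol-inspection engine applies: hex chunk sizes, CRLF framing, a terminating zero-length chunk, and ASCII-only trailer headers. The account data in the sample is constructed, and the `account=...` body is purely illustrative.

```python
"""
Added example, not from the original post: build and strictly parse an HTTP
chunked body so a defender can see exactly which byte patterns a header/body
checker must accept. Sample payloads are constructed for illustration.
"""
import re

CRLF = b"\r\n"
# chunk-size line: hex size, optionally followed by ";" chunk extensions
_CHUNK_SIZE_RE = re.compile(rb"^([0-9A-Fa-f]+)(;.*)?$")


def encode_chunked(body: bytes, chunk_size: int = 8) -> bytes:
    """Split `body` into `chunk_size`-byte chunks using chunked framing."""
    if chunk_size <= 0:
        raise ValueError("chunk_size must be positive")
    out = bytearray()
    for i in range(0, len(body), chunk_size):
        piece = body[i:i + chunk_size]
        out += f"{len(piece):x}".encode("ascii") + CRLF + piece + CRLF
    out += b"0" + CRLF + CRLF  # last-chunk with no trailer headers
    return bytes(out)


def decode_chunked(data: bytes) -> bytes:
    """Strictly parse a chunked body; raise ValueError on any framing defect."""
    body = bytearray()
    pos = 0
    while True:
        end = data.find(CRLF, pos)
        if end == -1:
            raise ValueError("chunk-size line not terminated by CRLF")
        m = _CHUNK_SIZE_RE.match(data[pos:end])
        if not m:
            raise ValueError(f"illegal chunk-size line: {data[pos:end]!r}")
        size = int(m.group(1), 16)
        pos = end + 2
        if size == 0:
            # last-chunk: optional trailer header lines, then an empty line
            while True:
                end = data.find(CRLF, pos)
                if end == -1:
                    raise ValueError("missing final CRLF after last-chunk")
                line = data[pos:end]
                pos = end + 2
                if line == b"":
                    break
                if not all(32 <= b < 127 for b in line):
                    raise ValueError("non-ASCII byte in trailer header")
            if pos != len(data):
                raise ValueError("data after end of chunked body")
            return bytes(body)
        chunk = data[pos:pos + size]
        if len(chunk) != size:
            raise ValueError("truncated chunk data")
        if data[pos + size:pos + size + 2] != CRLF:
            raise ValueError("chunk data not followed by CRLF")
        body += chunk
        pos += size + 2


def is_well_formed(data: bytes) -> bool:
    """True if `data` is a syntactically valid chunked body."""
    try:
        decode_chunked(data)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    sample = b"account=12345678&amount=4200"  # constructed sample body
    wire = encode_chunked(sample)
    print(wire)
    print(decode_chunked(wire) == sample)
```

The point of running this next to the firewall log is that a legitimate chunked transfer contains hex digits and bare CRLFs where a fixed-length body would have a Content-Length header and raw data; an inspection engine that does not expect that framing will report it as a malformed header rather than as a valid body, which is what the SmartDefense log was describing.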
We are running Checkpoint NGX R65.
I hope this helps.
Will
March 19, 2009 at 8:03 am
We too are running into this issue on a Pitney Bowes DM400C.
However, we are using a Fortinet firewall/router and not a Checkpoint product.
Is there a way to turn on “chunked encoding” for the Fortinet product?
Aloha,
Jonathan Spangler
March 19, 2009 at 9:34 pm
I can’t find anything on the fortinet boxes but I am not very familiar with them either. We are actually going to move to them in the near future because they offer a better feature set for less money. I have a great contact for Fortinet in Atlanta if you want to give them a call. Email me if you would like the contact info. wmoore@theadminrules.com
Thanks for reading and please post what you come up with or email it to me so I can post it and give you credit.
Will