Wednesday, January 31, 2007

Bypass Web Intelligence by IP

For you Check Point NGX admins out there:

I have seen sloppy code cause Web Intelligence to freak out:
-An "Invalid lf-cr combination in the http header" error message appears in SmartView Tracker.
-Traffic to TCP port 80 is dropped with the above error message when Worm Catcher is enabled.
-This error appears for normal HTTP traffic and for non-HTTP traffic over port 80.

Solution
-Open $FWDIR/lib/asm.def on the management console (/opt/CPngcmp/lib/base.def for r55).
-Add this code, listing the IPs of the destination site with the sloppy code:
IPList = {<IP1>,<IP2>};
or, for ranges of IPs:
IPList = {<IPfirst>,<IPlast>};
-Find this line:
#define ACTIVATE_WS_GLOBAL_DEFENSE (tcp, dport in http_services,ADD_INSPECTION(SPII_WEBSEC_ID)) or 1

Change it to:
#define ACTIVATE_WS_GLOBAL_DEFENSE (src not in IPList,dst not in IPList,tcp, dport in http_services,ADD_INSPECTION(SPII_WEBSEC_ID)) or 1

-Find this line:
#define ACTIVATE_WS_SERVER_DEFENSE ( tcp, get from web_server_rules to sr10, ADD_INSPECTION_WITH_PARAMS(SPII_WEBSEC_ID, sr10)) or ACTIVATE_WS_GLOBAL_DEFENSE

Change it to:
#define ACTIVATE_WS_SERVER_DEFENSE ( src not in IPList,dst not in IPList,tcp, get from web_server_rules to sr10, ADD_INSPECTION_WITH_PARAMS(SPII_WEBSEC_ID, sr10)) or ACTIVATE_WS_GLOBAL_DEFENSE


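This turns off Web Intelligence for those IPs: because the macros test both src and dst, traffic to or from a listed address skips Web Intelligence inspection.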
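
An added example, not part of the original post and not Check Point code: a small Python check that reads the text of a copy of asm.def and reports which addresses are exempt from Web Intelligence and whether each of the two macros carries the src/dst exclusion. The function name, the report layout and the sample addresses are assumptions made for this example, and the sample file content is constructed.

```python
import ipaddress
import re

# The two macros the post edits in asm.def.
MACROS = ("ACTIVATE_WS_GLOBAL_DEFENSE", "ACTIVATE_WS_SERVER_DEFENSE")

# Constructed sample: list defined, but only the first macro was edited.
SAMPLE = """\
IPList = {<192.0.2.10>,<198.51.100.7>};
#define ACTIVATE_WS_GLOBAL_DEFENSE (src not in IPList,dst not in IPList,tcp, dport in http_services,ADD_INSPECTION(SPII_WEBSEC_ID)) or 1
#define ACTIVATE_WS_SERVER_DEFENSE ( tcp, get from web_server_rules to sr10, ADD_INSPECTION_WITH_PARAMS(SPII_WEBSEC_ID, sr10)) or ACTIVATE_WS_GLOBAL_DEFENSE
"""


def audit_asm_def(text, list_name="IPList"):
    """Return exempt addresses and, per macro, whether src/dst exclusions are present."""
    name = re.escape(list_name)
    report = {"exempt": [], "invalid": [], "macros": {}}

    # Table definition in the form shown in the post: IPList = {<IP1>,<IP2>};
    table = re.search(r"^\s*" + name + r"\s*=\s*\{(.*?)\}\s*;", text, re.M | re.S)
    if table:
        for entry in re.findall(r"<([^<>]*)>", table.group(1)):
            for item in (part.strip() for part in entry.split(",")):
                try:
                    report["exempt"].append(str(ipaddress.IPv4Address(item)))
                except ValueError:
                    report["invalid"].append(item)  # typo or placeholder left in the file

    for macro in MACROS:
        # Assumption of this check: each #define sits on a single line.
        define = re.search(r"^#define\s+" + macro + r"\b(.*)$", text, re.M)
        if define is None:
            report["macros"][macro] = None  # macro not found in this file
            continue
        body = define.group(1)
        report["macros"][macro] = {
            side: bool(re.search(r"\b" + side + r"\s+not\s+in\s+" + name + r"\b", body))
            for side in ("src", "dst")
        }
    return report


if __name__ == "__main__":
    result = audit_asm_def(SAMPLE)
    print("Exempt from Web Intelligence:", result["exempt"])
    for macro, sides in result["macros"].items():
        print(macro, sides)
```

On the constructed sample the report shows the exclusion in ACTIVATE_WS_GLOBAL_DEFENSE only, which is what a half-applied edit looks like.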



