https://live.paloaltonetworks.com/t5/next-generation-firewall/should-we-block-http-range-requests/m-p/584713#M3048 <P>Hi <SPAN style="background: var(--ck-color-mention-background); color: var(--ck-color-mention-text);"><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/1005476725">@jonpmoore</a></SPAN> ,</P> <P>&nbsp;</P> <P>Here is a relevant KB regarding <A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PLjPCAW" target="_blank">HTTP range requests</A>. In my opinion, if you aren't experiencing specific issues then it should be set to block.&nbsp;</P> Wed, 24 Apr 2024 02:46:48 GMT JayGolf 2024-04-24T02:46:48Z https://live.paloaltonetworks.com/t5/next-generation-firewall/should-we-block-http-range-requests/m-p/584323#M3023 <P>I have found a few short discussions about how to block range requests, and an article: <A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClJsCAK" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClJsCAK</A>.</P> <P>&nbsp;</P> <P>My question is whether we <STRONG>should</STRONG> be blocking them because they present a threat.</P> <P>&nbsp;</P> <P>My understanding is that an HTTP response is scanned in a single pass as it streams through the firewall, and that the most fundamental operation is looking for patterns within the content which indicate a problem with the content.&nbsp; Is it therefore possible for a pattern to be split across the boundary between two HTTP range requests, and not detected?&nbsp; Particularly since the range requests could be submitted multi-threaded, and therefore the later part of the file is actually processed before the earlier part?</P> <P>&nbsp;</P> <P>Essentially: if a file is downloaded by a series of HTTP range requests, possibly not in the natural order, then are we guaranteed the same level of protection as if the file were downloaded using a single request?</P> <P>&nbsp;</P> <P>Any links to definitive product documentation on this would be very welcome.</P> Fri, 19 Apr 2024 10:37:41 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/should-we-block-http-range-requests/m-p/584323#M3023 jonpmoore 2024-04-19T10:37:41Z https://live.paloaltonetworks.com/t5/next-generation-firewall/should-we-block-http-range-requests/m-p/584713#M3048 <P>Hi <SPAN style="background: var(--ck-color-mention-background); color: var(--ck-color-mention-text);"><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/1005476725">@jonpmoore</a></SPAN> ,</P> <P>&nbsp;</P> <P>Here is a relevant KB regarding <A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PLjPCAW" target="_blank">HTTP range requests</A>. In my opinion, if you aren't experiencing specific issues then it should be set to block.&nbsp;</P> Wed, 24 Apr 2024 02:46:48 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/should-we-block-http-range-requests/m-p/584713#M3048 JayGolf 2024-04-24T02:46:48Z