https://community.checkpoint.com/t5/Firewall-and-Security-Management/Detect-and-prevent-NTLM-traffic/m-p/272370#M103760 <P>Hi,<BR /><BR />Can't you use Application Control. There is a Windows NTLM application there.<BR /><BR />"Windows Challange/Response (NTLM) is the authentication protocol used on networks that include systems running the Windows operating system on stand-alone systems."<BR /><BR />Category: Network Protocols<BR />Risk: Low (2)<BR /><BR />Or did you already tried that?<BR /><BR />Martijn<BR /><BR /><BR /><BR /><BR /><BR /><BR /></P> Tue, 03 Mar 2026 14:57:16 GMT Martijn 2026-03-03T14:57:16Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Detect-and-prevent-NTLM-traffic/m-p/272366#M103757 <P>Hi everyone,</P><P>Is there a way to monitor all NTLM authentication traffic going through my network?</P><P>I couldn’t find a way to identify it using HTTPS Inspection.</P><P>I need to detect and later enforce a full block on all NTLM authentication traffic.</P><P>Has anyone done this before?<BR /><BR /></P> Tue, 03 Mar 2026 14:27:43 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Detect-and-prevent-NTLM-traffic/m-p/272366#M103757 Rodrigo_Silva 2026-03-03T14:27:43Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Detect-and-prevent-NTLM-traffic/m-p/272367#M103758 <P>Are you using IPS? If yes maybe to compile a snort rule to detect ntlm auth over https would be an idea?</P> Tue, 03 Mar 2026 14:44:10 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Detect-and-prevent-NTLM-traffic/m-p/272367#M103758 Vincent_Bacher 2026-03-03T14:44:10Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Detect-and-prevent-NTLM-traffic/m-p/272370#M103760 <P>Hi,<BR /><BR />Can't you use Application Control. There is a Windows NTLM application there.<BR /><BR />"Windows Challange/Response (NTLM) is the authentication protocol used on networks that include systems running the Windows operating system on stand-alone systems."<BR /><BR />Category: Network Protocols<BR />Risk: Low (2)<BR /><BR />Or did you already tried that?<BR /><BR />Martijn<BR /><BR /><BR /><BR /><BR /><BR /><BR /></P> Tue, 03 Mar 2026 14:57:16 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Detect-and-prevent-NTLM-traffic/m-p/272370#M103760 Martijn 2026-03-03T14:57:16Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Detect-and-prevent-NTLM-traffic/m-p/272373#M103761 <P>Yes, I already tried it but it didn’t detect anything.</P> Tue, 03 Mar 2026 15:04:28 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Detect-and-prevent-NTLM-traffic/m-p/272373#M103761 Rodrigo_Silva 2026-03-03T15:04:28Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Detect-and-prevent-NTLM-traffic/m-p/272374#M103762 <P>Yes, I have IPS enabled, but I’ve never worked with Snort rules before. I’ll look into it. Thanks for the tip.</P> Tue, 03 Mar 2026 15:07:02 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Detect-and-prevent-NTLM-traffic/m-p/272374#M103762 Rodrigo_Silva 2026-03-03T15:07:02Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Detect-and-prevent-NTLM-traffic/m-p/272707#M103886 <P>Thank you for the tip.</P><P>I created the rule below and was able to detect and prevent NTLM traffic&nbsp;using the IPS blade.</P><P>alert tcp any any -&gt; any $HTTP_PORTS (msg:"NTLM authentication over TCP"; flow:to_server,established; content:"Authorization|3a|"; nocase; http_header; content:"NTLM"; nocase; distance:0; within:64; http_header; classtype:policy-violation;)</P><P>Of course, I also had to enable HTTPS Inspection for the internal network.</P><P>Best regards</P> Fri, 06 Mar 2026 15:45:24 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Detect-and-prevent-NTLM-traffic/m-p/272707#M103886 Rodrigo_Silva 2026-03-06T15:45:24Z