https://community.checkpoint.com/t5/Firewall-and-Security-Management/Block-unknown-protocol/m-p/86033#M11135 <P><SPAN>Protocol signatures are used in part of PSL/PXL.</SPAN></P> <P><SPAN>Packets may arrive out of order or may be legitimate retransmissions of packets that have not yet received an acknowledgment. In some cases a retransmission may also be a deliberate attempt to evade IPS detection by sending the malicious payload in the retransmission. Security Gateway ensures that only valid packets are allowed to proceed to destinations. It does this with Passive Streaming Library (PSL) technology.</SPAN></P> <P><SPAN>If you set the protocol it will be analyzed by PSL/PXL&nbsp;to specify the protocol type such as http, ftp, imap, etc.&nbsp;</SPAN></P> <P><SPAN>More read here:</SPAN></P> <P><SPAN><A href="https://community.checkpoint.com/t5/General-Topics/R80-x-Security-Gateway-Architecture-Content-Inspection/td-p/41665" target="_self">R80.x Security Gateway Architecture (Content Inspection)</A></SPAN></P> Fri, 22 May 2020 06:08:47 GMT HeikoAnkenbrand 2020-05-22T06:08:47Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Block-unknown-protocol/m-p/86002#M11133 <P>Forgive me the probably idiotic question but what is the best way to block this:</P> <DIV id="tinyMceEditorHristoGrigorov_1" class="mceNonEditable lia-copypaste-placeholder">&nbsp;</DIV> <DIV id="tinyMceEditorHristoGrigorov_2" class="mceNonEditable lia-copypaste-placeholder">&nbsp;</DIV> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="unknproto.PNG" style="width: 265px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/6188i300FDA752E5C7395/image-size/large?v=v2&amp;px=999" role="button" title="unknproto.PNG" alt="unknproto.PNG" /></span></P> <P>&nbsp;</P> Thu, 21 May 2020 15:51:13 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Block-unknown-protocol/m-p/86002#M11133 HristoGrigorov 2020-05-21T15:51:13Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Block-unknown-protocol/m-p/86031#M11134 <P>&nbsp;</P> <P>Depending on the specifics you may wish to explore TCP service advanced options further e.g.</P> <P><STRONG>Protocol Signature</STRONG><SPAN>&nbsp;- A unique signature created by&nbsp;</SPAN><SPAN class="Other_Varstp_cp">Check Point</SPAN><SPAN>&nbsp;for each protocol and stored on the&nbsp;</SPAN><SPAN class="Other_Varstp_gw">gateway</SPAN><SPAN>. The signature identifies the protocol as genuine. Select this option to limit the port to the specified protocol.</SPAN></P> <P><SPAN>Refer:&nbsp;<A href="https://community.checkpoint.com/t5/General-Topics/Protocol-Signatures/m-p/54945" target="_blank">https://community.checkpoint.com/t5/General-Topics/Protocol-Signatures/m-p/54945</A></SPAN></P> Fri, 22 May 2020 05:44:39 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Block-unknown-protocol/m-p/86031#M11134 Chris_Atkinson 2020-05-22T05:44:39Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Block-unknown-protocol/m-p/86033#M11135 <P><SPAN>Protocol signatures are used in part of PSL/PXL.</SPAN></P> <P><SPAN>Packets may arrive out of order or may be legitimate retransmissions of packets that have not yet received an acknowledgment. In some cases a retransmission may also be a deliberate attempt to evade IPS detection by sending the malicious payload in the retransmission. Security Gateway ensures that only valid packets are allowed to proceed to destinations. It does this with Passive Streaming Library (PSL) technology.</SPAN></P> <P><SPAN>If you set the protocol it will be analyzed by PSL/PXL&nbsp;to specify the protocol type such as http, ftp, imap, etc.&nbsp;</SPAN></P> <P><SPAN>More read here:</SPAN></P> <P><SPAN><A href="https://community.checkpoint.com/t5/General-Topics/R80-x-Security-Gateway-Architecture-Content-Inspection/td-p/41665" target="_self">R80.x Security Gateway Architecture (Content Inspection)</A></SPAN></P> Fri, 22 May 2020 06:08:47 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Block-unknown-protocol/m-p/86033#M11135 HeikoAnkenbrand 2020-05-22T06:08:47Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Block-unknown-protocol/m-p/86181#M11136 What about using the Application Control signature "Unknown Traffic" in a drop rule? Mon, 25 May 2020 04:33:52 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Block-unknown-protocol/m-p/86181#M11136 PhoneBoy 2020-05-25T04:33:52Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Block-unknown-protocol/m-p/86182#M11137 <P>Yeah, I am sorry I forgot to follow up.</P> <P>I added both Unknown Traffic application signature and Unknown Traffic application category to a drop rule and that sorted out this issue.&nbsp;</P> <P>Thank you all for your recommendations.</P> Mon, 25 May 2020 04:39:52 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Block-unknown-protocol/m-p/86182#M11137 HristoGrigorov 2020-05-25T04:39:52Z