topic Re: how do go about blocking a particular resource that i see on the ips log? in Firewall and Security Management

how do go about blocking a particular resource that i see on the ips log?

kb1 — Tue, 21 Sep 2021 17:29:13 GMT

so i see this log on the checkpoint:

How do i go about blocking this resource "syndication.exoclick.com" on port 53? do i need to create a url rule for that? and how would it look like (we have url filtering blade enabled but not https inspection, categorize https inspection is enabled though). And if not url filtering then how else would i block it?

Thank You.

Re: how do go about blocking a particular resource that i see on the ips log?

the_rock — Tue, 21 Sep 2021 17:54:17 GMT

Just my personal opinion...what I would do is create a rule that has a source as custom application/site object and in there, simply add under url list *syndication.exoclick*

I find that doing it that way works 100% of the time, at least from my experience. Slap that as the source, destination any, action block, log and thats it.

Andy

Re: how do go about blocking a particular resource that i see on the ips log?

kb1 — Tue, 21 Sep 2021 18:01:46 GMT

Thanks for replying but shouldn't it be a destination? You say source but it should be destination right?and source should be our internal network? And service selected should be 53?

And just to be clear *syndication.exoclick* will cover the "syndication.exoclick.com" url?

Re: how do go about blocking a particular resource that i see on the ips log?

the_rock — Tue, 21 Sep 2021 18:06:36 GMT

Yes, but my apologies, my first reply is wrong, my bad.

Let me rephrase that...you cant do it as source or dst, you do it under service/application tabs...need more coffee :)). So once you had created that custom app/site, you have a rule like this, just tested it in my lab:

source -> any

destination -> Internet

vpn -> any

services & application -> custom app/site object you create (I named it sundication.exoclick and in "match by" I simply added *syndication.exoclick* and yes, 100% covers anything or any sub domain for that. Its literally if you wanted to block anything facebook under the sun, you could do the same *facebook*. I tried it many times and works like a charm.

action -> block

track -> log

If you have any issues, hit me up and we can do remote.

Re: how do go about blocking a particular resource that i see on the ips log?

kb1 — Tue, 21 Sep 2021 18:08:21 GMT

Oh thank you once again for the quick reply, I will try it out and update here and if it doesn't work I will reach out to you thanks!

Re: how do go about blocking a particular resource that i see on the ips log?

the_rock — Tue, 21 Sep 2021 18:09:52 GMT

Any time!

Re: how do go about blocking a particular resource that i see on the ips log?

the_rock — Tue, 21 Sep 2021 18:17:47 GMT

Forgot to mention, yes, you can also add services to rule like that, so if you ONLY wish to block service with port 53, you can do so, no problem...BUT, just be vigilant not to inadvertently block access to important service for network that should have it, thats all.

Re: how do go about blocking a particular resource that i see on the ips log?

PhoneBoy — Tue, 21 Sep 2021 18:47:09 GMT

Using a custom application/site won’t work for things that aren’t http/https.
It is the sort of thing enabling DNS Trap will help with, which basically rewrites these lookups to “trap” IP addresses.
Note that prior to R81, these events show up as Detect even though they are effectively prevented.