topic Block IP but not FQDN in Firewall and Security Management

Block IP but not FQDN

h2k — Wed, 15 Dec 2021 16:21:36 GMT

Hi Checkmates,

Can we block the network traffic to the IP, but allow if the traffic is pointing to a FQDN?

The idea here is to block the scanners looking for public IPs for open ports.

If so, ho can we achieve that ? The software version used here is R80.40

Thanks,

Hari

Re: Block IP but not FQDN

Bob_Zimmerman — Wed, 15 Dec 2021 17:06:12 GMT

There's not a way to do that, no. Connections are always to an IP address. The firewall can't tell if somebody else got the IP address by picking a number or by looking up a name.

You could set up canary ports or addresses. For example, if a client out on the Internet tries to connect to port 80 when you only offer HTTPS, block them for some period of time. Or reserve an IP at the end of your address range and declare it will never be used, and never put in DNS. Then if a client tries to connect, you know it's a scan and you can block them. They will get results until they hit the canary, but that's probably not avoidable.

Re: Block IP but not FQDN

Wolfgang — Wed, 15 Dec 2021 19:36:45 GMT

You can use SmartEvent to block those scanners. There is a protection available to block scanners for time x if detected.

Re: Block IP but not FQDN

h2k — Wed, 15 Dec 2021 20:14:50 GMT

Thanks! What are the best practices to implement SmartEvent within Checkpoint?

Re: Block IP but not FQDN

h2k — Wed, 15 Dec 2021 20:15:51 GMT

Thanks! Do we have any other best practices to detect and block the suspicious traffic?