topic Re: Blocking by AntiBot blade. in Firewall and Security Management

Blocking by AntiBot blade.

Matlu — Fri, 29 Dec 2023 22:35:09 GMT

Hello,

I have a question.

I have a traffic that I see in the "log" is being allowed (Action:Detect), but I can't understand "why".
According to the "Profile" defined, the traffic should be "blocked", but in the log, I can see that the traffic is being allowed, and that should not happen, or am I misinterpreting the log?

I want to first understand exactly the log, because my ultimate goal is to "block" traffic from the LAN to the domain "christoher-pelletier.mykajabi.com".

Blocking it by an access rule, or by FQDN, I don't think is an option.

Can you please guide me?

Regards.

Re: Blocking by AntiBot blade.

the_rock — Fri, 29 Dec 2023 23:10:09 GMT

Make sure in gateway object setting is set to "according to policy"

Best,

Andy

Re: Blocking by AntiBot blade.

Matlu — Fri, 29 Dec 2023 23:30:08 GMT

Andy,

I have just checked my Cluster object. I found that it is set to "Detect Only".

So, the custom rules are going to be ignored, as long as I don't change the behaviour in the "Cluster object", right?

Cheers.

Re: Blocking by AntiBot blade.

the_rock — Fri, 29 Dec 2023 23:31:03 GMT

Thats right.

Re: Blocking by AntiBot blade.

Matlu — Sat, 30 Dec 2023 14:08:44 GMT

Hey Bro

What would be the best practice to block a domain like the one I exposed in this post, if the customer still decides not to modify the behavior of the Antibot&Antivirus on the Cluster object (they still want this behavior to stay in Detect mode)?

Is it advisable to block this URL by a FQDN rule (using DOMAINS objects), or is it better to work with the URLF blade?

Greetings.

Re: Blocking by AntiBot blade.

Chris_Atkinson — Sat, 30 Dec 2023 14:24:21 GMT

Best practice is best practice...

FQDN objects and URLF are different approaches.

The later would use a site/category approach.

Re: Blocking by AntiBot blade.

the_rock — Sat, 30 Dec 2023 14:46:44 GMT

Depends who you ask, I guess. Chris is right, its different approaches. I always do it with URLF blade.

Best,

Andy

Re: Blocking by AntiBot blade.

Timothy_Hall — Sat, 30 Dec 2023 14:50:34 GMT

Try to use Custom Site/Application objects whenever possible instead of Domain objects. Only time you should be using Domain objects is if the URL filtering blade is not enabled on the gateway.

Re: Blocking by AntiBot blade.

Matlu — Sat, 30 Dec 2023 16:02:30 GMT

The "Domain Objects" depend on the Blade Firewall, then?

Does the effectiveness of working "URL" "Blocking" with "Domain Objects" depend on DNS?

Greetings.

Re: Blocking by AntiBot blade.

Timothy_Hall — Sat, 30 Dec 2023 18:51:46 GMT

Yes Domain objects are part of the firewall blade, in R80+ for FQDN's it relies on forward DNS lookups, for non-FQDN it relies on reverse DNS lookups which can still be problematic and should be avoided where possible. Custom URL/Site objects match the actual URL site name for HTTP, or the SNI (Server Name Indication) for HTTPS via the URL Filtering blade. For performance reasons you should try to avoid using the "*" character in Custom Site/URL objects, see here for more detail: Custom Sites and RegExp Wildcard Efficiency

Re: Blocking by AntiBot blade.

Matlu — Tue, 02 Jan 2024 18:28:50 GMT

Hello, my friend.

Happy 2024 🙂

I have a curiosity, even if I create explicit rules in the Threat Prevention layer, if my Cluster object is still in "Detect Only" mode, the Firewall will completely ignore my explicit rules, right?

Greetings.

Re: Blocking by AntiBot blade.

the_rock — Tue, 02 Jan 2024 18:30:51 GMT

Feliz ano nuevo!

YES 🙂

Best,

Andy