topic Re: Issues with fail open settings in Firewall and Security Management

Issues with fail open settings

Jagan23 — Mon, 08 Jul 2024 09:03:17 GMT

The current configuration is a fail-open which means that the traffic will be allowed in case the URL will be unknown.

Changing to a fail-close will have impact on all the environment since all the HTTPS traffic toward website with unknown reputation will be blocked until the checkpoint receive a status on those websites.

We are getting bombarded with alerts from SOC, when ever a user logins to a DC, stating that he has accessed a malicious URL.

I believe this is because of the fail-open settings. Is there any customization that can be done to prevent this from happening. Please check and let me know.

Some of the URL's reported are below,

media[.]jtdwjcwq6f4wp4ce[.]com

ns1[.]telecom-info[.]com

Re: Issues with fail open settings

PhoneBoy — Mon, 08 Jul 2024 19:08:14 GMT

The fail open/closed settings apply when you cannot reach the URL Filtering backend (or some other error related).
Uncategorized URLs can be blocked, but this is done in the Access Policy.

One of the URLs reported definitely looks suspicious:

Re: Issues with fail open settings

Jagan23 — Mon, 08 Jul 2024 19:35:46 GMT

That is some of the URL's I listed. I think this is happening when ever domain controllers do DNS query. Since we have fail-open setting all the URL's are allowed. Is there a way to specifically block these malicious URL while doing DNS queries. Please let me know.

Re: Issues with fail open settings

Lesley — Mon, 08 Jul 2024 21:30:29 GMT

I don't get this part:

when ever a user logins to a DC, stating that he has accessed a malicious URL

How does the drop look on the firewall? I assume it is dropped there? Or how does it look what this SOC is getting?

Re: Issues with fail open settings

PhoneBoy — Wed, 10 Jul 2024 17:10:10 GMT

The Anti-Virus DNS Trap feature.
https://support.checkpoint.com/results/sk/sk74060

Re: Issues with fail open settings

Jagan23 — Mon, 15 Jul 2024 14:14:45 GMT

Most of the connections are dropped but some are being allowed. The problem is we keep getting these alerts from SOC every two days once. Mostly the source points to a Domain controller. And when we checked with the username mentioned by the SOC the user is not aware of visiting any such URL's. The username is captured based on who logged into the DC at that specific duration. I have attached the SOC details for reference.

Re: Issues with fail open settings

Jagan23 — Mon, 15 Jul 2024 14:15:22 GMT

Thank you so much. I will try this and let you know if it works.

Re: Issues with fail open settings

PhoneBoy — Mon, 15 Jul 2024 20:45:38 GMT

I assume this Domain Controller is used by your clients as their DNS server.
Unless the gateway can see the client making the DNS request, it has no way of knowing who made the request in this case.
It logs the information it has at the time, namely whichever admin is logged into the system at the time.

Re: Issues with fail open settings

Lesley — Mon, 15 Jul 2024 20:52:27 GMT

What Phoneboy stated. Is this the flow?

Client -> dns request -> DC server -> DC sends DNS requested to it's forward DNS (this traffic will pass via firewall)

SOC get's logs from firewall and DC? Or only firewall? I think IA blade will see the user's logged into DC. But they have nothing to do with the traffic because it is not send by them. Also I hope users do not login to the actual DC server itself right? (with rdp)

Re: Issues with fail open settings

Jagan23 — Wed, 17 Jul 2024 15:01:40 GMT

Yes this is absolutely right. That is what happening and we are unable to see who is making those DNS requests

Re: Issues with fail open settings

Jagan23 — Wed, 17 Jul 2024 15:02:53 GMT

The flow is correct. The log source is only from Firewall. People login to DC using RDP. That's when these DNS queries are taking place.

Re: Issues with fail open settings

PhoneBoy — Wed, 17 Jul 2024 18:13:19 GMT

For any system where multiple users are involved, you need to install the Multi-User Host agent (MUHv2).
Whether they should be logging directly into the Domain Controller is a separate question.

Re: Issues with fail open settings

Jagan23 — Wed, 17 Jul 2024 18:22:45 GMT

Thanks for the response. So, the only option to see who is making those DNS requests is through gateway. Please advise.

Re: Issues with fail open settings

the_rock — Wed, 17 Jul 2024 18:26:13 GMT

Just curious, did this ever work right with the same settings...or no?

Andy

Re: Issues with fail open settings

Jagan23 — Wed, 17 Jul 2024 18:28:59 GMT

I am not sure. I joined this organization recently and I am onboarding systems to our new SOC vendor. That's when I started to see these alerts. But I am unable to find anything in firewall. However, when the email comes from SOC they say the log source is checkpoint.

Re: Issues with fail open settings

the_rock — Wed, 17 Jul 2024 18:34:53 GMT

I would follow what Phoneboy gave...

Andy

https://support.checkpoint.com/results/sk/sk74060

Re: Issues with fail open settings

PhoneBoy — Wed, 17 Jul 2024 22:00:20 GMT

If you want to see who made a specific DNS request, that request must traverse the gateway before it reaches the DNS server (either internal or external).
And, of course, Identity Awareness is configured and working.