topic Re: How do you manage Check Point DNS requests logging in Cisco Umbrella in Firewall and Security Management

How do you manage Check Point DNS requests logging in Cisco Umbrella

Heath — Mon, 21 Apr 2025 19:19:15 GMT

We have Check Point gateways and the majority of our log in Umbrella are from our gateways. How are others managing this? It almost makes the Cisco Umbrella logs unusable because the gateway trying to check the DNS to come to a determination if the site is good which then doubles the logs in Umbrella. We also noticed the updatable objects might be causing increased Umbrella logging as well.

Is anyone else dealing with this or have dealt with this issue between Check Point and Cisco Umbrella?

Re: How do you manage Check Point DNS requests logging in Cisco Umbrella

the_rock — Mon, 21 Apr 2025 19:47:26 GMT

Logically, sounds like best option would be to limit whats being logged on CP side, ie maybe disable logging on certain rules that would be causing this. Its been ages since I worked on Cisco umrella, but I dont recall any options to limit something like this on their end.

Andy

Re: How do you manage Check Point DNS requests logging in Cisco Umbrella

Heath — Mon, 21 Apr 2025 19:50:53 GMT

The abundance of logging is from the Check Point DNS queries to Umbrella which then creates a log for each DNS request in Umbrella. This is causing the logs within Umbrella to be flooded with CP gateway DNS queries. Hopefully that further clarifies the issue we are seeing. Thanks!

Re: How do you manage Check Point DNS requests logging in Cisco Umbrella

PhoneBoy — Mon, 21 Apr 2025 20:05:25 GMT

The gateway needs to use DNS for various functions.
You could configure the gateway to use a different DNS resolver, but then you might have issues with things like Updatable Objects.

Can't you just disable logging for queries from the gateway on the Cisco Umbrella side?

Re: How do you manage Check Point DNS requests logging in Cisco Umbrella

Heath — Mon, 21 Apr 2025 20:10:16 GMT

We've done this partially via a service account exclusion since some logs from CP were showing up as originating from our CP service account. The next step is entering in IP exclusions, but we have a lot of IPs to enter from our CP deployments.

I didn't know if anyone else is doing this any differently.

Re: How do you manage Check Point DNS requests logging in Cisco Umbrella

the_rock — Mon, 21 Apr 2025 22:02:53 GMT

To me, that would seem to be the best way.

Andy

Re: How do you manage Check Point DNS requests logging in Cisco Umbrella

the_rock — Tue, 22 Apr 2025 01:05:15 GMT

For what its worth, though I have a need to say this now, AI answers should be taken with a grain of salt, but I "ran" your question through chatgpt, since AI Copilot told me this is not strictly CP related, below is what I got from chatgpt.

Andy

**************************

Managing Check Point DNS request logging in Cisco Umbrella typically involves making sure that your DNS traffic — which may originate from Check Point appliances or networks protected by them — is properly redirected to and logged by Cisco Umbrella. Here's how you'd go about setting it up and managing the logging:

🔧 1. Redirect DNS Traffic from Check Point to Cisco Umbrella

To log DNS requests in Cisco Umbrella, you need to ensure that DNS queries from your network are sent to Umbrella's DNS servers:

Cisco Umbrella DNS IPs:
- 208.67.222.222
- 208.67.220.220

✅ On Check Point:

You need to configure the firewall/NAT rules to intercept and redirect DNS queries (UDP/53 and TCP/53) to Umbrella:

Create a NAT Rule:
- Original Source: Internal networks
- Original Destination: Any
- Original Service: DNS (UDP/TCP 53)
- Translated Source: Original
- Translated Destination: Cisco Umbrella DNS IPs
- Translated Service: Original
Create an Access Control Policy Rule to allow the traffic.

Alternatively, use DNS forwarding if you're running a local DNS server — point it to Cisco Umbrella.

📝 2. Enable DNS Logging in Umbrella Dashboard

Once DNS traffic is being sent to Umbrella:

Go to Cisco Umbrella Dashboard → Activity Search.
Make sure your policy is set to log all DNS requests, including allowed and blocked ones.
- Navigate to Policies → choose your policy → Logging.
- Set it to: Log all requests (Full logging)

📈 3. Verify & Monitor Logs

Use the Activity Search and Reports tabs in Umbrella to:

Monitor DNS requests by source IP, identity, domain, or category.
Export logs if needed.
Optionally, configure Log Export to a SIEM using Umbrella’s Log Exporter or Amazon S3 bucket integration.

🔍 4. Troubleshooting Tips

Make sure no DNS queries are bypassing Umbrella (e.g., clients using hardcoded DNS).
Enable DNSCrypt or DNS-over-HTTPS (DoH) on compatible clients for security, if required.
In Check Point, use SmartLog or SmartView to verify that DNS traffic is being NAT-ed correctly.

Re: How do you manage Check Point DNS requests logging in Cisco Umbrella

Nüüül — Tue, 22 Apr 2025 12:46:00 GMT

Hello

what i understand:

your Check Point gateways are using Umbrella DNS Resolvers for DNS

your internal network is using it´s own (internal) DNS Servers, which then are using Umbrella as "Upstream resolver".

In umbrella both "use cases" are logged (worst, with same configured "identity" as source IP)?

Depending on your umbrella subscription, for your internal dns servers using a umbrella VA as resolver (which then resolves via cisco) might be able to differentiate the requests sources.

For me I am doing something similar with a customer. using a pair of Umbrella VAs as internal resolver and letting their gateways speak directly to umbrella.

At least you can now set a filter on what is interesting to you.

When i got you wrong, please correct me.

Re: How do you manage Check Point DNS requests logging in Cisco Umbrella

Heath — Tue, 22 Apr 2025 14:35:16 GMT

It's certainly working, I've just got too many logs in Umbrella from CP! Thanks again @the_rock !

Re: How do you manage Check Point DNS requests logging in Cisco Umbrella

Heath — Tue, 22 Apr 2025 14:37:38 GMT

Very nice, when you say you're letting the gateways use Umbrella directly do you mean you're setting the gateway DNS servers to Umbrella public IPs? Thanks @Nüüül !

Re: How do you manage Check Point DNS requests logging in Cisco Umbrella

the_rock — Tue, 22 Apr 2025 14:39:52 GMT

Well, thank Chatgpt 😉

Re: How do you manage Check Point DNS requests logging in Cisco Umbrella

Nüüül — Tue, 22 Apr 2025 15:00:09 GMT

Thats what i understood, you are already doing 😄

So, as an example:

Gateways are using 208.67.220.220/208.67.222.222 (or for ipv6 2620:119:35::35 / 2620:119:53::53)
- their public IPs are registered as "Network"

internally there are 2 virtual appliances of umbrella installed - lets say 10.0.0.35 and 10.0.0.53
- these are registered to the umbrella account (can be found at "sites and active directory")
- internal servers and so on are using these appliances

With this, gateways can resolve internet destinations via umbrella and umbrella admin can exclude "Network" addresses in their log searches.

Another way would be to use the virtual appliances for your gateways too (depends on how many branches and so on you have). For instance, when you need internal name resolving. The VA sends the internal requesting IP with it´s logs too, so that would be another way to filter.

I hope it is kind of clear what i meant, if not, drop me a dm and we can discuss on your needs and so on.

Re: How do you manage Check Point DNS requests logging in Cisco Umbrella

Heath — Tue, 22 Apr 2025 15:05:29 GMT

We are using the Cisco Umbrella VA's (CUVA) for everything and are getting too many logs in Umbrella. CP is essentially doubling up everything since the CUVA is resolving and the gateways are similarly resolving for their protections, from what I understand, as well as everything else CP is needing to resolve for updatable objects and the like.

When setting up the gateways to use the Umbrella public, instead of the CUVA's, do you see a reduction in Umbrella logs? I think you would and I think this is what we might try to do.

Do you know if it's recommended to use a local DNS resolver for the gateways or does it matter? We've just always used local DNS resolvers since they're setup at all of our locations via the CUVA's since we've deployed Umbrella a couple years back. Thanks again @Nüüül !

Re: How do you manage Check Point DNS requests logging in Cisco Umbrella

Heath — Tue, 22 Apr 2025 15:07:21 GMT

As a baseline, our Cisco Rep told us we are using 10x the log storage of any other company our size! This is similar to what we are seeing in Umbrella because the logs from the gateways are drowning out all the other user logs in the system.

Re: How do you manage Check Point DNS requests logging in Cisco Umbrella

Nüüül — Tue, 22 Apr 2025 15:28:13 GMT

OK, thanks for clarification!

one idea:

configure an internal network with the internal IPs of your gateways. an example is attached as screnshot. now you can set up dns policy (or clone your existing) and match the "identities affected" on the internal network just created and disable logging or set it to security events only.

additional, you might want to have a look at the policy, if you want to have everything running through another filter, especially when logging is disabled, you might run into "strange behaviour", when filtering is active 😉

Re: How do you manage Check Point DNS requests logging in Cisco Umbrella

Heath — Tue, 22 Apr 2025 15:29:52 GMT

Very nice! I like that as another option to the exclusions list you can create. Thanks for taking the time to write that out, much appreciated.

Re: How do you manage Check Point DNS requests logging in Cisco Umbrella

Wolfgang — Tue, 22 Apr 2025 20:20:33 GMT

It would be nice to hear why you are using CISCOs Umbrella. A lot of the features of Umbrella are also available from Check Point. What are your goals to run with Umbrella?

Re: How do you manage Check Point DNS requests logging in Cisco Umbrella

Heath — Tue, 22 Apr 2025 21:39:59 GMT

Hybrid workforce and easy integration mainly for our use case; we use Cisco AnyConnect via Cisco Secure Client and Umbrella integrates easily with that Cisco RA VPN solution. Assets on premise could be covered by CP but we don't utilize the Harmony endpoint products with CP.

Re: How do you manage Check Point DNS requests logging in Cisco Umbrella

the_rock — Tue, 22 Apr 2025 21:49:06 GMT

@Heath Just curious, how do you like Cisco Umbrella? I personally never used it myself..

Andy

Re: How do you manage Check Point DNS requests logging in Cisco Umbrella

Heath — Tue, 22 Apr 2025 21:55:35 GMT

I really don't have anything to compare it to, but it's been easy to work with and setup. That's actually one product that Cisco has actually integrated well with other products, like the Secure Client agent. This was a big win for us.