https://community.checkpoint.com/t5/General-Topics/Checkpoint-Gateway-sending-DNS-requests-to-DNS-server-for/m-p/187333#M31331 <P>Thanks for your reply.&nbsp; what investigation we can do here? This is a standby gateway. Please share if there are any troubleshooting steps that I can check.</P> Mon, 24 Jul 2023 12:09:46 GMT AshishS 2023-07-24T12:09:46Z https://community.checkpoint.com/t5/General-Topics/Checkpoint-Gateway-sending-DNS-requests-to-DNS-server-for/m-p/187326#M31326 <P>The checkpoint gateway in a standby state is sending DNS requests to configured DNS server for malicious URLs. What can be the reason behind this?&nbsp;</P><P>Version - Gaia 80.40 on both GWs.</P><P>Malicious URLs -&nbsp;yearinesents.xyz,&nbsp;siswoyo.co.id</P> Mon, 24 Jul 2023 11:08:11 GMT https://community.checkpoint.com/t5/General-Topics/Checkpoint-Gateway-sending-DNS-requests-to-DNS-server-for/m-p/187326#M31326 AshishS 2023-07-24T11:08:11Z https://community.checkpoint.com/t5/General-Topics/Checkpoint-Gateway-sending-DNS-requests-to-DNS-server-for/m-p/187330#M31329 <P>I do not think there is any reason to do that. I would start investigating, to see if that is indeed traffic originating from standby GW and not something else.<BR /><BR />On an active GW, however, that would be okay if someone is trying to reach out to any of those domains through the GW on HTTPS. That would be part of the SNI verification process.&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Mon, 24 Jul 2023 11:40:07 GMT https://community.checkpoint.com/t5/General-Topics/Checkpoint-Gateway-sending-DNS-requests-to-DNS-server-for/m-p/187330#M31329 _Val_ 2023-07-24T11:40:07Z https://community.checkpoint.com/t5/General-Topics/Checkpoint-Gateway-sending-DNS-requests-to-DNS-server-for/m-p/187333#M31331 <P>Thanks for your reply.&nbsp; what investigation we can do here? This is a standby gateway. Please share if there are any troubleshooting steps that I can check.</P> Mon, 24 Jul 2023 12:09:46 GMT https://community.checkpoint.com/t5/General-Topics/Checkpoint-Gateway-sending-DNS-requests-to-DNS-server-for/m-p/187333#M31331 AshishS 2023-07-24T12:09:46Z https://community.checkpoint.com/t5/General-Topics/Checkpoint-Gateway-sending-DNS-requests-to-DNS-server-for/m-p/187334#M31332 <P><STRONG>tcpdump</STRONG>, for starters. Where do you see the requests, on your internal DNS server? Somewhere else? It is hard to give you any advise if you do not provide any retails.</P> Mon, 24 Jul 2023 12:19:50 GMT https://community.checkpoint.com/t5/General-Topics/Checkpoint-Gateway-sending-DNS-requests-to-DNS-server-for/m-p/187334#M31332 _Val_ 2023-07-24T12:19:50Z https://community.checkpoint.com/t5/General-Topics/Checkpoint-Gateway-sending-DNS-requests-to-DNS-server-for/m-p/187336#M31333 <P>Which JHF and enabled blades does this cluster have?</P> Mon, 24 Jul 2023 12:27:30 GMT https://community.checkpoint.com/t5/General-Topics/Checkpoint-Gateway-sending-DNS-requests-to-DNS-server-for/m-p/187336#M31333 Chris_Atkinson 2023-07-24T12:27:30Z https://community.checkpoint.com/t5/General-Topics/Checkpoint-Gateway-sending-DNS-requests-to-DNS-server-for/m-p/187340#M31335 <P>We got the below alert on our Qrdar SIEM server. I have removed IPs from the log and used X,Y,Z instead. The source is standby firewall but the origin and&nbsp;originsicname are showing as active firewall details.</P><P>Alert - Checkpoint AntiVirus or AntiMalware Alert Detected</P><P>LEEF:2.0|Check Point|Anti Malware|1.0|Detect|devTime=1690067244   srcPort=33516     url=yearinesents.xyz    signature=Maze.TC.ov    malware=Maze      policyName=DCFirewallPolicy  cat=Anti Malware  sev=8 action=Detect     ifdir=outbound    ifname=Sync loguid={0xa79f6f9e,0xcdebc05b,0x4a8f2902,0x14c2509a}  origin=X.X.X.X      originsicname=CN\=PHY-NWK-DC-FRW-02,O\=CLUSTER..zzn8zj      sequencenum=880   version=5   confidence_level=1      dst=Y.Y.Y.Y log_id=2    malware_action=DNS query for a C&amp;C site   malware_rule_id={CE6C83BD-AB76-4B53-819F-98CEC479FD68}      policy_time=1689944558  protection_id=00340173A protection_type=DNS reputation      proto=17    rule_name=Internet access to Manager and Gateway      rule_uid=3947ba36-03d7-4ada-b748-90ee083d1200   scope=Z.Z.Z.Z    service=53  session_id={0x64bc544c,0xc,0xa2a3aaca,0xc69bb62e}     smartdefense_profile=Optimized Threat Prevention      src=Z.Z.Z.Z      layer_uuid={269BAA7D-91DD-4356-A634-594DD105B2FE}     malware_rule_id={CE6C83BD-AB76-4B53-819F-98CEC479FD68}      smartdefense_profile=Optimized Threat Prevention      vendor_list=Check Point ThreatCloud</P> Mon, 24 Jul 2023 12:36:13 GMT https://community.checkpoint.com/t5/General-Topics/Checkpoint-Gateway-sending-DNS-requests-to-DNS-server-for/m-p/187340#M31335 AshishS 2023-07-24T12:36:13Z https://community.checkpoint.com/t5/General-Topics/Checkpoint-Gateway-sending-DNS-requests-to-DNS-server-for/m-p/187341#M31336 <P>JHF:- HOTFIX_R80_40_JUMBO_HF_MAIN Take: 192</P><P>Enabled blades:-&nbsp;fw vpn cvpn urlf av aspm appi ips identityServer anti_bot mon</P> Mon, 24 Jul 2023 12:46:26 GMT https://community.checkpoint.com/t5/General-Topics/Checkpoint-Gateway-sending-DNS-requests-to-DNS-server-for/m-p/187341#M31336 AshishS 2023-07-24T12:46:26Z https://community.checkpoint.com/t5/General-Topics/Checkpoint-Gateway-sending-DNS-requests-to-DNS-server-for/m-p/187343#M31338 <P>Did you or your time put those malicious URLs on security policy?&nbsp;</P><P>Had experience before, my teammate put 1 malicious URL on policy to prevent communication to it, and CP will query to the internet to solving domain lookup.</P><P>since CP querying it, then detected on SIEM that CP has communication with malicous url.</P> Mon, 24 Jul 2023 13:00:15 GMT https://community.checkpoint.com/t5/General-Topics/Checkpoint-Gateway-sending-DNS-requests-to-DNS-server-for/m-p/187343#M31338 Fabz 2023-07-24T13:00:15Z https://community.checkpoint.com/t5/General-Topics/Checkpoint-Gateway-sending-DNS-requests-to-DNS-server-for/m-p/187345#M31339 <P>These URLs were blocked in policy a long time back. Why it would query for them now? and that is also from the standby firewall.</P> Mon, 24 Jul 2023 13:07:13 GMT https://community.checkpoint.com/t5/General-Topics/Checkpoint-Gateway-sending-DNS-requests-to-DNS-server-for/m-p/187345#M31339 AshishS 2023-07-24T13:07:13Z https://community.checkpoint.com/t5/General-Topics/Checkpoint-Gateway-sending-DNS-requests-to-DNS-server-for/m-p/187348#M31340 <P>need to involved TAC i think for better explanation.&nbsp;</P><P>but for now, could try to delete it first on policy and check on SIEM again?</P> Mon, 24 Jul 2023 13:16:23 GMT https://community.checkpoint.com/t5/General-Topics/Checkpoint-Gateway-sending-DNS-requests-to-DNS-server-for/m-p/187348#M31340 Fabz 2023-07-24T13:16:23Z https://community.checkpoint.com/t5/General-Topics/Checkpoint-Gateway-sending-DNS-requests-to-DNS-server-for/m-p/187350#M31341 <P>There are multiple malicious URLs in that policy but only these 2 are getting queried. I don't think deleting these URLs will help.</P> Mon, 24 Jul 2023 13:20:20 GMT https://community.checkpoint.com/t5/General-Topics/Checkpoint-Gateway-sending-DNS-requests-to-DNS-server-for/m-p/187350#M31341 AshishS 2023-07-24T13:20:20Z https://community.checkpoint.com/t5/General-Topics/Checkpoint-Gateway-sending-DNS-requests-to-DNS-server-for/m-p/253352#M42509 <P>Hello Ashish,</P><P>did you found any solution for this as we are also facing the same issue on our Qradar with Checkpoint firewall.</P> Thu, 17 Jul 2025 08:13:15 GMT https://community.checkpoint.com/t5/General-Topics/Checkpoint-Gateway-sending-DNS-requests-to-DNS-server-for/m-p/253352#M42509 harshnagar 2025-07-17T08:13:15Z https://community.checkpoint.com/t5/General-Topics/Checkpoint-Gateway-sending-DNS-requests-to-DNS-server-for/m-p/253354#M42511 <P>This is a very old post.&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/132433">@harshnagar</a>&nbsp;I would suggest you start a completely new thread about your own issue.</P> Thu, 17 Jul 2025 09:48:37 GMT https://community.checkpoint.com/t5/General-Topics/Checkpoint-Gateway-sending-DNS-requests-to-DNS-server-for/m-p/253354#M42511 _Val_ 2025-07-17T09:48:37Z