topic Re: Domain blocking by FQDN rule in General Topics

Domain blocking by FQDN rule

Matlu — Mon, 24 Jul 2023 13:36:17 GMT

Good morning, team.

We have a Cluster R81.10, in which, at the moment, we only have the "Firewall" blade working.

For a need of our customer, we need to block "malicious domains (URLs)" that are reporting to us.

Is it advisable and effective to be able to block malicious domains using a firewall rule with a DOMAIN object (FQDN)?

Our intention for the moment is to contain malicious traffic, for the moment the APPC+URLF blades are not yet being worked on due to an internal customer process.

I look forward to your kind comments.

Thank you.

Re: Domain blocking by FQDN rule

PhoneBoy — Mon, 24 Jul 2023 13:46:15 GMT

Note that an FQDN object will only block the specific FQDN (e.g. example.com) and not a wildcard (I.e. *.example.com).
To block the latter with just firewall, upgrade to R81.20 and use the Network Feeds option.
Or you can do it R81.10 using ioc_feeds and Anti-Virus/Anti-Bot enabled.

Re: Domain blocking by FQDN rule

the_rock — Mon, 24 Jul 2023 13:53:20 GMT

As Phoneboy advised, thats your best bet...OR, you can create new domain based on below and follow steps from sk

Andy

https://support.checkpoint.com/results/sk/sk120633

Re: Domain blocking by FQDN rule

Matlu — Mon, 24 Jul 2023 13:54:43 GMT

One inquiry,

If I "uncheck" the checkbox, the Firewall is not able to "block" what is "before the first dot"?

Re: Domain blocking by FQDN rule

the_rock — Mon, 24 Jul 2023 13:56:32 GMT

Its all explained in the sk my friend : - )

In layman's terms, if you uncheck it, then it should look up 10 sub-domains as well.Otherwise, it will check ONLY fully qualified domain name.

Andy

Re: Domain blocking by FQDN rule

Chris_Atkinson — Mon, 24 Jul 2023 14:00:42 GMT

Network feeds in R81.20 is an alternate approach.

Re: Domain blocking by FQDN rule

Matlu — Mon, 24 Jul 2023 14:16:23 GMT

Thanks for the clarification, my friend.

PhoneBoy also mentioned another alternative, which is using the "ioc_feeds".

How feasible is it to do this in version R81.10?

Does it require extensive configuration in the Firewall?

Cheers. 🙂

Re: Domain blocking by FQDN rule

the_rock — Mon, 24 Jul 2023 14:18:23 GMT

No extra config needed mate 🙂

Andy

Re: Domain blocking by FQDN rule

Matlu — Mon, 24 Jul 2023 14:26:34 GMT

Hello

I don't understand, but I am reading the official Checkpoint documentation.

The ioc_feeds is part of the Threat Prevention, as I understand, but is it "mandatory" to activate any of the TP blades?

Thanks. 🙂

Re: Domain blocking by FQDN rule

Chris_Atkinson — Mon, 24 Jul 2023 14:34:23 GMT

ioc_feeds needs TP blades yes (refer: sk132193).

Re: Domain blocking by FQDN rule

Matlu — Mon, 24 Jul 2023 14:35:30 GMT

But is it necessary to activate the 3 known TP blades, such as "AV, Anti-Bot, and IPS"?

Or is it enough to enable 1/3 of these blades?

Cheers.

Re: Domain blocking by FQDN rule

the_rock — Mon, 24 Jul 2023 14:37:24 GMT

Im almost positive you need AV enabled, not sure if other 2 are a must.

Andy

Re: Domain blocking by FQDN rule

PhoneBoy — Mon, 24 Jul 2023 20:40:37 GMT

AV and Anti-Bot are required to use ioc_feeds.

Re: Domain blocking by FQDN rule

the_rock — Tue, 25 Jul 2023 00:23:41 GMT

I could have sworn I only enabled AV in the lab to use ioc feeds, but will double check tomorrow.

Andy

Re: Domain blocking by FQDN rule

Matlu — Tue, 25 Jul 2023 12:34:12 GMT

Hello,

Do you have available a "step by step" guide to work with the IOC_FEEDS?

Do the AV and AntiBot blades need to work with any particular profile?

Or is it irrelevant the profile they work with?

Thanks for your support

Re: Domain blocking by FQDN rule

the_rock — Tue, 25 Jul 2023 12:35:09 GMT

You are 100% right, I just verified that av and ab are needed, but ips is not.

Andy

Re: Domain blocking by FQDN rule

the_rock — Tue, 25 Jul 2023 12:36:35 GMT

Ola bro,

Profile does not matter, because in my TP profile, I do NOT have anything but IPS enabled, but I have av and ab blades on in the object properties. If you need screenshots, I can "slap" them together and send. Let me know.

Cheers amigo.

Andy

Re: Domain blocking by FQDN rule

Matlu — Tue, 25 Jul 2023 13:31:23 GMT

Hi, Andy.

Do you have a "csv" format to help me, to know how to "customize" my file, if we want to block malicious URLs.

We want to block both Malicious IPs (In a .txt file) and Malicious URLs, with the IOCs.

I understand that to block the IPs, I would only need connectivity between my GW and the PC that will "host" the .txt file, right?

Thanks for any helpful comments.

Re: Domain blocking by FQDN rule

the_rock — Tue, 25 Jul 2023 13:36:34 GMT

To make this simple, you can even use generic data center object and put a file anywhere on the mgmt server, once done, right click, import and then use those objects in the policy. I attached the file, as well as doc with screenshots.

Andy

Re: Domain blocking by FQDN rule

the_rock — Tue, 25 Jul 2023 13:37:24 GMT

To also add, to use generic data center objects, you do NOT need av/ab blades.

Andy