topic Re: Check Point vs Cisco Umbrella in General Topics

Check Point vs Cisco Umbrella

Zee — Mon, 02 Jun 2025 16:07:18 GMT

Hi Everyone,

I am just curious about a network change in our environment. Currently we are using Cisco Umbrella as our DNS server and security layer for all external/public requests. Do you think BIND + Checkpoint can give the same functionality in terms of DNS security for a comparatively large, spread environment?
And what do you suggest for a short and quick alternate to decrease the number of requests being handled by Cisco Umbrella, using Checkpoint blades with DC (as a cache for external domains/requests) keeping in mind the trade off with logging and security issues like TTL.

Re: Check Point vs Cisco Umbrella

PhoneBoy — Mon, 02 Jun 2025 21:15:05 GMT

Check Point DNS Security is handled through Anti-Bot and Anti-Virus Blades.
There is some additional functionality incorporated in the gateways starting from R82.
I assume if you route the requests to Umbrella through a Check Point device that has Anti-Bot and Anti-Virus enabled, you'll see less requests sent there.

Re: Check Point vs Cisco Umbrella

Zee — Tue, 03 Jun 2025 06:37:42 GMT

Thank You for your response and Yes, I am exploring Check Point DNS security but I just wanted to discuss if replacing Cisco Umbrella with BIND and Checkpoint Blades will give me the same functionality as currently being given by Cisco Umbrella, we are trying to minimize the license cost of Umbrella and also number of requests have increased than allowed, so kind of in a pickle right now.

Re: Check Point vs Cisco Umbrella

PhoneBoy — Tue, 03 Jun 2025 17:03:12 GMT

In terms of actually preventing potential threats via DNS, I'd say both are similar in this regard.
However, I haven't seen any head-to-head comparisons that (dis)prove this.

Remember that Cisco Umbrella is, itself, a DNS server.
We are not a DNS server, though with dnsmasq being officially supported in R82 (it's also available in earlier releases, albeit through an unsupported process), that isn't entirely true any longer.
Our enforcement for DNS-related protections require us to be inline with the DNS server (i.e. so we can see requests).
This also changes some of the functions needed (for example, to see DNS over HTTPS, this must be handled inline via HTTPS Inspection, which we do in R82).

Which means, if you're looking to replace Umbrella, you need to understand how it's being used in your environment.
Another thing to consider is, if you're using any FDQN Domain objects or Updatable Objects in your policy is that DNS server used by the clients should be exactly the same as that of the gateway.
Otherwise, the IPs for, say, cdn.example.com might resolve to a different IP, which creates enforcement issues.

Re: Check Point vs Cisco Umbrella

Zee — Tue, 03 Jun 2025 16:29:16 GMT

This clears up a lot of thing. Thank You. I understand, If I want to replace Umbrella then I would have to use our DC as a DNS server and Public DNS server for recursion and also for FWs. On top of that, segregation of DC and network will be required as well to make FWs inline. I am worried about using Public DNS for the purpose as I am not sure how much it will impact regarding the security of the network or may be I should use DC as a conditional forwarder for top destinations like google and use Public DNS for those to limit the risk at least and continue with Cisco Umbrella for remaining requests to reduce its licensing cost.

Re: Check Point vs Cisco Umbrella

the_rock — Tue, 03 Jun 2025 16:41:15 GMT

For what its worth, I know few customers who use below public dns servers and so far, I heard no complaints.

Andy

https://quad9.net/

Re: Check Point vs Cisco Umbrella

PhoneBoy — Tue, 03 Jun 2025 17:10:20 GMT

In larger environments, it's typical to have internal DNS servers (can be Active Directory, BIND, or something else) that forward requests to public DNS servers for anything that it can't resolve.
There is also two different versions of DNS for a given domain (internal, which has everything, and external, which only has externally accessible servers).

While forwarding requests for some domains directly to public DNS might help in your quest to reduce overall usage of Cisco Umbrella, I'd be careful with certain domains:
https://www.bleepingcomputer.com/news/security/azure-domains-and-google-abused-to-spread-disinformation-and-malware/

Re: Check Point vs Cisco Umbrella

Zee — Tue, 03 Jun 2025 19:11:25 GMT

Yes, I agree quad9 is better among others.

Re: Check Point vs Cisco Umbrella

the_rock — Tue, 03 Jun 2025 19:13:09 GMT

Thats my experience as well.

Andy

Re: Check Point vs Cisco Umbrella

Zee — Tue, 03 Jun 2025 19:15:34 GMT

Microsoft and Google will probably be the domains for which DC along with Public DNS will be used to reduce the usage as a quick fix I guess, and to use Checkpoint with Bind makes a persistent solution instead of just Checkpoint I suppose.

Re: Check Point vs Cisco Umbrella

Zee — Tue, 03 Jun 2025 19:18:20 GMT

Yes, I might need to use quad9 in future and explore Checkpoint more before making this change.

Re: Check Point vs Cisco Umbrella

Zee — Wed, 04 Jun 2025 09:24:25 GMT

One more thing, I can work around with dnsmasq as well, right? If I use conditional forwarding in DC for some public domains and forward it to checkpoint instead of public dns and use dnsmasq and forward it to public dns from there, checkpoint will log the traffic then and I won't have to change my network so that checkpoint can be configured inline. I am not sure about https inspection. Do you think it is a good option?

Re: Check Point vs Cisco Umbrella

the_rock — Wed, 04 Jun 2025 10:38:23 GMT

I know it works in R82 as well, though not supported officially.

Re: Check Point vs Cisco Umbrella

Zee — Wed, 04 Jun 2025 12:53:59 GMT

Yes, but I am not sure about it's reliability as it is not supported officially but I need a quick fix somehow this week to minimize the requests going to Cisco Umbrella.

Re: Check Point vs Cisco Umbrella

the_rock — Wed, 04 Jun 2025 12:55:56 GMT

I know this link is 11 years old, but commands do work 🙂

Andy

https://phoneboy.org/2014/09/02/fun-with-check-point-dynamic-ip-gateways-in-r77-dot-20-with-gaia/

Re: Check Point vs Cisco Umbrella

Zee — Wed, 04 Jun 2025 13:27:57 GMT

And after all those years, checkpoint is still not giving official support to it. 🙂 Any specifics to keep in consideration while testing all blades related to DNS and Web filtering as we were not using them in our environment due to Cisco Umbrella.

Re: Check Point vs Cisco Umbrella

the_rock — Wed, 04 Jun 2025 13:30:22 GMT

Maybe @PhoneBoy can confirm, but dont believe it was ever officially supported, so use at your own risk 🙂

Andy

Re: Check Point vs Cisco Umbrella

Zee — Wed, 04 Jun 2025 13:36:45 GMT

Agreed, and I would like to hear your thoughts about the blades and checkpoint performance incomparable to Cisco Umbrella, if you have used in a similar way. I could not find a subtle and well documented thing till now which can increase my confidence that Cisco Umbrella can be replaced by Checkpoint and not impacting the security and reliability of the services. 😞

Re: Check Point vs Cisco Umbrella

the_rock — Wed, 04 Jun 2025 13:47:50 GMT

I cant say for sure when it comes to Cisco Umbrealla, as I had never used it myself, but one customer I work with often, they have used it for some time and they seem happy with it.

Andy

Re: Check Point vs Cisco Umbrella

PhoneBoy — Wed, 04 Jun 2025 14:38:09 GMT

We've used dnsmasq on our SMB appliances for quite some time (since the transition from the legacy Safe@/Sofaware appliances).
As near as I can tell, we've been including dnsmasq in regular, non-Embedded Gaia for a number of years now (at least as far back as R77.x).
However, R82 is the first time dnsmasq has actually appeared in product documentation.
That would suggest it is supported in R82, at the very least.

While it definitely works in versions prior to R82, I'm fairly certain it's not officially supported.
Having said that, it's best to engage with your local Check Point office here.