https://community.checkpoint.com/t5/General-Topics/Clarification-on-DNS-Reputation-Logs/m-p/251795#M42126 <P>DNS Reputation refers to domains that we've seen significant malicious activity from.<BR />This is different from URL Filtering, which pulls from a different database than Threat Prevention.<BR />However, that is&nbsp;also showing the site as malicious:&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 400px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/30826iBD8870DB334225FF/image-size/medium?v=v2&amp;px=400" role="button" title="image.png" alt="image.png" /></span></P> <P>A "Detect" means the traffic was ultimately allowed to pass because of your configuration.<BR />Given the amount of data transferred, it seems likely this system has been compromised somehow.</P> <P>If it were me, if you haven't already done so, I'd be activating my organization's incident response plan.</P> Mon, 23 Jun 2025 16:59:01 GMT PhoneBoy 2025-06-23T16:59:01Z https://community.checkpoint.com/t5/General-Topics/Clarification-on-DNS-Reputation-Logs/m-p/251495#M42089 <P>Dear Team,</P><P>I have obeserved in the Generaloverview tab of Smartview of The Management Server that there are Some critical attacks which werenot prevented by Policy.</P><P>When went through the logs most of them wre with</P><P>Protection name : "DNS Reputation"<BR />Description: Connection was allowed because background classification mode was set. See sk74120 for more information<BR />Action : Detect</P><P>When I go through the 74120, as per my understanding if there is no cache information about the resource, as the mode is set to Background and Checkpoint will continue its categorization and connection was allowed.</P><P>After the classification was found a detect log was generated.</P><P>I want to know was the connection is abnormal and any malicious data was received by endpoint user?</P><P>What is mean by Infected hosts in General overview? is the endpoints are infected?</P><P>How can I investigate further about these logs?</P><P>For reference I have attached the one of the log screenshot.</P> Wed, 18 Jun 2025 06:09:05 GMT https://community.checkpoint.com/t5/General-Topics/Clarification-on-DNS-Reputation-Logs/m-p/251495#M42089 Saranya_0305 2025-06-18T06:09:05Z https://community.checkpoint.com/t5/General-Topics/Clarification-on-DNS-Reputation-Logs/m-p/251568#M42108 <P>A DNS query should merely contain the desired FDQN and the IPs they resolve to.<BR />The FDQN requested&nbsp;<A href="https://www.akamai.com/glossary/what-is-dns-tunneling" target="_self">might leak a small amount of data</A>&nbsp;but isolated instances of this don't necessarily indicate an issue (at least not without other indicators being present).</P> Wed, 18 Jun 2025 22:13:46 GMT https://community.checkpoint.com/t5/General-Topics/Clarification-on-DNS-Reputation-Logs/m-p/251568#M42108 PhoneBoy 2025-06-18T22:13:46Z https://community.checkpoint.com/t5/General-Topics/Clarification-on-DNS-Reputation-Logs/m-p/251599#M42109 <DIV>Dear Team,</DIV><DIV>&nbsp;</DIV><DIV>Thank you for the Heads up!</DIV><DIV>&nbsp;</DIV><DIV>As per my understanding,&nbsp;</DIV><DIV>&nbsp;</DIV><DIV>For the DNS Tunneling, first the <STRONG>endpoint should be compromised for DNS Tunneling</STRONG>.</DIV><DIV>&nbsp;</DIV><DIV><STRONG>Protection Type: DNS Trap</STRONG> , where the Checkpoint will give the Bogus IP and responds to the client as it is DNS server.</DIV><DIV>&nbsp;</DIV><DIV>My query is here in this case,</DIV><DIV>&nbsp;</DIV><DIV>1) <STRONG>The Protection Type: DNS Reputation</STRONG>, what does this protection type does?</DIV><DIV>&nbsp;</DIV><DIV>2) Here is the endpoints is trying to access <STRONG>Malicious sites</STRONG>?</DIV><DIV>&nbsp;</DIV><DIV>From the logs,</DIV><DIV>&nbsp;</DIV><DIV>3) In the Forensics Details,</DIV><DIV><SPAN>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <STRONG>Resource: info-update.org&nbsp;</STRONG></SPAN></DIV><DIV><STRONG>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; Action Details: Bypass</STRONG></DIV><DIV>Is the Resource is the site that the endpoint is try to access? If yes, as the action details mentioned&nbsp; <STRONG>"bypass "</STRONG> is it <STRONG>succeeded to access the site?</STRONG></DIV><DIV>&nbsp;</DIV><DIV>4) <STRONG>Action: Detect</STRONG>, what does this Detect log means?</DIV><DIV>&nbsp;</DIV><DIV>Form the logs, I observed some bytes of data has been transferred</DIV><DIV>&nbsp; &nbsp; <STRONG>Sent Bytes:286.7M</STRONG></DIV><DIV><STRONG>&nbsp; &nbsp; Received Bytes:652.2M&nbsp;</STRONG></DIV><DIV>&nbsp;</DIV><DIV>As per my knowledge some data has been transferred when we query for any DNS query.</DIV><DIV>&nbsp;</DIV><DIV>Is there <STRONG>any limitation for Sent and received data bytes</STRONG>, because I observe some of the other logs have <STRONG>Sent and Received Bytes is Gigabytes, is it abnormal?</STRONG></DIV><DIV>&nbsp;</DIV><DIV>Please assist me in this, if I am wrong in my understanding please guide me.</DIV><P>&nbsp;</P><P>Regards,</P><P>Saranya</P> Thu, 19 Jun 2025 11:01:26 GMT https://community.checkpoint.com/t5/General-Topics/Clarification-on-DNS-Reputation-Logs/m-p/251599#M42109 Saranya_0305 2025-06-19T11:01:26Z https://community.checkpoint.com/t5/General-Topics/Clarification-on-DNS-Reputation-Logs/m-p/251621#M42111 <P>Dear Team,</P><P>Along with the previous queries,</P><P>I have observed that the Source IP in the logs are Firewalls Internal or External IP are replicating.</P><P>How the Firewall itself try to access the URL or Destination(Google DNS Server or Internal DNS Server ) ?</P><P><STRONG>Source: Firewalls Internal or External Interface IPs</STRONG></P><P><STRONG>Destination: Google DNS or Internal DNS Server</STRONG></P><P>My thought on this&nbsp;</P><P>Based on the description "<SPAN>Connection was allowed because background classification mode was set. See sk74120 for more information"</SPAN></P><P><SPAN>The firewall has no information about the URL in its cache, it try to get the information from the Cloud, but here the destination is should be Checkpoint Cloud.</SPAN></P><P><SPAN>If it is not the case I have configured my TP Engine settings as Hold.</SPAN></P><P><SPAN>For reference I attached the screenshot of the TE profile and TE Engine Settings.</SPAN></P><P>&nbsp;</P><P><SPAN>Please correct me if I am wrong.</SPAN></P><P>&nbsp;</P><P><SPAN>Regards,</SPAN></P><P><SPAN>Saranya</SPAN></P><P>&nbsp;</P><P>&nbsp;</P> Thu, 19 Jun 2025 14:36:02 GMT https://community.checkpoint.com/t5/General-Topics/Clarification-on-DNS-Reputation-Logs/m-p/251621#M42111 Saranya_0305 2025-06-19T14:36:02Z https://community.checkpoint.com/t5/General-Topics/Clarification-on-DNS-Reputation-Logs/m-p/251795#M42126 <P>DNS Reputation refers to domains that we've seen significant malicious activity from.<BR />This is different from URL Filtering, which pulls from a different database than Threat Prevention.<BR />However, that is&nbsp;also showing the site as malicious:&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 400px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/30826iBD8870DB334225FF/image-size/medium?v=v2&amp;px=400" role="button" title="image.png" alt="image.png" /></span></P> <P>A "Detect" means the traffic was ultimately allowed to pass because of your configuration.<BR />Given the amount of data transferred, it seems likely this system has been compromised somehow.</P> <P>If it were me, if you haven't already done so, I'd be activating my organization's incident response plan.</P> Mon, 23 Jun 2025 16:59:01 GMT https://community.checkpoint.com/t5/General-Topics/Clarification-on-DNS-Reputation-Logs/m-p/251795#M42126 PhoneBoy 2025-06-23T16:59:01Z