Blocking by AntiBot blade.

Matlu · ‎2023-12-29

Hello,

I have a question.

I have a traffic that I see in the "log" is being allowed (Action:Detect), but I can't understand "why".
According to the "Profile" defined, the traffic should be "blocked", but in the log, I can see that the traffic is being allowed, and that should not happen, or am I misinterpreting the log?

I want to first understand exactly the log, because my ultimate goal is to "block" traffic from the LAN to the domain "christoher-pelletier.mykajabi.com".

Blocking it by an access rule, or by FQDN, I don't think is an option.

Can you please guide me?

Regards.

the_rock · ‎2023-12-29

Make sure in gateway object setting is set to "according to policy"

Best,

Andy

Best,
Andy
"Have a great day and if its not, change it"

Matlu · ‎2023-12-29

Andy,

I have just checked my Cluster object. I found that it is set to "Detect Only".

So, the custom rules are going to be ignored, as long as I don't change the behaviour in the "Cluster object", right?

Cheers.

the_rock · ‎2023-12-29

Thats right.

Best,
Andy
"Have a great day and if its not, change it"

Matlu · ‎2023-12-30

Hey Bro

What would be the best practice to block a domain like the one I exposed in this post, if the customer still decides not to modify the behavior of the Antibot&Antivirus on the Cluster object (they still want this behavior to stay in Detect mode)?

Is it advisable to block this URL by a FQDN rule (using DOMAINS objects), or is it better to work with the URLF blade?

Greetings.

Chris_Atkinson · ‎2023-12-30

Best practice is best practice...

FQDN objects and URLF are different approaches.

The later would use a site/category approach.

CCSM R77/R80/ELITE

the_rock · ‎2023-12-30

Depends who you ask, I guess. Chris is right, its different approaches. I always do it with URLF blade.

Best,

Andy

Best,
Andy
"Have a great day and if its not, change it"

Timothy_Hall · ‎2023-12-30

Try to use Custom Site/Application objects whenever possible instead of Domain objects. Only time you should be using Domain objects is if the URL filtering blade is not enabled on the gateway.

New Book: "Max Power 2026" Coming Soon
Check Point Firewall Performance Optimization

Matlu · ‎2023-12-30

The "Domain Objects" depend on the Blade Firewall, then?

Does the effectiveness of working "URL" "Blocking" with "Domain Objects" depend on DNS?

Greetings.

Timothy_Hall · ‎2023-12-30

Yes Domain objects are part of the firewall blade, in R80+ for FQDN's it relies on forward DNS lookups, for non-FQDN it relies on reverse DNS lookups which can still be problematic and should be avoided where possible. Custom URL/Site objects match the actual URL site name for HTTP, or the SNI (Server Name Indication) for HTTPS via the URL Filtering blade. For performance reasons you should try to avoid using the "*" character in Custom Site/URL objects, see here for more detail: Custom Sites and RegExp Wildcard Efficiency

New Book: "Max Power 2026" Coming Soon
Check Point Firewall Performance Optimization

Matlu · ‎2024-01-02

Hello, my friend.

Happy 2024 🙂

I have a curiosity, even if I create explicit rules in the Threat Prevention layer, if my Cluster object is still in "Detect Only" mode, the Firewall will completely ignore my explicit rules, right?

Greetings.

the_rock · ‎2024-01-02

Feliz ano nuevo!

YES 🙂

Best,

Andy

Best,
Andy
"Have a great day and if its not, change it"

Are you a member of CheckMates?

Blocking by AntiBot blade.