Matlu
Advisor

Domain blocking by FQDN rule

Good morning, team.

We have an R81.10 cluster in which, at the moment, we only have the "Firewall" blade working.

For a need of our customer, we need to block "malicious domains (URLs)" that are being reported to us.

Is it advisable and effective to block malicious domains using a firewall rule with a Domain object (FQDN)?

Our intention for the moment is to contain malicious traffic; the APPC+URLF blades are not yet being worked on due to an internal customer process.

I look forward to your kind comments.

Thank you.

0 Kudos
39 Replies
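The question above is about turning "malicious domains (URLs)" reported by the customer into something an FQDN Domain object can actually enforce. As an added example (not code from this thread or from Check Point), the Python below normalizes reported indicators to bare hostnames and sets aside the entries an FQDN rule cannot express (IP literals, wildcards, malformed strings); the sample indicators are constructed placeholders.

```python
import ipaddress
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample of indicators as a customer might report them
# (hypothetical values, not real IoCs).
REPORTED = [
    "http://bad.example.test/login.php",
    "evil.example.test",
    "HTTPS://Evil.Example.Test:8443/",
    "*.wild.example.test",
    "203.0.113.7",
    "not a domain",
]

def to_fqdn(indicator: str) -> Optional[str]:
    """Reduce a reported URL or hostname to a bare FQDN; None if it is not a hostname."""
    s = indicator.strip().lower()
    if "://" not in s:
        s = "//" + s                     # lets urlsplit parse a bare host[:port]
    host = urlsplit(s).hostname
    if not host:
        return None
    try:
        ipaddress.ip_address(host)
        return None                      # literal IPs belong in a Host/Network object
    except ValueError:
        pass
    labels = host.rstrip(".").split(".")
    # Plain DNS labels only: wildcards, spaces and underscores are rejected here
    if len(labels) < 2 or not all(l and l.replace("-", "").isalnum() for l in labels):
        return None
    return ".".join(labels)

def classify(indicators: List[str]) -> Tuple[List[str], List[str]]:
    """Return (deduplicated FQDNs usable in a Domain object, entries needing another control).

    Note the over-blocking trade-off: an indicator that is a URL with a path
    is reduced to its host, so the FQDN rule blocks the whole host, not just
    that path. Path-level precision needs URL Filtering, not an FQDN object.
    """
    fqdns, other = set(), []
    for ind in indicators:
        host = to_fqdn(ind)
        (fqdns.add(host) if host else other.append(ind))
    return sorted(fqdns), other

if __name__ == "__main__":
    usable, leftover = classify(REPORTED)
    print("FQDN objects:", usable)
    print("Needs manual review / other object type:", leftover)
```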
the_rock
Legend

Remember what I said yesterday bro? lol

You do NOT update these things yourself, they are auto-updated every 5 mins actually, so if anything gets added, you don't intervene at all

Andy

[Expert@QUANTUM-MANAGEMENT:0]# ioc_feeds show_interval
Feeds will be fetched every 300 seconds
[Expert@QUANTUM-MANAGEMENT:0]#

0 Kudos
Matlu
Advisor

Ha, I understand.

It's new to me, this functionality.

I understand that I only need to have Internet access from my GW/Cluster to make this "work well", right?

Those Local* files (which are part of what the JSON brings), I understand, are something customized by Check Point (I had come to believe that you yourself had created them manually) hehehe.

Greetings.

0 Kudos
the_rock
Legend

Bro,

No offense, but someone would need to pay me a LOT of money to create them myself LOL

0 Kudos
Matlu
Advisor

Hahaha. 😅

Well, I really "thought" they were files created by you, that's why I had so many doubts.
It is clear to me that Internet access from the GW is enough for us.

Now, if we are inclined to use the method where the .csv format is used, that would require enabling the AV/ABOT blades, right?

Thanks for the help, friend. 🤓

0 Kudos
the_rock
Legend

You can use the link below to create custom indicators, as described:

https://support.checkpoint.com/results/sk/sk132193

That needs av/ab enabled.

0 Kudos
the_rock
Legend

You are 100% right, I just verified that av and ab are needed, but ips is not.

Andy

0 Kudos
the_rock
Legend

As Phoneboy advised, that's your best bet... OR you can create a new domain based on the sk below and follow the steps from it

Andy

https://support.checkpoint.com/results/sk/sk120633

0 Kudos
LazarusG
Contributor

I have a customer who is using FQDN objects to block bad domains in Azure, but MS Defender is generating alerts that the firewall is trying to reach known bad domains. I believe this is because it's trying to cache resolved IPs for the nefarious domains to apply in policy. Would network feeds and IOCs definitely be a better approach to this? Or a DNS sinkhole?

0 Kudos
the_rock
Legend

I would say network feeds 100%. I had tested them in the lab and it's fantastic. Though if I am not mistaken, you need R81.20 for that.

Andy

https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_SecurityManagement_AdminGuid...

0 Kudos
Chris_Atkinson
Employee

Network feeds in R81.20 is an alternate approach.

CCSM R77/R80/ELITE
0 Kudos