This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Matlu
Advisor
‎2023-07-24 06:36 AM

Domain blocking by FQDN rule

Good morning, team.

We have a Cluster R81.10, in which, at the moment, we only have the "Firewall" blade working.

For a need of our customer, we need to block "malicious domains (URLs)" that are reporting to us.

Is it advisable and effective to be able to block malicious domains using a firewall rule with a DOMAIN object (FQDN)?

Our intention for the moment is to contain malicious traffic, for the moment the APPC+URLF blades are not yet being worked on due to an internal customer process.

I look forward to your kind comments.

Thank you.

0 Kudos
39 Replies
the_rock
Legend
Legend
‎2023-07-26 08:52 AM
In response to Matlu

Remember what I said yesterday bro? lol

You do NOT update these things yourself, they are auto-updated every 5 mins actually, so if anything gets added, you dont intervene at all

Andy

[Expert@QUANTUM-MANAGEMENT:0]# ioc_feeds show_interval
Feeds will be fetched every 300 seconds
[Expert@QUANTUM-MANAGEMENT:0]#

0 Kudos
Matlu
Advisor
‎2023-07-26 09:13 AM
In response to the_rock

Ha, I understand.

It's new to me, this functionality.

I understand that I only need to have Internet access from my GW/Cluster to make this "work well", right?

Those Local* files (that are part of what the json brings) I understand that it is something customized by Checkpoint (I got to believe that you yourself had created it manually) hehehe.

Greetings.

0 Kudos
the_rock
Legend
Legend
‎2023-07-26 09:16 AM
In response to Matlu

Bro,

No offense, but someone would need to pay me LOT of money to create them myself LOL

0 Kudos
Matlu
Advisor
‎2023-07-26 09:23 AM
In response to the_rock

Hahaha. 😅

Well, I really "thought" they were files created by you, that's why I had so many doubts.
It is clear to me, that only the output to the Internet from the GW is enough for us.

Now if we are inclined to use the method where the .csv format is used, that would require to enable the AV/ABOT blades, right?

Thanks for the help, friend. 🤓

0 Kudos
the_rock
Legend
Legend
‎2023-07-26 09:25 AM
In response to Matlu

You can use below to create custom indicators, as described

https://support.checkpoint.com/results/sk/sk132193

That needs av/ab enabled.

0 Kudos
the_rock
Legend
Legend
‎2023-07-25 05:35 AM
In response to PhoneBoy

You are 100% right, I just verified that av and ab are needed, but ips is not.

Andy

0 Kudos
the_rock
Legend
Legend
‎2023-07-24 06:53 AM

As Phoneboy advised, thats your best bet...OR, you can create new domain based on below and follow steps from sk

Andy

 

https://support.checkpoint.com/results/sk/sk120633

 

Screenshot_1.png

0 Kudos
LazarusG
Contributor
Contributor
‎2023-11-27 02:25 AM
In response to the_rock

i have a customer who is using fqdn objects to block bad domains in azure but MS defender is generating alerts that the firewall is trying to reach known bad domains - i believe because its trying to cache resolved IPs for the nefarious domains to apply in policy. Would network feeds and IOCs definitely be a better approach to this? Or DNS sinkhole?

0 Kudos
the_rock
Legend
Legend
‎2023-11-27 04:31 AM
In response to LazarusG

I would say network feeds 100%. I had tested them in the lab and its fantastic. Though if I am not mistaken, you need R81.20 for that.

Andy

https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_SecurityManagement_AdminGuid...

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2023-07-24 07:00 AM

Network feeds in R81.20 is an alternate approach.

CCSM R77/R80/ELITE
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events