Good morning, team.
We have a Cluster R81.10, in which, at the moment, we only have the "Firewall" blade working.
For a need of our customer, we need to block "malicious domains (URLs)" that are reporting to us.
Is it advisable and effective to be able to block malicious domains using a firewall rule with a DOMAIN object (FQDN)?
Our intention for the moment is to contain malicious traffic; for the moment the APPC+URLF blades are not yet being worked on due to an internal customer process.
I look forward to your kind comments.
Thank you.
Remember what I said yesterday bro? lol
You do NOT update these things yourself, they are auto-updated every 5 mins actually, so if anything gets added, you don't intervene at all.
Andy
[Expert@QUANTUM-MANAGEMENT:0]# ioc_feeds show_interval
Feeds will be fetched every 300 seconds
[Expert@QUANTUM-MANAGEMENT:0]#
Ha, I understand.
It's new to me, this functionality.
I understand that I only need to have Internet access from my GW/Cluster to make this "work well", right?
Those Local* files (that are part of what the json brings) I understand that it is something customized by Check Point (I got to believe that you yourself had created it manually) hehehe.
Greetings.
Bro,
No offense, but someone would need to pay me a LOT of money to create them myself LOL
Hahaha. 😅
Well, I really "thought" they were files created by you, that's why I had so many doubts.
It is clear to me, that only the output to the Internet from the GW is enough for us.
Now if we are inclined to use the method where the .csv format is used, that would require enabling the AV/ABOT blades, right?
Thanks for the help, friend. 🤓
You can use the below to create custom indicators, as described:
https://support.checkpoint.com/results/sk/sk132193
That needs av/ab enabled.
You are 100% right, I just verified that av and ab are needed, but ips is not.
Andy
As Phoneboy advised, that's your best bet... OR, you can create a new domain based on the below and follow the steps from the sk.
Andy
https://support.checkpoint.com/results/sk/sk120633
I have a customer who is using FQDN objects to block bad domains in Azure, but MS Defender is generating alerts that the firewall is trying to reach known bad domains - I believe because it's trying to cache resolved IPs for the nefarious domains to apply in policy. Would network feeds and IOCs definitely be a better approach to this? Or DNS sinkhole?
I would say network feeds 100%. I had tested them in the lab and it's fantastic. Though if I am not mistaken, you need R81.20 for that.
Andy
Network feeds in R81.20 is an alternate approach.