This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Vladimir
Champion
Champion
‎2021-03-24 12:34 PM

Unexpected rejection of NTP traffic by URLF

Can anyone tell me the reason I am seeing NTP traffic being bagged by the gateway?

NTP is not listed as the service associated with the Facebook and it is actually an Apple's service/domain:

Facebook_Block_stops_NTP_Rules_and_Services.pngFacebook_Block_stops_NTP_Log.png

0 Kudos
7 Replies
HeikoAnkenbrand
Champion Champion
Champion
‎2021-03-25 03:12 AM

Hi @Vladimir,

try the following:
1) Create a clone of the service ntp-udp
2) Enable "Protocol Signature"ntp-udp.PNG
3) Use the new service ntp-udp_Clone in the ruleset.

This limits the PSL analysis only to UDP port 123.

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
Vladimir
Champion
Champion
‎2021-03-25 02:18 PM
In response to HeikoAnkenbrand

Thanks @HeikoAnkenbrand , but this does not explain why it was rejected in the first place, which is what I am trying to figure out:)

0 Kudos
PhoneBoy
Admin
Admin
‎2021-03-25 02:59 PM

Going to guess a bad signature got pushed out.

0 Kudos
Vladimir
Champion
Champion
‎2021-03-25 03:01 PM
In response to PhoneBoy

You may want to alert relevant team about his one: either apple or NTP bound to have issues...

0 Kudos
the_rock
Legend
Legend
‎2021-03-25 04:27 PM

Hm...I see your point, thats very odd. Looking at your rule, it only shows app facebook,not any ntp services, so its not very logical as to why it would drop it on that rule. Did this just start happening recently or you ever noticed it before after you created the rule?

 

Andy

0 Kudos
Vladimir
Champion
Champion
‎2021-03-25 04:39 PM
In response to the_rock

Did not see it before, but then thi is a lab setup where I work out some issues for the clients or trying things out for myself. This gem manifested only after said rule was created.

0 Kudos
Avi_Bechor
Employee
Employee
‎2021-04-05 04:04 AM

Hi Vladimir,
I have contacted you in a private message which will help better understand your case. To my current understanding, the NTP detection worked as expected, but more details regarding your case and environment may be needed. Let's continue this offline
Thanks,
Avi

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events
    Top