cancel
Showing results for 
Search instead for 
Did you mean: 
Post a Question

Threat Prevention dns trap and resource categorization

Hey Checkmates

I would like to share with you about the dns trap feature available on the threat prevention software blade.

We actually configure this feature on every profile we create , but looking at the log there is something that at the moment I don't understand.

According to the following sk no matter you select on the engine settings for the threat prevention some kind of traffic will go in background due to traffic latency.

Resource Categorization for Anti-Bot / Anti-Virus DNS Settings optimization 

My doubt is that regarding the following log should dns trap avoid this kind of connection redirecting the dns name to the bogus ip?

At the moment we did not have an entry log for the bogus dns trap ip related to this traffic.

Is the only way to avoid such connection to modify the following file on the security gateway?

$FWDIR/conf/malware_config


Thanks in advance

7 Replies

Re: Threat Prevention dns trap and resource categorization

Correct, as described in Why Anti-Bot and Anti-Virus connections may be allowed even in Prevent mode , the only way to make sure all malicious connections are prevented is to change "background" mode to "hold" or "custom" where you could configure action per service.

The trade off here is security vs connectivity. Even your legitimate traffic will be hold till classification is complete. That might introduce some internet connectivity lags and affect end users in  a negative way.

By the way, if you are using R80.10, you could configure online Web service options not per GW but on the management in a threat prevention profile

0 Kudos

Re: Threat Prevention dns trap and resource categorization

Thank you Valeri fo the clarification

Re: Threat Prevention dns trap and resource categorization

How many people do you know that actually run with any of the Threat Prevention blades set to "HOLD"?  I have been trying to ask various people both in Checkpoint and other contacts if they actually do that because I have found with it set to background, that 80% of threats that might be identified, are not blocked.   Also what if any, is the increased latency that clients may see?

0 Kudos

Re: Threat Prevention dns trap and resource categorization

I am not sure I follow your line of arguments. 

0 Kudos

Re: Threat Prevention dns trap and resource categorization

You stated "the only way to make sure all malicious connections are prevented is to change "background" mode to "hold" ".   I was trying to ask how many people(customers) do you know that have actually changed this setting to HOLD mode?   How do they find the latency - is there any increased latency and were they able to live with it or did they set it back to background mode and therefore these threats/malware that may be identified is no longer blocked.

Re: Threat Prevention dns trap and resource categorization

You do understand that we are talking about file transfer here, correct? So, latency in your case means file transmission delay, not overall Internet latency. 

Also, did you read by the link to SK I have mentioned? Meaning of Hold option is explained there.

For your information, Check Point is using SandBlast agent with Hold action for Threat Extraction on the corporate laptops. We are talking about several thousands of users, as far as I know.

I can attest that the experience is not as smooth as one could hope, but not bad either. It is a matter of organization policy. The trade-off here is about business critical connectivity vs security. Although that balance is never ideal, one can find reasonable and generally acceptable compromise there. Depending on what is more important for your business and its security.

Re: Threat Prevention dns trap and resource categorization

Now, let's take your statement here:

  How do they find the latency - is there any increased latency and were they able to live with it or did they set it back to background mode and therefore these threats/malware that may be identified is no longer blocked.

I would like to clarify something very important. Background option does not mean that ll malware will be passed through. Only if classification is taking more time than file transfer, i.e for totally unknown & first seen zero day, that will be the case. Once it is emulated and fingerprinted, it will be caught in transfer and blocked.

Also, I am not sure why you are trying to present the case in a binary mode: no security or no connectivity. Background mode has a decent catch rate although some unknown things can sneak in before emulation is complete. Hold mode means some bigger delays with file transfer for content that cannot be immediately classified. There is also tons of "in between" here, with Custom option, and depending on your specific needs, there is always a way.