Juraj_Skalny
Contributor

DNS Trap Protection

Hello Guys,

I would like to follow up on the following posts:

https://community.checkpoint.com/t5/Logging-and-Reporting/Threat-Prevention-dns-trap-and-resource-ca...

https://community.checkpoint.com/t5/IPS-Anti-Virus-Anti-Bot-Anti/Some-DNS-request-not-block-by-AV-bl...

What we would like to find out is how long the firewall keeps the information about a malicious domain in its cache.

The DNS request is changed to a Bogus IP by the firewall as long as the malicious domain is in the cache.

The problem we see is that the cache may be too short, as "Connection was allowed because background classification mode was set. See sk74120 for more information." appears in the logs too often for the same malicious domain.

We would expect to see this classification event once and then lots of changes to the Bogus IP. But that is not the case.

There is no documentation on CP covering this information or how to change it, or we have just overlooked it.

In our understanding, this way lots of malicious activities are allowed only because the firewall needs to let DNS resolution requests through, since those need to be classified first, over and over again.

Thanks and regards,

 

Juraj
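One way to measure what the post describes from your own logs, as an added example that is not part of the original post or of any Check Point tool: group events per domain, count how often a domain was allowed for background classification versus redirected to the Bogus IP, and take the shortest gap between two classification events of the same domain as an upper bound on how long it stayed cached. The sample lines and the key=value layout are constructed here (Check Point's real export format differs); only the allow-reason text is the message quoted above, and "Bogus-IP" is a placeholder marker of our own.

```python
import shlex
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in a simplified key=value layout (not Check Point's export
# format); the allow-reason text is the message quoted in the post, "Bogus-IP" is our marker.
SAMPLE_LOGS = """\
time=2023-05-01T10:00:00 domain=bad.example action=Accept reason="Connection was allowed because background classification mode was set. See sk74120 for more information."
time=2023-05-01T10:00:04 domain=bad.example action=Bogus-IP
time=2023-05-01T10:05:10 domain=bad.example action=Accept reason="Connection was allowed because background classification mode was set. See sk74120 for more information."
time=2023-05-01T10:05:12 domain=bad.example action=Bogus-IP
time=2023-05-01T10:06:00 domain=good.example action=Accept
time=2023-05-01T10:11:20 domain=bad.example action=Accept reason="Connection was allowed because background classification mode was set. See sk74120 for more information."
"""
CLASSIFY_MSG = "background classification mode was set"

def parse_line(line):
    """One key=value line -> dict; shlex keeps quoted values (with spaces) intact."""
    fields = dict(token.partition("=")[::2] for token in shlex.split(line))
    fields["time"] = datetime.fromisoformat(fields["time"])
    return fields

def summarize(log_text):
    """Per domain: classification (allow) events, trap events, and a cache-age bound."""
    per_domain = defaultdict(lambda: {"classified": [], "trapped": 0})
    for raw in log_text.strip().splitlines():
        rec = parse_line(raw)
        entry = per_domain[rec["domain"]]
        if CLASSIFY_MSG in rec.get("reason", ""):
            entry["classified"].append(rec["time"])
        elif rec["action"] == "Bogus-IP":
            entry["trapped"] += 1
    result = {}
    for domain, entry in per_domain.items():
        times = sorted(entry["classified"])
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        result[domain] = {
            "classified": len(times),
            "trapped": entry["trapped"],
            # shortest gap between two classifications of the same domain: it had
            # already left the cache by then, so this bounds the cache age from above
            "max_cache_age_s": min(gaps) if gaps else None,
        }
    return result

def repeatedly_classified(summary, min_events=2):
    """Domains the post worries about: allowed for classification more than once."""
    return sorted(d for d, s in summary.items() if s["classified"] >= min_events)
```

Run it against an export of your own DNS Trap and Anti-Bot logs after mapping the field names; a domain that shows up in `repeatedly_classified` with a small `max_cache_age_s` is exactly the short-cache behaviour the post describes.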
