Re: How to match MQTT Protocol and an AWS site

Trevor_Bruss · ‎2020-05-13

We're trying to allow traffic to a specific AWS site, which unfortunately resolves to several IP addresses and none of which we can control therefore they are dynamic. Initially, we tried creating a Custom Application/Site for this, but that appears to want to match on Web Service traffic. So then we added port 1883 to the "Web Services" that Application Control blade uses. It still isn't matching on our rule which is a source being internal networks, destination is Any, and Services and Applications is this custom app. I'm guessing that won't work as this really isn't "web" traffic in the sense it is not http or https but on a non-standard port.

I see Checkpoint has an application for MQTT Protocol, but I don't know if I want to allow that protocol for Every destination. Is there a way to do this without having to use Dynamic Domain objects in the destination? That is, I want to define an application that goes to specific URL names but the protocol (port) needs to match the MQTT Protocol.

PhoneBoy · ‎2020-05-14

Screenshots of what you did?
Does the URL in question contain the port?

Trevor_Bruss · ‎2020-05-14

Here is an example of the test we can run to determine connectivity.

Here is the rule:

Source is our internal network. And this is what we have for this specific application defined inside of the Everybody_Allowed application group.

I tried multiple things, first of which was to add a service defined for TCP-8883 to the Web Browsing services in the Application Contol and URL Filtering advanced settings. That didn't appear to help. I couldn't find an application for MQTT over TLS but I did see one for MQTT (port 1883) with an application signature. I tried to clone that and specify a different port, but that didn't work likely because it wasn't matching the original application signature.

As this is not normal HTTP/s traffic but is a separate protocol for IoT devices wrapped in a TLS connection (at least that is my understanding of how you can secure MQTT). I wasn't sure if I could define this in a custom application as I've seen other people post on defining an app that doesn't use the default Web Services. Are you suggesting I try adding the port 8889 to the end of the AWS URL in my URL list?

I'm trying to determine how to open all the IPs behind this first AWS Iot URL in the list above, but without having to use some form of dynamic name which requires a reverse lookup. I also don't want to just open the port 8883 to all destinations, which I know will work but seems like the brute method.

PhoneBoy · ‎2020-05-14

If this is not for HTTP/HTTPS traffic, a custom application/site as you've created won't work.
Instead, create an FQDN Domain object which resolves based on forward DNS and use a simple TCP service to allow the relevant traffic.

Trevor_Bruss · ‎2020-05-14

Are there any concerns with using an FQDN Domain object as there were in the past with it consuming resources? I thought every time it gets to the rule it needs to do a DNS lookup? We're running R80.20SP on our gateways.

PhoneBoy · ‎2020-05-14

The main problem in the past was the lack of SecureXL acceleration for Domain objects.
This has been resolved since R80.10.
There will be some additional lookups from the gateways but beyond that, not aware of any specific performance issues.

Darren_Fine · ‎2023-05-25

Hi Trevor_Bruss,

I am trying to assist a customer who wants to limit particular string being published via MQTT protocol.

That string has the test "cloud" in it .

I have tried the attached:

But doesnt seem to block anything.

Not sure if anyone knows how I could achieve this ?

Maybe via IPS or something ?

Let me know

Thanks

Are you a member of CheckMates?

How to match MQTT Protocol and an AWS site