This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Trevor_Bruss
Contributor
‎2020-05-13 09:14 AM

How to match MQTT Protocol and an AWS site

We're trying to allow traffic to a specific AWS site, which unfortunately resolves to several IP addresses and none of which we can control therefore they are dynamic. Initially, we tried creating a Custom Application/Site for this, but that appears to want to match on Web Service traffic. So then we added port 1883 to the "Web Services" that Application Control blade uses. It still isn't matching on our rule which is a source being internal networks, destination is Any, and Services and Applications is this custom app. I'm guessing that won't work as this really isn't "web" traffic in the sense it is not http or https but on a non-standard port.

 

I see Checkpoint has an application for MQTT Protocol, but I don't know if I want to allow that protocol for Every destination. Is there a way to do this without having to use Dynamic Domain objects in the destination? That is, I want to define an application that goes to specific URL names but the protocol (port) needs to match the MQTT Protocol.

0 Kudos
6 Replies
PhoneBoy
Admin
Admin
‎2020-05-14 11:02 AM

Screenshots of what you did?
Does the URL in question contain the port?
0 Kudos
Trevor_Bruss
Contributor
‎2020-05-14 11:45 AM
In response to PhoneBoy

Here is an example of the test we can run to determine connectivity.

Test-AWS.PNG

Here is the rule:

Allow-rule.png

Source is our internal network. And this is what we have for this specific application defined inside of the Everybody_Allowed application group.

Fleet.PNG

 

I tried multiple things, first of which was to add a service defined for TCP-8883 to the Web Browsing services in the Application Contol and URL Filtering advanced settings. That didn't appear to help. I couldn't find an application for MQTT over TLS but I did see one for MQTT (port 1883) with an application signature. I tried to clone that and specify a different port, but that didn't work likely because it wasn't matching the original application signature.

 

As this is not normal HTTP/s traffic but is a separate protocol for IoT devices wrapped in a TLS connection (at least that is my understanding of how you can secure MQTT). I wasn't sure if I could define this in a custom application as I've seen other people post on defining an app that doesn't use the default Web Services. Are you suggesting I try adding the port 8889 to the end of the AWS URL in my URL list?

 

I'm trying to determine how to open all the IPs behind this first AWS Iot URL in the list above, but without having to use some form of dynamic name which requires a reverse lookup. I also don't want to just open the port 8883 to all destinations, which I know will work but seems like the brute method.

 

0 Kudos
PhoneBoy
Admin
Admin
‎2020-05-14 12:43 PM
In response to Trevor_Bruss

If this is not for HTTP/HTTPS traffic, a custom application/site as you've created won't work.
Instead, create an FQDN Domain object which resolves based on forward DNS and use a simple TCP service to allow the relevant traffic.
0 Kudos
Trevor_Bruss
Contributor
‎2020-05-14 12:47 PM
In response to PhoneBoy

Are there any concerns with using an FQDN Domain object as there were in the past with it consuming resources? I thought every time it gets to the rule it needs to do a DNS lookup? We're running R80.20SP on our gateways.

0 Kudos
PhoneBoy
Admin
Admin
‎2020-05-14 12:51 PM
In response to Trevor_Bruss

The main problem in the past was the lack of SecureXL acceleration for Domain objects.
This has been resolved since R80.10.
There will be some additional lookups from the gateways but beyond that, not aware of any specific performance issues.
0 Kudos
Darren_Fine
Collaborator
‎2023-05-25 02:31 AM
In response to Trevor_Bruss

Hi Trevor_Bruss,

 

I am trying to assist a customer who wants to limit  particular string being published via MQTT protocol.

That string has the test "cloud" in it . 

 

I have tried the attached:

 

But doesnt seem to block anything.

 

Not sure if anyone knows how I could achieve this ?

 

Maybe via IPS or something ?

Let me know

Thanks

 

 

 

 

 

 

 

 

Preview file
26 KB
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events