Good morning all
A quick question for you all.
When does the reverse DNS lookup of an IP address occur with regard to the logs?
To be very specific, I'm talking about an IP address that has no object associated with it in the SMS database, in an environment that does not have Identity Awareness enabled.
I've got a specific question with regard to this that may help explain my question further:
Environment has the following basic Setup:
Traffic Flow
Client Laptop ==> Internet Raw ==> External Firewall (NON Check Point) ==> DMZ VPN Concentrator (NON Check Point) ==> A-GW Internal Check Point R81.20 ==> "Internal LAN"
(Of note, the Active Directory DCs and the SMS reside in the "Internal LAN".)
The client dials in to the DMZ VPN Concentrator and is given a "Client DMZ IP" 192.168.0.X (reminder: this is NOT a Check Point device and doesn't have logs that I as the CP admin can access).
That "Client DMZ IP" 192.168.0.X is part of a Network Object (DMZ_Client_VPN_Range - 192.168.0.0/24) on the firewall, so the only object in the SMS database is that network.
There are Rules on the Policy that allow Traffic from the above Network Object (DMZ_Client_VPN_Range - 192.168.0.0/24) to a variety of servers on the "Internal Network" especially the AD DC servers.
All DNS settings on all devices point to the AD DC Servers as they are all DNS servers.
When I as a SMS Admin look at the logs, the source of the traffic flowing through A-GW shows up and has had a reverse lookup done on it.
Where, and more importantly WHEN, is that DNS reverse lookup performed?
The reason I ask is that since the DMZ VPN Concentrator is able to give out IPs as it needs to, I need to understand where the log gets the info from, and whether it changes depending on when I look at the logs:
Is it written into the Log by the Gateway, or the SMS upon arrival of the Log file from the Gateway?
Is it looked up the first time I look at the logs but then stored to the log file? Thus, if I look at a log for the first time 24 hours after the entry was taken, will it show me the last computer to have had that IP address, which is not necessarily the one that made the entry?
Is it looked up whenever I view the logs and as such could change as the DNS entry is updated?
I know the solution is to get Identity Awareness and I plan on pushing that (again!), but in the meantime, a bit of understanding would assist a lot!
Thanks!
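Added example (not part of the original post, and not a statement of how Check Point's log server actually behaves): a small Python simulation of the three lookup strategies the question lists, run against a constructed PTR history in which the VPN pool address 192.168.0.23 is re-issued to a new laptop twice after the log entry is written. The PTR table, timestamps and hostnames are all made up; `resolve_ptr` stands in for a real reverse lookup so the script runs offline.

```python
"""Added example: how the timing of a reverse DNS lookup changes the
hostname a log viewer shows for a dynamically assigned VPN pool IP.
All data below is constructed; nothing here queries a real DNS server."""

from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed PTR history: (effective_from_epoch, hostname the AD DNS would
# answer for the address from that moment on).  The same pool IP is re-issued
# to two other laptops after the log entry of interest is written.
PTR_HISTORY: Dict[str, List[Tuple[int, str]]] = {
    "192.168.0.23": [
        (0,     "laptop-alice.corp.example"),   # holds the lease at log time
        (3600,  "laptop-bob.corp.example"),     # lease re-issued 1h later
        (90000, "laptop-carol.corp.example"),   # re-issued again ~25h later
    ]
}


def resolve_ptr(ip: str, at: int) -> str:
    """Stand-in for a reverse lookup (hypothetical resolver): returns the PTR
    the DNS would have answered at time `at`, or the bare IP if unknown."""
    name = ip
    for effective_from, host in PTR_HISTORY.get(ip, []):
        if effective_from <= at:
            name = host
    return name


@dataclass
class LogEntry:
    ts: int                       # when the gateway wrote the entry
    src_ip: str
    src_name: Optional[str] = None  # only filled when a strategy pins the name


class LogStore:
    """Minimal log store parameterised by where the reverse lookup happens:
    'ingest'     - resolved when the entry is written (the gateway/SMS case)
    'first_view' - resolved the first time someone views it, then stored
    'every_view' - resolved afresh on every view, never stored"""

    def __init__(self, strategy: str) -> None:
        if strategy not in ("ingest", "first_view", "every_view"):
            raise ValueError(f"unknown strategy {strategy!r}")
        self.strategy = strategy
        self.entries: List[LogEntry] = []

    def ingest(self, ts: int, src_ip: str) -> None:
        entry = LogEntry(ts, src_ip)
        if self.strategy == "ingest":
            # Pin the name using the clock of the event itself.
            entry.src_name = resolve_ptr(src_ip, ts)
        self.entries.append(entry)

    def view(self, now: int) -> List[Tuple[int, str, str]]:
        """Render entries as (event_ts, src_ip, src_name) as seen at time `now`."""
        rows = []
        for e in self.entries:
            if self.strategy == "ingest":
                name = e.src_name or e.src_ip
            elif self.strategy == "first_view":
                if e.src_name is None:        # look up once, using the viewer's clock
                    e.src_name = resolve_ptr(e.src_ip, now)
                name = e.src_name
            else:                             # every_view
                name = resolve_ptr(e.src_ip, now)
            rows.append((e.ts, e.src_ip, name))
        return rows


def compare_strategies(log_ts: int, first_view: int, second_view: int,
                       ip: str = "192.168.0.23") -> Dict[str, Tuple[str, str]]:
    """For each strategy, return the source name shown at the first and the
    second viewing of a single entry written at `log_ts`."""
    result = {}
    for strategy in ("ingest", "first_view", "every_view"):
        store = LogStore(strategy)
        store.ingest(log_ts, ip)
        first = store.view(first_view)[0][2]
        second = store.view(second_view)[0][2]
        result[strategy] = (first, second)
    return result


if __name__ == "__main__":
    # Entry written at t=100 (alice), first viewed at t=7200 (bob now holds
    # the IP), viewed again at t=100000 (carol now holds it).
    for strategy, (a, b) in compare_strategies(100, 7200, 100000).items():
        print(f"{strategy:<10} first view: {a:<28} second view: {b}")
```

Only the ingest-time strategy keeps pointing at the laptop that actually generated the event; the other two attribute it to whoever holds the pool address when the viewer happens to look. For incident work on a dynamically addressed range, that is the property to confirm for the real log pipeline, or to substitute with identity data (the Identity Awareness route the post mentions).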