Platinum

Block unknown protocol

Forgive me for the probably idiotic question, but what is the best way to block this:

 
 

unknproto.PNG

 

Employee++

 

Depending on the specifics, you may wish to explore TCP service advanced options further, e.g.:

Protocol Signature - A unique signature created by Check Point for each protocol and stored on the gateway. The signature identifies the protocol as genuine. Select this option to limit the port to the specified protocol.

Refer: https://community.checkpoint.com/t5/General-Topics/Protocol-Signatures/m-p/54945

Highlighted

Protocol signatures are used in part of PSL/PXL.

Packets may arrive out of order or may be legitimate retransmissions of packets that have not yet received an acknowledgment. In some cases a retransmission may also be a deliberate attempt to evade IPS detection by sending the malicious payload in the retransmission. Security Gateway ensures that only valid packets are allowed to proceed to destinations. It does this with Passive Streaming Library (PSL) technology.

If you set the protocol, it will be analyzed by PSL/PXL to specify the protocol type, such as http, ftp, imap, etc.

Read more here:

R80.x Security Gateway Architecture (Content Inspection)

Admin

What about using the Application Control signature "Unknown Traffic" in a drop rule?
Platinum

Yeah, I am sorry I forgot to follow up.

I added both the Unknown Traffic application signature and the Unknown Traffic application category to a drop rule, and that sorted out this issue.

Thank you all for your recommendations.
