Block IP but not FQDN

h2k · ‎2021-12-15

Hi Checkmates,

Can we block the network traffic to the IP, but allow if the traffic is pointing to a FQDN?

The idea here is to block the scanners looking for public IPs for open ports.

If so, ho can we achieve that ? The software version used here is R80.40

Thanks,

Hari

Bob_Zimmerman · ‎2021-12-15

There's not a way to do that, no. Connections are always to an IP address. The firewall can't tell if somebody else got the IP address by picking a number or by looking up a name.

You could set up canary ports or addresses. For example, if a client out on the Internet tries to connect to port 80 when you only offer HTTPS, block them for some period of time. Or reserve an IP at the end of your address range and declare it will never be used, and never put in DNS. Then if a client tries to connect, you know it's a scan and you can block them. They will get results until they hit the canary, but that's probably not avoidable.

h2k · ‎2021-12-15

Thanks! Do we have any other best practices to detect and block the suspicious traffic?

Wolfgang · ‎2021-12-15

You can use SmartEvent to block those scanners. There is a protection available to block scanners for time x if detected.

h2k · ‎2021-12-15

Thanks! What are the best practices to implement SmartEvent within Checkpoint?

Are you a member of CheckMates?

Block IP but not FQDN