This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
HristoGrigorov
Mentor
Mentor
‎2020-05-21 08:51 AM

Block unknown protocol

Forgive me the probably idiotic question but what is the best way to block this:

 
 

unknproto.PNG

 

0 Kudos
4 Replies
Chris_Atkinson
Employee Employee
Employee
‎2020-05-21 10:44 PM

 

Depending on the specifics you may wish to explore TCP service advanced options further e.g.

Protocol Signature - A unique signature created by Check Point for each protocol and stored on the gateway. The signature identifies the protocol as genuine. Select this option to limit the port to the specified protocol.

Refer: https://community.checkpoint.com/t5/General-Topics/Protocol-Signatures/m-p/54945

CCSM R77/R80/ELITE
HeikoAnkenbrand
Champion Champion
Champion
‎2020-05-21 11:08 PM

Protocol signatures are used in part of PSL/PXL.

Packets may arrive out of order or may be legitimate retransmissions of packets that have not yet received an acknowledgment. In some cases a retransmission may also be a deliberate attempt to evade IPS detection by sending the malicious payload in the retransmission. Security Gateway ensures that only valid packets are allowed to proceed to destinations. It does this with Passive Streaming Library (PSL) technology.

If you set the protocol it will be analyzed by PSL/PXL to specify the protocol type such as http, ftp, imap, etc. 

More read here:

R80.x Security Gateway Architecture (Content Inspection)

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
PhoneBoy
Admin
Admin
‎2020-05-24 09:33 PM

What about using the Application Control signature "Unknown Traffic" in a drop rule?
HristoGrigorov
Mentor
Mentor
‎2020-05-24 09:39 PM
In response to PhoneBoy

Yeah, I am sorry I forgot to follow up.

I added both Unknown Traffic application signature and Unknown Traffic application category to a drop rule and that sorted out this issue. 

Thank you all for your recommendations.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events