HristoGrigorov

Block unknown protocol

Forgive me for the probably idiotic question, but what is the best way to block this:

 
 

unknproto.PNG

 

Chris_Atkinson
Employee

 

Depending on the specifics, you may wish to explore the TCP service advanced options further, e.g.

Protocol Signature - A unique signature created by Check Point for each protocol and stored on the gateway. The signature identifies the protocol as genuine. Select this option to limit the port to the specified protocol.

Refer: https://community.checkpoint.com/t5/General-Topics/Protocol-Signatures/m-p/54945

CCSM R77/R80/ELITE
HeikoAnkenbrand
Champion

Protocol signatures are used in part of PSL/PXL.

Packets may arrive out of order or may be legitimate retransmissions of packets that have not yet received an acknowledgment. In some cases a retransmission may also be a deliberate attempt to evade IPS detection by sending the malicious payload in the retransmission. Security Gateway ensures that only valid packets are allowed to proceed to destinations. It does this with Passive Streaming Library (PSL) technology.

If you set the protocol it will be analyzed by PSL/PXL to specify the protocol type such as http, ftp, imap, etc. 

Read more here:

R80.x Security Gateway Architecture (Content Inspection)

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
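
The retransmission check described in the reply above, as an added illustration that is not part of the original thread and is not Check Point's PSL code: a first-seen-wins reassembler that accepts out-of-order segments and identical retransmissions but flags a retransmission whose bytes differ from the original. `StreamTracker`, `demo` and the sample segments are constructed for this example.

```python
# Added illustration (not Check Point PSL code): first-seen-wins reassembly
# that flags retransmissions carrying different bytes than the original.
from dataclasses import dataclass, field


@dataclass
class StreamTracker:
    """One direction of one TCP connection (hypothetical helper)."""
    isn: int                                  # initial sequence number (SYN)
    seen: dict = field(default_factory=dict)  # stream offset -> first byte seen

    def add_segment(self, seq: int, payload: bytes) -> str:
        """Return 'new', 'retransmit' (same bytes) or 'conflict'."""
        # Offset from ISN+1 (the SYN uses one number); mod 2**32 for wraparound.
        base = (seq - self.isn - 1) % 2**32
        overlap = conflict = False
        for i, b in enumerate(payload):
            off = base + i
            if off in self.seen:
                overlap = True
                if self.seen[off] != b:
                    conflict = True           # keep the first copy
            else:
                self.seen[off] = b
        if conflict:
            return "conflict"
        return "retransmit" if overlap else "new"

    def reassembled(self) -> bytes:
        """Contiguous stream from offset 0, built from first-seen bytes."""
        out = bytearray()
        while len(out) in self.seen:
            out.append(self.seen[len(out)])
        return bytes(out)


def demo():
    """Run constructed sample segments; returns (verdicts, stream)."""
    t = StreamTracker(isn=1000)
    segments = [                      # constructed (seq, payload) pairs
        (1001, b"GET /a"),            # in order
        (1013, b"HTTP/1.1"),          # arrives early (out of order)
        (1007, b".html "),            # fills the gap
        (1007, b".html "),            # legitimate retransmission
        (1007, b".HTML "),            # same range, different bytes
    ]
    return [t.add_segment(s, p) for s, p in segments], t.reassembled()


if __name__ == "__main__":
    print(demo())
```

A segment that only partly overlaps earlier data with matching bytes is reported as `retransmit`; a production reassembler would also bound the buffer to the receive window.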
PhoneBoy
Admin

What about using the Application Control signature "Unknown Traffic" in a drop rule?
HristoGrigorov

Yeah, I am sorry I forgot to follow up.

I added both the Unknown Traffic application signature and the Unknown Traffic application category to a drop rule and that sorted out this issue.

Thank you all for your recommendations.
