Block unknown protocol
Forgive me for the probably idiotic question, but what is the best way to block this:
Depending on the specifics, you may wish to explore TCP service advanced options further, e.g.:
Protocol Signature - A unique signature created by Check Point for each protocol and stored on the gateway. The signature identifies the protocol as genuine. Select this option to limit the port to the specified protocol.
Refer: https://community.checkpoint.com/t5/General-Topics/Protocol-Signatures/m-p/54945
Protocol signatures are used in part of PSL/PXL.
Packets may arrive out of order or may be legitimate retransmissions of packets that have not yet received an acknowledgment. In some cases a retransmission may also be a deliberate attempt to evade IPS detection by sending the malicious payload in the retransmission. Security Gateway ensures that only valid packets are allowed to proceed to destinations. It does this with Passive Streaming Library (PSL) technology.
If you set the protocol, it will be analyzed by PSL/PXL to specify the protocol type, such as HTTP, FTP, IMAP, etc.
Read more here:
R80.x Security Gateway Architecture (Content Inspection)
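An added example, not part of the post above and not Check Point's PSL code: a minimal Python sketch of the behaviour the quoted passage describes, where out-of-order segments are held until the gap fills, byte-identical retransmissions are tolerated, and a retransmission whose content differs from bytes already seen is rejected. The class name, verdict strings and sample segments are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class StreamChecker:
    """One direction of a TCP flow, indexed by relative sequence number."""
    next_seq: int = 0                             # next in-order byte to release
    seen: dict = field(default_factory=dict)      # offset -> byte already observed
    stream: bytearray = field(default_factory=bytearray)  # bytes released in order

    def feed(self, seq: int, payload: bytes) -> str:
        fresh = False
        for i, b in enumerate(payload):
            old = self.seen.get(seq + i)
            if old is None:
                fresh = True
            elif old != b:
                return "conflict"        # same offsets, different content: reject whole segment
        if not fresh:
            return "retransmission"      # byte-identical duplicate, nothing new to inspect
        self.seen.update((seq + i, b) for i, b in enumerate(payload))
        before = self.next_seq
        while self.next_seq in self.seen:  # release every byte that is now contiguous
            self.stream.append(self.seen[self.next_seq])
            self.next_seq += 1
        return "delivered" if self.next_seq > before else "buffered"

# Constructed sample: (relative sequence number, payload) in arrival order.
SEGMENTS = [
    (0, b"GET /index"),
    (16, b"HTTP/1.1\r\n"),   # arrives before the gap at 10..15 is filled
    (10, b".html "),         # fills the gap
    (0, b"GET /index"),      # legitimate retransmission
    (4, b"/admin"),          # "retransmission" that rewrites bytes already seen
]

def replay(segments):
    checker = StreamChecker()
    verdicts = [checker.feed(seq, data) for seq, data in segments]
    return verdicts, bytes(checker.stream)

if __name__ == "__main__":
    verdicts, stream = replay(SEGMENTS)
    for (seq, data), verdict in zip(SEGMENTS, verdicts):
        print(f"seq={seq:<3} {data!r:<18} {verdict}")
    print("inspected stream:", stream)
```

A production reassembler would also bound the buffer and handle sequence-number wraparound; both are left out of this sketch.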
Yeah, I am sorry I forgot to follow up.
I added both Unknown Traffic application signature and Unknown Traffic application category to a drop rule and that sorted out this issue.
Thank you all for your recommendations.
