We have Check Point gateways, and the majority of our logs in Umbrella are from our gateways. How are others managing this? It almost makes the Cisco Umbrella logs unusable, because the gateway is trying to check the DNS to come to a determination if the site is good, which then doubles the logs in Umbrella. We also noticed the updatable objects might be causing increased Umbrella logging as well.
Is anyone else dealing with this or have dealt with this issue between Check Point and Cisco Umbrella?
Logically, it sounds like the best option would be to limit what's being logged on the CP side, i.e. maybe disable logging on certain rules that would be causing this. It's been ages since I worked on Cisco Umbrella, but I don't recall any options to limit something like this on their end.
Andy
The abundance of logging is from the Check Point DNS queries to Umbrella which then creates a log for each DNS request in Umbrella. This is causing the logs within Umbrella to be flooded with CP gateway DNS queries. Hopefully that further clarifies the issue we are seeing. Thanks!
The gateway needs to use DNS for various functions.
You could configure the gateway to use a different DNS resolver, but then you might have issues with things like Updatable Objects.
Can't you just disable logging for queries from the gateway on the Cisco Umbrella side?
We've done this partially via a service account exclusion since some logs from CP were showing up as originating from our CP service account. The next step is entering in IP exclusions, but we have a lot of IPs to enter from our CP deployments.
I didn't know if anyone else is doing this any differently.
To me, that would seem to be the best way.
Andy
For what it's worth, though I have a need to say this now, AI answers should be taken with a grain of salt, but I "ran" your question through ChatGPT, since AI Copilot told me this is not strictly CP related. Below is what I got from ChatGPT.
Andy
**************************
Managing Check Point DNS request logging in Cisco Umbrella typically involves making sure that your DNS traffic — which may originate from Check Point appliances or networks protected by them — is properly redirected to and logged by Cisco Umbrella. Here's how you'd go about setting it up and managing the logging:
To log DNS requests in Cisco Umbrella, you need to ensure that DNS queries from your network are sent to Umbrella's DNS servers:
Cisco Umbrella DNS IPs:
208.67.222.222
208.67.220.220
You need to configure the firewall/NAT rules to intercept and redirect DNS queries (UDP/53 and TCP/53) to Umbrella:
Create a NAT Rule:
Original Source: Internal networks
Original Destination: Any
Original Service: DNS (UDP/TCP 53)
Translated Source: Original
Translated Destination: Cisco Umbrella DNS IPs
Translated Service: Original
Create an Access Control Policy Rule to allow the traffic.
Alternatively, use DNS forwarding if you're running a local DNS server — point it to Cisco Umbrella.
Once DNS traffic is being sent to Umbrella:
Go to Cisco Umbrella Dashboard → Activity Search.
Make sure your policy is set to log all DNS requests, including allowed and blocked ones.
Navigate to Policies → choose your policy → Logging.
Set it to: Log all requests (Full logging)
Use the Activity Search and Reports tabs in Umbrella to:
Monitor DNS requests by source IP, identity, domain, or category.
Export logs if needed.
Optionally, configure Log Export to a SIEM using Umbrella’s Log Exporter or Amazon S3 bucket integration.
Make sure no DNS queries are bypassing Umbrella (e.g., clients using hardcoded DNS).
Enable DNSCrypt or DNS-over-HTTPS (DoH) on compatible clients for security, if required.
In Check Point, use SmartLog or SmartView to verify that DNS traffic is being NAT-ed correctly.
It's certainly working, I've just got too many logs in Umbrella from CP! Thanks again @the_rock !
Well, thank ChatGPT 😉
Hello
What I understand:
Your Check Point gateways are using Umbrella DNS resolvers for DNS.
Your internal network is using its own (internal) DNS servers, which then use Umbrella as "upstream resolver".
In Umbrella both "use cases" are logged (worst, with the same configured "identity" as source IP)?
Depending on your Umbrella subscription, having your internal DNS servers use an Umbrella VA as resolver (which then resolves via Cisco) might be able to differentiate the request sources.
For me, I am doing something similar with a customer: using a pair of Umbrella VAs as internal resolver and letting their gateways speak directly to Umbrella.
At least you can now set a filter on what is interesting to you.
If I got you wrong, please correct me.
Very nice, when you say you're letting the gateways use Umbrella directly do you mean you're setting the gateway DNS servers to Umbrella public IPs? Thanks @Nüüül !
That's what I understood you are already doing 😄
So, as an example:
Gateways are using 208.67.220.220/208.67.222.222 (or for IPv6 2620:119:35::35 / 2620:119:53::53)
- their public IPs are registered as "Network"
Internally there are 2 virtual appliances of Umbrella installed, let's say 10.0.0.35 and 10.0.0.53
- these are registered to the Umbrella account (can be found at "sites and active directory")
- internal servers and so on are using these appliances
With this, gateways can resolve internet destinations via Umbrella and the Umbrella admin can exclude "Network" addresses in their log searches.
Another way would be to use the virtual appliances for your gateways too (depends on how many branches and so on you have), for instance when you need internal name resolving. The VA sends the internal requesting IP with its logs too, so that would be another way to filter.
I hope it is kind of clear what I meant; if not, drop me a DM and we can discuss your needs and so on.
We are using the Cisco Umbrella VAs (CUVA) for everything and are getting too many logs in Umbrella. CP is essentially doubling up everything, since the CUVA is resolving and the gateways are similarly resolving for their protections, from what I understand, as well as everything else CP needs to resolve for updatable objects and the like.
When setting up the gateways to use the Umbrella public resolvers instead of the CUVAs, do you see a reduction in Umbrella logs? I think you would, and I think this is what we might try to do.
Do you know if it's recommended to use a local DNS resolver for the gateways, or does it matter? We've just always used local DNS resolvers, since they're set up at all of our locations via the CUVAs since we deployed Umbrella a couple of years back. Thanks again @Nüüül !
As a baseline, our Cisco rep told us we are using 10x the log storage of any other company our size! This is similar to what we are seeing in Umbrella, because the logs from the gateways are drowning out all the other user logs in the system.
OK, thanks for clarification!
One idea:
Configure an internal network with the internal IPs of your gateways. An example is attached as a screenshot. Now you can set up a DNS policy (or clone your existing one) and match the "identities affected" on the internal network just created, and disable logging or set it to security events only.
Additionally, you might want to have a look at the policy. If you want to have everything running through another filter, especially when logging is disabled, you might run into "strange behaviour" when filtering is active 😉
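Both suggestions in this thread (excluding the gateways' "Network" identities from log searches, and putting the gateways' internal IPs into their own DNS policy with logging reduced to security events only) come down to the same thing: separate gateway-originated queries from user queries by identity or internal IP, then decide what to keep. The following Python script is an added example, not code from the thread or from Cisco or Check Point. It parses a constructed, Umbrella-style DNS activity CSV (the column order is an assumption made for this example, not the vendor's documented export schema), measures what share of the volume the gateway identities generate, and produces the filtered view in which only the gateways' blocked queries survive.

```python
"""Quantify how much of a DNS activity log comes from firewall-gateway
identities and build the filtered view a defender would actually review.

Assumed CSV layout (constructed for this example):
timestamp, identity, internal IP, external IP, action, query type,
response code, domain
"""
import csv
import io
from collections import Counter
from ipaddress import ip_address, ip_network

FIELDS = ["timestamp", "identity", "internal_ip", "external_ip",
          "action", "qtype", "rcode", "domain"]

# Constructed sample: two gateways registered as "Network" identities
# (public addresses from the 203.0.113.0/24 documentation range) and two
# user PCs whose queries arrive via an internal Umbrella VA, so their
# internal IP is private while the external IP is the gateway's.
SAMPLE_LOG = """\
2025-09-01 10:00:01,GW-Site-A,203.0.113.10,203.0.113.10,Allowed,A,NOERROR,updates.example.com
2025-09-01 10:00:01,GW-Site-A,203.0.113.10,203.0.113.10,Allowed,A,NOERROR,example.org
2025-09-01 10:00:02,GW-Site-B,203.0.113.20,203.0.113.20,Allowed,AAAA,NOERROR,example.org
2025-09-01 10:00:02,PC-alice,10.0.1.15,203.0.113.10,Allowed,A,NOERROR,example.org
2025-09-01 10:00:03,PC-bob,10.0.1.16,203.0.113.20,Blocked,A,NXDOMAIN,malware-test.invalid
2025-09-01 10:00:04,GW-Site-B,203.0.113.20,203.0.113.20,Allowed,A,NOERROR,api.example.net
2025-09-01 10:00:05,GW-Site-A,203.0.113.10,203.0.113.10,Blocked,A,NXDOMAIN,bad.invalid
"""

# Hypothetical gateway identities and address ranges (placeholders).
GATEWAY_IDENTITIES = {"GW-Site-A", "GW-Site-B"}
GATEWAY_NETWORKS = [ip_network("203.0.113.0/24")]


def parse_log(text):
    """Parse CSV text into a list of dicts keyed by FIELDS."""
    reader = csv.DictReader(io.StringIO(text), fieldnames=FIELDS)
    return [row for row in reader if row["timestamp"]]


def is_gateway(record, identities, networks):
    """True when the record's identity is a registered gateway identity or
    its *internal* IP sits in a gateway range. The external IP is not used:
    VA-forwarded user queries share the gateway's public address."""
    if record["identity"] in identities:
        return True
    try:
        addr = ip_address(record["internal_ip"])
    except ValueError:
        return False
    return any(addr in net for net in networks)


def filter_log(records, identities, networks, security_events_only=True):
    """Drop gateway records. With security_events_only=True, gateway records
    that were blocked are kept, mirroring a 'security events only' policy."""
    kept = []
    for rec in records:
        if not is_gateway(rec, identities, networks):
            kept.append(rec)
        elif security_events_only and rec["action"].lower() == "blocked":
            kept.append(rec)
    return kept


def summarize(records, identities, networks):
    """Counts showing how much of the volume the gateways generate."""
    gw = sum(1 for r in records if is_gateway(r, identities, networks))
    total = len(records)
    return {
        "total": total,
        "gateway": gw,
        "gateway_share": round(gw / total, 2) if total else 0.0,
        "per_identity": dict(Counter(r["identity"] for r in records)),
    }


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(summarize(recs, GATEWAY_IDENTITIES, GATEWAY_NETWORKS))
    for r in filter_log(recs, GATEWAY_IDENTITIES, GATEWAY_NETWORKS):
        print(r["timestamp"], r["identity"], r["action"], r["domain"])
```

Run against a real export, the `gateway_share` figure is the number to bring to the storage discussion, and the per-identity counter shows which gateways dominate. Matching on the internal IP rather than the external IP is deliberate: when users resolve through a VA behind the same gateway, the external address is identical for both kinds of query, so an exclusion keyed on public IP alone would hide user activity as well.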
Very nice! I like that as another option to the exclusions list you can create. Thanks for taking the time to write that out, much appreciated.
It would be nice to hear why you are using Cisco's Umbrella. A lot of the features of Umbrella are also available from Check Point. What are your goals in running with Umbrella?
Hybrid workforce and easy integration mainly for our use case; we use Cisco AnyConnect via Cisco Secure Client and Umbrella integrates easily with that Cisco RA VPN solution. Assets on premise could be covered by CP but we don't utilize the Harmony endpoint products with CP.
@Heath Just curious, how do you like Cisco Umbrella? I personally never used it myself..
Andy
I really don't have anything to compare it to, but it's been easy to work with and set up. That's actually one product that Cisco has actually integrated well with other products, like the Secure Client agent. This was a big win for us.
K, fair enough, thank you!
Andy