Heath
Collaborator
How do you manage Check Point DNS requests logging in Cisco Umbrella

We have Check Point gateways, and the majority of our logs in Umbrella are from our gateways. How are others managing this? It almost makes the Cisco Umbrella logs unusable, because the gateway queries DNS to determine whether a site is good, which then doubles the logs in Umbrella. We also noticed the Updatable Objects might be causing increased Umbrella logging as well.

Is anyone else dealing with this or have dealt with this issue between Check Point and Cisco Umbrella?

20 Replies
the_rock
Legend
Legend

Logically, it sounds like the best option would be to limit what's being logged on the CP side, i.e. maybe disable logging on certain rules that would be causing this. It's been ages since I worked on Cisco Umbrella, but I don't recall any options to limit something like this on their end.

Andy

Heath
Collaborator

The abundance of logging is from the Check Point DNS queries to Umbrella which then creates a log for each DNS request in Umbrella. This is causing the logs within Umbrella to be flooded with CP gateway DNS queries. Hopefully that further clarifies the issue we are seeing. Thanks!

PhoneBoy
Admin
Admin

The gateway needs to use DNS for various functions.
You could configure the gateway to use a different DNS resolver, but then you might have issues with things like Updatable Objects.

Can't you just disable logging for queries from the gateway on the Cisco Umbrella side?

Heath
Collaborator

We've done this partially via a service account exclusion since some logs from CP were showing up as originating from our CP service account. The next step is entering in IP exclusions, but we have a lot of IPs to enter from our CP deployments.

I didn't know if anyone else is doing this any differently.

the_rock
Legend
Legend

To me, that would seem to be the best way.

Andy

the_rock
Legend
Legend

For what it's worth (though I have a need to say this now: AI answers should be taken with a grain of salt), I "ran" your question through ChatGPT, since AI Copilot told me this is not strictly CP related. Below is what I got from ChatGPT.

Andy

**************************

Managing Check Point DNS request logging in Cisco Umbrella typically involves making sure that your DNS traffic — which may originate from Check Point appliances or networks protected by them — is properly redirected to and logged by Cisco Umbrella. Here's how you'd go about setting it up and managing the logging:


🔧 1. Redirect DNS Traffic from Check Point to Cisco Umbrella

To log DNS requests in Cisco Umbrella, you need to ensure that DNS queries from your network are sent to Umbrella's DNS servers:

  • Cisco Umbrella DNS IPs:

    • 208.67.222.222

    • 208.67.220.220

On Check Point:

You need to configure the firewall/NAT rules to intercept and redirect DNS queries (UDP/53 and TCP/53) to Umbrella:

  • Create a NAT Rule:

    • Original Source: Internal networks

    • Original Destination: Any

    • Original Service: DNS (UDP/TCP 53)

    • Translated Source: Original

    • Translated Destination: Cisco Umbrella DNS IPs

    • Translated Service: Original

  • Create an Access Control Policy Rule to allow the traffic.

Alternatively, use DNS forwarding if you're running a local DNS server — point it to Cisco Umbrella.


📝 2. Enable DNS Logging in Umbrella Dashboard

Once DNS traffic is being sent to Umbrella:

  • Go to Cisco Umbrella Dashboard → Activity Search.

  • Make sure your policy is set to log all DNS requests, including allowed and blocked ones.

    • Navigate to Policies → choose your policy → Logging.

    • Set it to: Log all requests (Full logging)


📈 3. Verify & Monitor Logs

Use the Activity Search and Reports tabs in Umbrella to:

  • Monitor DNS requests by source IP, identity, domain, or category.

  • Export logs if needed.

  • Optionally, configure Log Export to a SIEM using Umbrella’s Log Exporter or Amazon S3 bucket integration.


🔍 4. Troubleshooting Tips

  • Make sure no DNS queries are bypassing Umbrella (e.g., clients using hardcoded DNS).

  • Enable DNSCrypt or DNS-over-HTTPS (DoH) on compatible clients for security, if required.

  • In Check Point, use SmartLog or SmartView to verify that DNS traffic is being NAT-ed correctly.

Heath
Collaborator

It's certainly working, I've just got too many logs in Umbrella from CP! Thanks again @the_rock !

the_rock
Legend
Legend

Well, thank ChatGPT 😉

Nüüül
Advisor
Advisor

Hello

What I understand:

Your Check Point gateways are using Umbrella DNS resolvers for DNS.

Your internal network is using its own (internal) DNS servers, which then use Umbrella as "upstream resolver".

In Umbrella both "use cases" are logged (worst case, with the same configured "identity" as source IP)?

Depending on your Umbrella subscription, having your internal DNS servers use an Umbrella VA as resolver (which then resolves via Cisco) might make it possible to differentiate the request sources.

For me, I am doing something similar with a customer: using a pair of Umbrella VAs as internal resolvers and letting their gateways speak directly to Umbrella.

At least you can then set a filter on what is interesting to you.

If I got you wrong, please correct me.

Heath
Collaborator

Very nice! When you say you're letting the gateways use Umbrella directly, do you mean you're setting the gateway DNS servers to the Umbrella public IPs? Thanks @Nüüül!

Nüüül
Advisor
Advisor

That's what I understood you are already doing 😄

So, as an example:

Gateways are using 208.67.220.220/208.67.222.222 (or for IPv6 2620:119:35::35 / 2620:119:53::53)
- their public IPs are registered as "Network"

Internally there are 2 Umbrella virtual appliances installed, let's say 10.0.0.35 and 10.0.0.53
- these are registered to the Umbrella account (can be found at "Sites and Active Directory")
- internal servers and so on are using these appliances

With this, gateways can resolve internet destinations via Umbrella, and the Umbrella admin can exclude "Network" addresses in their log searches.

Another way would be to use the virtual appliances for your gateways too (depends on how many branches and so on you have), for instance when you need internal name resolution. The VA sends the internal requesting IP with its logs too, so that would be another way to filter.

I hope it is kind of clear what I meant; if not, drop me a DM and we can discuss your needs and so on.
Heath
Collaborator

We are using the Cisco Umbrella VAs (CUVA) for everything and are getting too many logs in Umbrella. CP is essentially doubling up everything, since the CUVA is resolving and the gateways are similarly resolving for their protections, from what I understand, as well as everything else CP needs to resolve for Updatable Objects and the like.

When setting up the gateways to use the Umbrella public resolvers instead of the CUVAs, do you see a reduction in Umbrella logs? I think you would, and I think this is what we might try to do.

Do you know if it's recommended to use a local DNS resolver for the gateways, or does it matter? We've just always used local DNS resolvers, since they're set up at all of our locations via the CUVAs since we deployed Umbrella a couple of years back. Thanks again @Nüüül!

Heath
Collaborator

As a baseline, our Cisco Rep told us we are using 10x the log storage of any other company our size! This is similar to what we are seeing in Umbrella because the logs from the gateways are drowning out all the other user logs in the system.

Nüüül
Advisor
Advisor

OK, thanks for the clarification!

One idea:

Configure an internal network with the internal IPs of your gateways. An example is attached as a screenshot. Now you can set up a DNS policy (or clone your existing one) and match the "identities affected" on the internal network just created, and disable logging or set it to security events only.

Additionally, you might want to have a look at the policy: if you want to have everything running through another filter, especially when logging is disabled, you might run into "strange behaviour" when filtering is active 😉
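Both of the suggestions above (excluding the gateways' "Network" identity from log searches, and putting the gateways' internal IPs into their own identity with logging reduced to security events only) come down to the same question: what share of the Umbrella DNS log is gateway noise, and what is left once you filter it. The script below is an added example, not code from the thread or from Cisco; it runs over constructed log lines in a simplified, assumed shape of an Umbrella DNS log export (real exports carry more columns), and the gateway address ranges are constructed too.

```python
import csv
import io
import ipaddress
from collections import Counter

# Constructed sample lines in an assumed, simplified Umbrella DNS export layout:
# timestamp, most granular identity, identities, internal IP, external IP,
# action, query type, response code, domain.
SAMPLE_LOG = """\
"2024-05-01 10:00:01","GW-HQ","GW-HQ,Default Site","10.1.1.1","203.0.113.10","Allowed","1 (A)","NOERROR","updates.example-vendor.com."
"2024-05-01 10:00:01","Default Site","Default Site","10.20.5.7","203.0.113.10","Allowed","1 (A)","NOERROR","example.com."
"2024-05-01 10:00:02","GW-HQ","GW-HQ,Default Site","10.1.1.1","203.0.113.10","Allowed","1 (A)","NOERROR","example.com."
"2024-05-01 10:00:03","GW-Branch","GW-Branch,Branch Site","10.2.1.1","198.51.100.5","Allowed","28 (AAAA)","NOERROR","cdn.example.net."
"2024-05-01 10:00:04","Branch Site","Branch Site","10.2.7.44","198.51.100.5","Blocked","1 (A)","NOERROR","bad.example.org."
"2024-05-01 10:00:05","GW-HQ","GW-HQ,Default Site","10.1.1.1","203.0.113.10","Blocked","1 (A)","NOERROR","bad.example.org."
"""

# Internal addresses of the Check Point gateways (constructed). This is the
# same set you would register as an internal network identity in the dashboard.
GATEWAY_NETS = [ipaddress.ip_network("10.1.1.0/30"),
                ipaddress.ip_network("10.2.1.1/32")]

FIELDS = ["timestamp", "identity", "identities", "internal_ip", "external_ip",
          "action", "qtype", "rcode", "domain"]


def parse_log(text):
    """Parse CSV export lines into dicts keyed by the assumed column names."""
    return [dict(zip(FIELDS, row)) for row in csv.reader(io.StringIO(text)) if row]


def is_gateway(rec):
    """True when the requesting internal IP belongs to a gateway range."""
    ip = ipaddress.ip_address(rec["internal_ip"])
    return any(ip in net for net in GATEWAY_NETS)


def noise_share(records):
    """Fraction of all log lines that originate from the gateways."""
    return sum(1 for r in records if is_gateway(r)) / len(records) if records else 0.0


def split_gateway_noise(records, keep_security_events=True):
    """Return (kept, dropped). Gateway queries are dropped, except Blocked ones
    when keep_security_events is set, mirroring 'security events only' logging."""
    kept, dropped = [], []
    for rec in records:
        if is_gateway(rec) and not (keep_security_events and rec["action"] == "Blocked"):
            dropped.append(rec)
        else:
            kept.append(rec)
    return kept, dropped


def top_identities(records, n=3):
    """Identities that generate the most lines, to confirm who is flooding the log."""
    return Counter(r["identity"] for r in records).most_common(n)
```

On the sample, two thirds of the lines come from gateways; keeping only their Blocked events halves the log while the user-side Blocked event and the gateway's own Blocked event both survive.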
Heath
Collaborator

Very nice! I like that as another option to the exclusions list you can create. Thanks for taking the time to write that out, much appreciated.

Wolfgang
Authority
Authority

It would be nice to hear why you are using Cisco's Umbrella. A lot of the features of Umbrella are also available from Check Point. What are your goals in running Umbrella?

Heath
Collaborator

Hybrid workforce and easy integration mainly for our use case; we use Cisco AnyConnect via Cisco Secure Client and Umbrella integrates easily with that Cisco RA VPN solution. Assets on premise could be covered by CP but we don't utilize the Harmony endpoint products with CP.

the_rock
Legend
Legend

@Heath Just curious, how do you like Cisco Umbrella? I personally never used it myself..

Andy

Heath
Collaborator

I really don't have anything to compare it to, but it's been easy to work with and set up. That's actually one product that Cisco has integrated well with its other products, like the Secure Client agent. This was a big win for us.

the_rock
Legend
Legend

K, fair enough, thank you!

Andy
