This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Jagan23
Explorer
2 weeks ago

Issues with fail open settings

The current configuration is a fail-open which means that the traffic will be allowed in case the URL will be unknown.

 

Changing to a fail-close will have impact on all the environment since all the HTTPS traffic toward website with unknown reputation will be blocked until the checkpoint receive a status on those websites.

 

We are getting bombarded with alerts from SOC, when ever a user logins to a DC, stating that he has accessed a malicious URL.

 

I believe this is because of the fail-open settings. Is there any customization that can be done to prevent this from happening. Please check and let me know.

 

Some of the URL's reported are below,

 

media[.]jtdwjcwq6f4wp4ce[.]com

 

ns1[.]telecom-info[.]com

 

 

Preview file
109 KB
0 Kudos
16 Replies
PhoneBoy
Admin
Admin
2 weeks ago

The fail open/closed settings apply when you cannot reach the URL Filtering backend (or some other error related).
Uncategorized URLs can be blocked, but this is done in the Access Policy.

One of the URLs reported definitely looks suspicious:

image.png

0 Kudos
Jagan23
Explorer
2 weeks ago
In response to PhoneBoy

That is some of the URL's I listed. I think this is happening when ever domain controllers do DNS query. Since we have fail-open setting all the URL's are allowed. Is there a way to specifically block these malicious URL while doing DNS queries. Please let me know.

0 Kudos
PhoneBoy
Admin
Admin
2 weeks ago
In response to Jagan23

The Anti-Virus DNS Trap feature.
https://support.checkpoint.com/results/sk/sk74060 

0 Kudos
Jagan23
Explorer
Monday
In response to PhoneBoy

Thank you so much. I will try this and let you know if it works.

0 Kudos
Lesley
Advisor
Advisor
2 weeks ago

I don't get this part:

when ever a user logins to a DC, stating that he has accessed a malicious URL

How does the drop look on the firewall? I assume it is dropped there? Or how does it look what this SOC is getting?

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos
Jagan23
Explorer
Monday
In response to Lesley

Most of the connections are dropped but some are being allowed. The problem is we keep getting these alerts from SOC every two days once. Mostly the source points to a Domain controller. And when we checked with the username mentioned by the SOC the user is not aware of visiting any such URL's. The username is captured based on who logged into the DC at that specific duration. I have attached the SOC details for reference.

Preview file
31 KB
0 Kudos
PhoneBoy
Admin
Admin
Monday
In response to Jagan23

I assume this Domain Controller is used by your clients as their DNS server.
Unless the gateway can see the client making the DNS request, it has no way of knowing who made the request in this case.
It logs the information it has at the time, namely whichever admin is logged into the system at the time.

0 Kudos
Jagan23
Explorer
Wednesday
In response to PhoneBoy

Yes this is absolutely right. That is what happening and we are unable to see who is making those DNS requests

0 Kudos
Lesley
Advisor
Advisor
Monday
In response to Jagan23

What Phoneboy stated. Is this the flow?

Client -> dns request -> DC server -> DC sends DNS requested to it's forward DNS (this traffic will pass via firewall)

SOC get's logs from firewall and DC? Or only firewall? I think IA blade will see the user's logged into DC. But they have nothing to do with the traffic because it is not send by them. Also I hope users do not login to the actual DC server itself right? (with rdp)

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos
Jagan23
Explorer
Wednesday
In response to Lesley

The flow is correct. The log source is only from Firewall. People login to DC using RDP. That's when these DNS queries are taking place.

0 Kudos
PhoneBoy
Admin
Admin
Wednesday
In response to Jagan23

For any system where multiple users are involved, you need to install the Multi-User Host agent (MUHv2).
Whether they should be logging directly into the Domain Controller is a separate question.

0 Kudos
Jagan23
Explorer
Wednesday
In response to PhoneBoy

Thanks for the response. So, the only option to see who is making those DNS requests is through gateway. Please advise.

0 Kudos
PhoneBoy
Admin
Admin
Wednesday
In response to Jagan23

If you want to see who made a specific DNS request, that request must traverse the gateway before it reaches the DNS server (either internal or external).
And, of course, Identity Awareness is configured and working.

0 Kudos
the_rock
Legend
Legend
Wednesday
In response to Jagan23

Just curious, did this ever work right with the same settings...or no?

Andy

0 Kudos
Jagan23
Explorer
Wednesday
In response to the_rock

I am not sure. I joined this organization recently and I am onboarding systems to our new SOC vendor. That's when I started to see these alerts. But I am unable to find anything in firewall. However, when the email comes from SOC they say the log source is checkpoint.

the_rock
Legend
Legend
Wednesday
In response to Jagan23

I would follow what Phoneboy gave...

Andy

https://support.checkpoint.com/results/sk/sk74060

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events