Issues with fail open settings

The current configuration is fail-open, which means that traffic will be allowed in case the URL is unknown.

Changing to fail-close will have an impact on the whole environment, since all HTTPS traffic toward websites with unknown reputation will be blocked until the Check Point receives a status on those websites.

We are getting bombarded with alerts from the SOC whenever a user logs in to a DC, stating that he has accessed a malicious URL.

I believe this is because of the fail-open settings. Is there any customization that can be done to prevent this from happening? Please check and let me know.

Some of the URLs reported are below:

media[.]jtdwjcwq6f4wp4ce[.]com

ns1[.]telecom-info[.]com

16 Replies
PhoneBoy
Admin

The fail open/closed settings apply when you cannot reach the URL Filtering backend (or some other related error).
Uncategorized URLs can be blocked, but this is done in the Access Policy.

One of the URLs reported definitely looks suspicious:

Jagan23
Explorer

Those are some of the URLs I listed. I think this is happening whenever domain controllers do DNS queries. Since we have the fail-open setting, all the URLs are allowed. Is there a way to specifically block these malicious URLs while doing DNS queries? Please let me know.

PhoneBoy
Admin

The Anti-Virus DNS Trap feature.
https://support.checkpoint.com/results/sk/sk74060

Jagan23
Explorer

Thank you so much. I will try this and let you know if it works.

Lesley
Leader

I don't get this part:

when ever a user logins to a DC, stating that he has accessed a malicious URL

How does the drop look on the firewall? I assume it is dropped there? Or what does what this SOC is getting look like?

-------
If you like this post please give a thumbs up(kudo)! 🙂
Jagan23
Explorer

Most of the connections are dropped, but some are being allowed. The problem is we keep getting these alerts from the SOC once every two days. Mostly the source points to a domain controller. And when we checked with the username mentioned by the SOC, the user is not aware of visiting any such URLs. The username is captured based on who logged into the DC at that specific time. I have attached the SOC details for reference.

PhoneBoy
Admin

I assume this Domain Controller is used by your clients as their DNS server.
Unless the gateway can see the client making the DNS request, it has no way of knowing who made the request in this case.
It logs the information it has at the time, namely whichever admin is logged into the system at the time.

Jagan23
Explorer

Yes, this is absolutely right. That is what is happening, and we are unable to see who is making those DNS requests.

Lesley
Leader

What PhoneBoy stated. Is this the flow?

Client -> DNS request -> DC server -> DC sends the DNS request to its forwarder DNS (this traffic will pass via the firewall)

Does the SOC get logs from the firewall and the DC? Or only the firewall? I think the IA blade will see the users logged into the DC. But they have nothing to do with the traffic, because it is not sent by them. Also, I hope users do not log in to the actual DC server itself, right? (with RDP)

-------
If you like this post please give a thumbs up(kudo)! 🙂
Jagan23
Explorer

The flow is correct. The log source is only the firewall. People log in to the DC using RDP. That's when these DNS queries are taking place.

PhoneBoy
Admin

For any system where multiple users are involved, you need to install the Multi-User Host agent (MUHv2).
Whether they should be logging directly into the Domain Controller is a separate question.

Jagan23
Explorer

Thanks for the response. So, the only option to see who is making those DNS requests is through the gateway? Please advise.

PhoneBoy
Admin

If you want to see who made a specific DNS request, that request must traverse the gateway before it reaches the DNS server (either internal or external).
And, of course, Identity Awareness is configured and working.

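To make the attribution problem discussed above concrete (the DNS query forwarded by the DC is logged against whoever Identity Awareness last saw log in to the DC, a query that traverses the gateway directly is attributed to the real client, and the Anti-Virus DNS Trap from sk74060 can still reveal the real host), here is a small Python model. This is an added example for this thread, not Check Point code, and it does not reproduce the product's internals. My understanding of the DNS Trap, modeled here, is that the gateway answers a lookup of a flagged domain with a bogus sink address so that the host which later connects to that address identifies itself. All hosts, users, the upstream answer and the trap address are constructed; the malicious domain is the one from the original post.

```python
"""Model of how a gateway attributes a DNS query to a user, and why a query
forwarded by a domain controller is logged against whoever is logged in to
the DC. Added example for this thread; not Check Point code. Hosts, users,
the upstream answer and the trap address are constructed."""
from dataclasses import dataclass, field

# Assumed sink address for the DNS-trap model (TEST-NET-2 range); the
# product's real default trap address is not reproduced here.
TRAP_IP = "198.51.100.1"


@dataclass
class Gateway:
    identity_map: dict        # IP -> user, as Identity Awareness would learn it
    malicious_domains: set    # domains the gateway's reputation feed flags
    trap_ip: str = TRAP_IP
    logs: list = field(default_factory=list)

    def user_for(self, ip):
        # A multi-user host (a DC with RDP sessions) maps to one user at a
        # time: whoever Identity Awareness saw log in last. That is the gap
        # the thread describes.
        return self.identity_map.get(ip, "unknown")

    def dns_query(self, src_ip, qname, upstream_answer):
        """A DNS query traversing the gateway. Returns the answer sent back."""
        entry = {"type": "dns", "src": src_ip, "user": self.user_for(src_ip),
                 "qname": qname}
        if qname in self.malicious_domains:
            # DNS trap: hand back the sink address instead of the real one.
            entry.update(action="trap", answer=self.trap_ip)
            self.logs.append(entry)
            return self.trap_ip
        entry.update(action="accept", answer=upstream_answer)
        self.logs.append(entry)
        return upstream_answer

    def connection(self, src_ip, dst_ip):
        """A connection traversing the gateway. Returns the verdict."""
        action = "drop" if dst_ip == self.trap_ip else "accept"
        self.logs.append({"type": "conn", "src": src_ip,
                          "user": self.user_for(src_ip), "dst": dst_ip,
                          "action": action})
        return action


DC_IP, CLIENT_IP = "10.0.0.10", "10.0.1.25"        # constructed addresses
BAD_DOMAIN = "media.jtdwjcwq6f4wp4ce.com"           # domain from the thread
REAL_ANSWER = "203.0.113.7"                         # constructed upstream answer


def new_gateway():
    # admin.jane is logged in to the DC over RDP; alice sits at the client.
    return Gateway(identity_map={DC_IP: "admin.jane", CLIENT_IP: "alice"},
                   malicious_domains={BAD_DOMAIN})


def via_dc_forwarder():
    """Client -> DC -> gateway -> upstream: the gateway only sees the DC."""
    gw = new_gateway()
    gw.dns_query(DC_IP, BAD_DOMAIN, REAL_ANSWER)
    return gw.logs[0]


def direct_through_gateway():
    """Client -> gateway -> DNS server: the gateway sees the real client."""
    gw = new_gateway()
    gw.dns_query(CLIENT_IP, BAD_DOMAIN, REAL_ANSWER)
    return gw.logs[0]


def with_dns_trap():
    """Forwarded query as above, but the client's follow-up connection to the
    trap address reveals which host actually resolved the domain."""
    gw = new_gateway()
    answer = gw.dns_query(DC_IP, BAD_DOMAIN, REAL_ANSWER)
    gw.connection(CLIENT_IP, answer)   # the DC relayed the trapped answer
    return gw.logs[1]


if __name__ == "__main__":
    for fn in (via_dc_forwarder, direct_through_gateway, with_dns_trap):
        print(fn.__name__, fn())
```

Running it shows the first scenario logged with src 10.0.0.10 and user admin.jane (the SOC alert from the thread), the second with user alice, and the third a dropped connection from 10.0.1.25 / alice to the trap address, which is the log line that actually names the affected workstation.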
the_rock
Legend

Just curious, did this ever work right with the same settings...or no?

Andy

Jagan23
Explorer

I am not sure. I joined this organization recently and I am onboarding systems to our new SOC vendor. That's when I started to see these alerts. But I am unable to find anything in the firewall. However, when the email comes from the SOC, they say the log source is Check Point.

the_rock
Legend

I would follow what PhoneBoy gave...

Andy

https://support.checkpoint.com/results/sk/sk74060
