kb1
Collaborator

How do I go about blocking a particular resource that I see in the IPS log?

So I see this log on the Check Point:

IPS log.PNG

How do I go about blocking this resource "syndication.exoclick.com" on port 53? Do I need to create a URL rule for that, and what would it look like? (We have the URL Filtering blade enabled but not HTTPS Inspection; "Categorize HTTPS sites" is enabled, though.) And if not URL Filtering, then how else would I block it?

 

Thank You.

7 Replies
the_rock
Authority

Just my personal opinion...what I would do is create a rule that has as source a custom application/site object, and in there simply add under the URL list *syndication.exoclick*

I find that doing it that way works 100% of the time, at least from my experience. Slap that as the source, destination any, action block, log, and that's it.

 

Andy

kb1
Collaborator

Thanks for replying, but shouldn't it be a destination? You say source, but it should be destination, right? And source should be our internal network? And the service selected should be 53?

And just to be clear, *syndication.exoclick* will cover the "syndication.exoclick.com" URL?

the_rock
Authority

Yes, but my apologies, my first reply is wrong, my bad.

Let me rephrase that...you can't do it as source or dst, you do it under the services & applications tab...need more coffee :)). So once you have created that custom app/site, you have a rule like this, just tested it in my lab:

source -> any

destination -> Internet

vpn -> any

services & applications -> custom app/site object you create (I named it syndication.exoclick and in "match by" I simply added *syndication.exoclick*), and yes, it 100% covers anything or any subdomain for that. It's literally the same if you wanted to block anything Facebook under the sun, you could do *facebook*. I tried it many times and it works like a charm.

action -> block

track -> log

If you have any issues, hit me up and we can do remote.

kb1
Collaborator

Oh, thank you once again for the quick reply. I will try it out and update here, and if it doesn't work I will reach out to you. Thanks!

the_rock
Authority

Any time!

the_rock
Authority

Forgot to mention, yes, you can also add services to a rule like that, so if you ONLY wish to block the service with port 53, you can do so, no problem...BUT, just be vigilant not to inadvertently block access to an important service for a network that should have it, that's all.

PhoneBoy
Admin

Using a custom application/site won’t work for things that aren’t http/https.
It is the sort of thing enabling DNS Trap will help with, which basically rewrites these lookups to “trap” IP addresses.
Note that prior to R81, these events show up as Detect even though they are effectively prevented.

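To make the two points in this thread concrete, here is an added example (my own illustration, not Check Point code and not an emulation of the product's matching engine). It models a custom app/site object with the wildcard pattern `*syndication.exoclick*` from the replies above, shows that such a pattern matches the host name and every subdomain on HTTP/HTTPS flows, shows why a bare DNS query on port 53 carries no host name for that rule to match (PhoneBoy's point), and sketches the DNS-trap idea of answering a blocked-domain lookup with a sinkhole address. The trap address `10.255.255.1`, the `Connection` record, and the sample flows are all constructed for the example.

```python
import fnmatch
from dataclasses import dataclass
from typing import Optional

# Pattern exactly as used in the thread's custom application/site object.
BLOCK_PATTERNS = ["*syndication.exoclick*"]

# Constructed placeholder for a DNS-trap ("sinkhole") address; not a real product value.
TRAP_IP = "10.255.255.1"


@dataclass
class Connection:
    """One flow as a firewall rule would see it (constructed model)."""
    proto: str                      # "tcp" or "udp"
    dst_port: int
    host: Optional[str] = None      # HTTP Host header or TLS SNI; None if not HTTP/HTTPS
    dns_qname: Optional[str] = None # queried name if this is a DNS request


def matches_app_site(name: Optional[str], patterns=BLOCK_PATTERNS) -> bool:
    """Case-insensitive wildcard match; '*' spans dots, so subdomains are covered."""
    if not name:
        return False
    name = name.lower().rstrip(".")
    return any(fnmatch.fnmatchcase(name, p.lower()) for p in patterns)


def url_rule_action(conn: Connection) -> str:
    """Rule from the thread: src any, dst Internet, service = custom app/site, action block.

    The app/site object only ever sees a host name on web traffic, so a flow
    without an HTTP Host / TLS SNI (e.g. a DNS query on udp/53) falls through
    to accept even when the queried domain is the blocked one.
    """
    if conn.dst_port in (80, 443) and matches_app_site(conn.host):
        return "block"
    return "accept"


def port_service_rule_action(conn: Connection, blocked_ports=(53,)) -> str:
    """The alternative the_rock mentions: block by service/port only.

    This does catch the DNS flow, but it also blocks every other lookup on
    that port, which is the collateral damage the thread warns about.
    """
    return "block" if conn.dst_port in blocked_ports else "accept"


def dns_trap_answer(qname: str, patterns=BLOCK_PATTERNS) -> Optional[str]:
    """DNS-trap style resolution: a lookup for a blocked name gets the trap
    address instead of the real one; anything else is left to normal resolution."""
    return TRAP_IP if matches_app_site(qname, patterns) else None


def classify_flows(flows):
    """Apply both rule styles to a list of flows and return the decisions."""
    return [
        {
            "port": f.dst_port,
            "name": f.host or f.dns_qname,
            "url_rule": url_rule_action(f),
            "port_rule": port_service_rule_action(f),
        }
        for f in flows
    ]


if __name__ == "__main__":
    # Constructed sample flows resembling what the IPS log in the question shows.
    sample = [
        Connection("tcp", 443, host="syndication.exoclick.com"),
        Connection("udp", 53, dns_qname="syndication.exoclick.com"),
        Connection("udp", 53, dns_qname="updates.example.com"),
    ]
    for row in classify_flows(sample):
        print(row)
    print("trap answer:", dns_trap_answer("syndication.exoclick.com"))
```

The takeaway the code makes visible: the HTTPS flow to the domain is blocked by the app/site rule, the DNS lookup for the very same domain is not, and a port-53 service rule blocks both that lookup and the unrelated `updates.example.com` lookup. Answering the blocked name with a trap address is what closes the gap without cutting off DNS for everyone.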