This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
kb1
Collaborator
‎2021-09-21 10:29 AM

how do go about blocking a particular resource that i see on the ips log?

so i see this log on the checkpoint:

IPS log.PNG

How do i go about blocking this resource "syndication.exoclick.com" on port 53? do i need to create a url rule for that? and how would it look like (we have url filtering blade enabled but not https inspection, categorize https inspection is enabled though). And if not url filtering then how else would i block it?

 

Thank You.

0 Kudos
7 Replies
the_rock
MVP Platinum
MVP Platinum
‎2021-09-21 10:54 AM

Just my personal opinion...what I would do is create a rule that has a source as custom application/site object and in there, simply add under url list *syndication.exoclick* 

I find that doing it that way works 100% of the time, at least from my experience. Slap that as the source, destination any, action block, log and thats it.

 

Andy

Best,
Andy
0 Kudos
kb1
Collaborator
‎2021-09-21 11:01 AM
In response to the_rock

Thanks for replying but shouldn't it be a destination? You say source but it should be destination right?and source should be our internal network? And service selected should be 53?

And just to be clear *syndication.exoclick* will cover the "syndication.exoclick.com" url?

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2021-09-21 11:06 AM
In response to kb1

Yes, but my apologies, my first reply is wrong, my bad.

Let me rephrase that...you cant do it as source or dst, you do it under service/application tabs...need more coffee :)). So once you had created that custom app/site, you have a rule like this, just tested it in my lab:

source -> any

destination -> Internet

vpn -> any

services & application -> custom app/site object you create (I named it sundication.exoclick and in "match by" I simply added *syndication.exoclick* and yes, 100% covers anything or any sub domain for that. Its literally if you wanted to block anything facebook under the sun, you could do the same *facebook*. I tried it many times and works like a charm.

action -> block

track -> log

If you have any issues, hit me up and we can do remote.

Best,
Andy
0 Kudos
kb1
Collaborator
‎2021-09-21 11:08 AM
In response to the_rock

Oh thank you once again for the quick reply, I will try it out and update here and if it doesn't work I will reach out to you thanks!

the_rock
MVP Platinum
MVP Platinum
‎2021-09-21 11:09 AM
In response to kb1

Any time!

Best,
Andy
0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2021-09-21 11:17 AM
In response to kb1

Forgot to mention, yes, you can also add services to rule like that, so if you ONLY wish to block service with port 53, you can do so, no problem...BUT, just be vigilant not to inadvertently block access to important service for network that should have it, thats all.

Best,
Andy
0 Kudos
PhoneBoy
Admin
Admin
‎2021-09-21 11:47 AM

Using a custom application/site won’t work for things that aren’t http/https.
It is the sort of thing enabling DNS Trap will help with, which basically rewrites these lookups to “trap” IP addresses.
Note that prior to R81, these events show up as Detect even though they are effectively prevented.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events