This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
Narsimha_Rao_Ko
Participant
‎2018-06-29 05:55 AM

R80.10 Features

I have the following queries regarding some of the limitations of Checkcpoint. Please clarify if you are aware of the solutions:

  • Is it possible to block the DNS request for the particular malicious domain instead of blocking the entire external dns communication. The rule should be source:Internal DNS server, destination:External DNS server, domain:malicious domain, service:udp/53, action:block
  • I was trying to integrate the Sandblast logs to the local log server. Once integrated local firewall daemon crashing continuously. What we need is only logs/alerts related to malicious attachments/urls instead of all the beningn verdict logs. I don't see any such configuration feature in the Sandblast portal.
  • We are developing our own portal so we are using log exporter tool to export all the logs from the log server. We also want to export gateway health/traffic statistics to our portal. Is there any API funtionality available for the same.

Thanks,

KNRao

0 Kudos
Reply
3 Replies
Kim_Moberg
Advisor
‎2018-06-30 07:36 AM

I am not sure you can blok specific domain but together with IPS and Anti-not blades enabled you can use DNS Trap and the anti-bot uses dns reputation services that will automatically block access to known domains which are affected. 

Basically my understanding of how it works. You you dont already have these blades enabled I would recommend it on perimeter firewall.

On clients use Sandblast Agent or better the full endpoint suite. Really strong products.

Best regards

Kim

Best Regards
Kim
0 Kudos
Reply
Charris_Lappas
Collaborator
‎2018-06-30 11:15 AM

It all depends whether the domain is already classified by Checkpoint as being DNS bad reputation. C&C and so on.If this is the case with the enabling of DNS trap SK74060 will block this communication. Checkpoint has added a lot features under the Threat Protection. URL filtering, Application control, DNS Trap, DNS reputation, IP reputations are really helpful and provide a multi layer protection.

In the case that a DNS entry is not classified by Checkpoint but you want to block DNS requests for a specific DNS entry I can suggest the following:

a) Follow the SK74060

b) Block all direct client DNS requests to the Internet.

c) Configure all your clients to use your Internal DNS server.

d) Add a DNS entry to the Host file of your DNS server with the Bogus IP.

In this way, your clients will be forced to use only your Internal DNS server and in the case that they query the DNS entry of your customised "malicious" domain you will have an exact log of who that client requested that log.

Having that log is very important in order to pinpoint which client is making this request.

Thanks,

Charris Lappas

0 Kudos
Reply