VarunTP
Participant

Threat Prevention Exception Failing to Bypass Malware DNS Trap

 

We are trying to run a phishing training simulation, but the test links are being blocked by the Check Point firewall.

Although we have already configured rules in Access Control and added exceptions in Threat Prevention, the traffic is still getting blocked at the DNS layer. Our troubleshooting shows that the gateway's Malware DNS Trap (under Profiles → Optimized) is intercepting the requests and sinkholing the domains.

Since there isn't a straightforward "exception" button inside that specific DNS Trap profile menu, we need to implement an alternative workaround—either by Whitelisting the specific external IP addresses of the phishing infrastructure directly inside our exception rule

8 Replies
simonemantovani
MVP Gold

Hello,

Did you take a look at this SK? https://support.checkpoint.com/results/sk/sk74060

VarunTP
Participant

Thanks, I have checked this and configured the exception policy, but it is still the same.

simonemantovani
MVP Gold

Could you post the screenshots of the exception you created? What is the test link used?

VarunTP
Participant

C:\Users\>nslookup sharepointle.com
Server: x.x.org
Address: x.x.x.x

Non-authoritative answer:
DNS request timed out.
timeout was 2 seconds.
Name: sharepointle.com
Address: 62.0.58.94


C:\Users\>

simonemantovani
MVP Gold

Looks good. Could you post the content of Phishing_Simulation and also paste, in text format, one log line of the dropped traffic?

Thanks.

VarunTP
Participant

That's actually something a different team is doing, which I don't have access to. Can I uncheck "Activate DNS trap"? How much impact will there be? We do have Defender for malware protection.

This is what the firewall log says when I click on the link:

Connection to DNS trap bogus IP. See sk74060 for more information. Access to site known to contain malware

Time: 2026-06-01T12:14:38Z
Interface Direction: inbound
Interface Name: bond0.151
Id: 31c63e26-93f0-43d1-6a1d-77ae0000000c
Sequencenum: 8
Threat Prevention Policy: INT-FW-SG1
Threat Prevention Policy Date:2026-05-29T10:13:01Z
Source: 192.168.x.x
Source Port: 51203
Destination Country: Israel
Destination: 62.0.58.94
Destination Port: 443
IP Protocol: 6
Session Identification Number:0x6a1d77ae,0xc,0x263ec631,0xd143f093
Protection Name: Phishing.TC.d942HVJn
Description: Connection to DNS trap bogus IP. See sk74060 for more information.
Confidence Level: High
Severity: Medium
Malware Action: Access to site known to contain malware
Protection Type: DNS Trap
Threat Prevention Rule ID: 5BD0A968-B0FD-4458-9356-0CFEC7BFB41A
Protection ID: 0043C0980
Log ID: 2
Scope: 192.168.x.x
Member Id: 1_2
Action: Prevent
Type: Log
Policy Name: INT-FW-SG1
Policy Management: OPCW-CHKPMGMT-01
Db Tag: {D31E9709-BC98-464E-B690-464BED5AE43E}
Policy Date: 2026-05-29T10:13:48Z
Blade: Anti-Virus
Origin: SG-CHKPFW-6200-1
Service: TCP/443
Product Family: Threat
Resource: sharepointle.com
Marker: @A@@B@1780315156@C@666729
Log Server Origin: x.x.x.x
Origin Log Server IP: x.x.x.x
Index Time: 2026-06-02T01:40:45Z
Lastupdatetime: 1780316139000
Lastupdateseqnum: 8
Stored: true
Suppressed Logs: 6
Sent Bytes: 0
Received Bytes: 0
Interface: bond0.151
Description: 192.168.x.x performed access to site known to contain malware that was prevented with DNS Trap
Threat Profile: Optimized
Bytes (sent\received): 0 B \ 0 B

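As an added triage example (not code from this thread or from Check Point): the nslookup output and the log above together show the DNS Trap mechanism, the resolver hands the client the bogus IP and the gateway then prevents the connection to it. This Python helper parses the text-format log, tells a DNS Trap prevent apart from an ordinary Access Control drop, and lists resolved domains whose answer is the trap IP; the sample log is a constructed subset of the one posted, and the function names are my own.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: a subset of the text-format log pasted in the thread above.
SAMPLE_LOG = """\
Time: 2026-06-01T12:14:38Z
Threat Prevention Policy Date:2026-05-29T10:13:01Z
Source: 192.168.x.x
Destination: 62.0.58.94
Destination Port: 443
Description: Connection to DNS trap bogus IP. See sk74060 for more information.
Protection Type: DNS Trap
Action: Prevent
Blade: Anti-Virus
Resource: sharepointle.com
Description: 192.168.x.x performed access to site known to contain malware that was prevented with DNS Trap
"""

# A key never contains ':', so split on the first colon; the value may contain
# colons (timestamps) and the separator may lack a space ("Policy Date:2026-...").
FIELD_RE = re.compile(r"^([^:]+):\s*(.*)$")


def parse_log(text: str) -> Dict[str, List[str]]:
    """Parse 'Key: Value' lines; repeated keys (e.g. Description) keep every value."""
    fields: Dict[str, List[str]] = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            fields.setdefault(m.group(1).strip(), []).append(m.group(2).strip())
    return fields


def first(fields: Dict[str, List[str]], key: str) -> str:
    """First value recorded for a key, or '' when the key is absent."""
    return fields.get(key, [""])[0]


def is_dns_trap_prevent(fields: Dict[str, List[str]]) -> bool:
    """True when the drop came from DNS Trap rather than from an Access Control rule."""
    return first(fields, "Protection Type") == "DNS Trap" and first(fields, "Action") == "Prevent"


def trap_ip(fields: Dict[str, List[str]]) -> str:
    """The bogus IP the trap substituted: for a DNS Trap event it is the log's Destination."""
    return first(fields, "Destination") if is_dns_trap_prevent(fields) else ""


def sinkholed_domains(answers: List[Tuple[str, str]], bogus_ip: str) -> List[str]:
    """Domains whose resolver answer (as seen in nslookup/dig) is the trap's bogus IP."""
    return sorted({domain for domain, ip in answers if ip == bogus_ip})


if __name__ == "__main__":
    f = parse_log(SAMPLE_LOG)
    print("DNS Trap prevent:", is_dns_trap_prevent(f), "trap IP:", trap_ip(f))
    print("sinkholed:", sinkholed_domains([("sharepointle.com", "62.0.58.94")], trap_ip(f)))
```

Feeding it the resolver answers for your simulation domains tells you which ones are being sinkholed by the trap, as opposed to being dropped by the Access Control policy, before you decide whether to add the sk182209 exception or disable the feature.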
simonemantovani
MVP Gold

Yes, you can disable the DNS malware trap. This is an additional feature that could help prevent malware connections by intervening at the DNS query level, without the need to inspect traffic to identify malware; but if you have Anti-Virus and Anti-Bot protection enabled you're protected in any case.

Timothy_Hall
MVP Gold

Did you try the steps below to create the exception? They are different from those in the ATRG for the DNS Trap feature:

sk182209: How to add an exception rule if the DNS Trap feature drops legitimate traffic

There are also situations where Threat Prevention drops based solely on an IP address occur for efficiency purposes on the SND within SecureXL, well before the Threat Prevention exceptions are ever consulted. Not sure if this is the case for you, but as an example, TP exceptions will not affect IOC feed blocks unless special steps are taken: sk181044: ioc_feeds blocks an IP address for which an exception was made

New Book: "Max Power 2026" Coming Soon
Check Point Firewall Performance Optimization
