This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
the_rock
Legend
Legend
11 hours ago
Jump to solution

Anti-bot block page does not show up

Hey guys,

I hope someone can maybe shed some light into this as to what we might be missing to get this working. I had been working with couple of my colleagues on it and we cant seem to figure it out.

Here is the environment:

R81.20 jumbo 89 mgmt server

R81.20 cluster with anti bot enabled, along with vpn, fw, monitoring, ssl inspection

another R81.20 gw, as well as SE dedicated server, all jumbo 89 (cluster as well)

Now, ssl inspection block page works fine, no issues. We enabled AB blade, made sure shows default block poage as option in TP profile, page we tested does NOT show up, but, block page NEVER comes up. I tested with different dns servers, no joy. Even followed below link, same issue.

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_ThreatPrevention_AdminGuide/Topics...TPG/Configuring-Anti-Bot-Settings.htm

I see in one of the logs below sk comes up, but not sure if thats relevant here.

https://support.checkpoint.com/results/sk/sk74060

For what its worth, same issue happens regardless if IPS blade is enabled or not.

I attached some screenshots of the environment. Any suggestions are always welcome.

Thanks in advance.

Andy

 

Screenshot_1.png

 

 

Screenshot_2.png

 

 

Screenshot_3.png

 

 

Screenshot_4.png

 

 

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
3 hours ago
In response to the_rock
Jump to solution

Thinking about this, the answer is probably not.

For a block page to be generated, a TCP connection would have to be generated.
This would require HTTPS Inspection, which would have to generate a certificate based on the site being accessed (SNI).
The SNI verification piece would fail since there's no connection to get the site certificate.
Even if you were to change the DNS Trap IP to something that answers with an HTTPS Certificate, it would not be correct based on the site accessed.

I suspect this is RFE territory. 

View solution in original post

0 Kudos
6 Replies
the_rock
Legend
Legend
10 hours ago
Jump to solution

Quick update...my colleague and I even enabled AV blade, tested with eicar download test link, but IE blocks the download, NOT av blade, so block page does not work for that either.

I have a feeling we are missing something trivial here, just cant figure out what exactly.

Andy

0 Kudos
the_rock
Legend
Legend
9 hours ago
Jump to solution

FWIW, also tested autonomous TP policy, exact same problem.

Andy

0 Kudos
PhoneBoy
Admin
Admin
6 hours ago
Jump to solution

I assume because of how this is being blocked (DNS Trap), we are not generating a block page, which would require an active TCP session.
The default DNS Trap IP does not answer any queries and connections would "time out." 

0 Kudos
the_rock
Legend
Legend
4 hours ago
In response to PhoneBoy
Jump to solution

Any way to fix that?

Andy

0 Kudos
PhoneBoy
Admin
Admin
3 hours ago
In response to the_rock
Jump to solution

Thinking about this, the answer is probably not.

For a block page to be generated, a TCP connection would have to be generated.
This would require HTTPS Inspection, which would have to generate a certificate based on the site being accessed (SNI).
The SNI verification piece would fail since there's no connection to get the site certificate.
Even if you were to change the DNS Trap IP to something that answers with an HTTPS Certificate, it would not be correct based on the site accessed.

I suspect this is RFE territory. 

0 Kudos
the_rock
Legend
Legend
3 hours ago
In response to PhoneBoy
Jump to solution

Thanks for the feedback, as always. I do have ssl inspection enabled, that part works and we do see logs generated that show pages blocked related to AB blade, but just cant get block page show up.

O well, thats unfortunate, but thank you for confirming!

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events