This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
prashantds
Participant
‎2020-03-22 03:41 AM
Jump to solution

Block torrent applications

Hi All, I want to  block all torrent applications specifically uTorrent.

i have added utorrent in the in the application blocking but still not working..

 

Thanks,

Prashant.

 

 

Prashant
Preview file
23 KB
0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2020-03-23 02:21 PM
In response to prashantds
Jump to solution

Like I said, you need to limit either the destinations, the services, or both.
This advice applies to one or more of 8, 17, 20, 24.

Each one of these rules could easily be two rules.
One example:

Screen Shot 2020-03-23 at 2.12.23 PM.png

Replace http/https with the precise services that are actually required for Internet access and nothing more.
This is by far the most performant approach. 

Another option would be to put a rule near the bottom of your App Control rulebase like the following:

Screen Shot 2020-03-23 at 2.15.26 PM.png

To get the Service column to show up in your App Control rulebase, right click on the title bar and check Service.
If you don't want to outright block the traffic, you can instead use the action "Limit" and specify whatever sort of limit you wish to place on this traffic.
Note the limit applies for anything matching this rule and should be below more specific rules. 

 

View solution in original post

0 Kudos
12 Replies
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2020-03-22 05:35 AM
Jump to solution

Please share some additional information if you would like assistance e.g. 

- Version & JHF?

- SSL / HTTPS inspection? Y/N

- Classification (hold) mode Y/N

- What alternate rule in the policy is matching the traffic?

CCSM R77/R80/ELITE
0 Kudos
prashantds
Participant
‎2020-03-22 05:52 AM
In response to Chris_Atkinson
Jump to solution

Version :- R77.30
SSL/HTTPS - N
Classification - N
Currently no policy is there except the Application block policy which is of no help.

Thanks
Prashant.
Prashant
0 Kudos
PhoneBoy
Admin
Admin
‎2020-03-22 01:34 PM
Jump to solution

What rules are the traffic matching on instead and how do those rule relate to the one you've shown?
Based on that we might be able to make suggestions.

Also note that R77.30 is End of Support and it would probably be a good idea to upgrade to a supported release.
0 Kudos
prashantds
Participant
‎2020-03-22 09:17 PM
In response to PhoneBoy
Jump to solution

Hi,

UDP utilization is showing too high for interface when checked. so i checked client pc remotely he is using torrent. now i don't want him or anyone else to use torrent.

Yeah, received the new firewall but waiting for downtime from management.
Thanks,
Prashant.
Prashant
0 Kudos
PhoneBoy
Admin
Admin
‎2020-03-22 09:32 PM
In response to prashantds
Jump to solution

Understood, but what rule(s) are matching the traffic in question?
In this case, both Firewall and Application Control rules?

I suspect you're allowing UDP high ports to random places on the Internet, which is generally not best practice.
0 Kudos
prashantds
Participant
‎2020-03-22 09:36 PM
In response to PhoneBoy
Jump to solution

yes both FW and Application control rules.

I suspect you're allowing UDP high ports to random places on the Internet, which is generally not best practice. - How do i stop this??
Sorry i am not having much knowledge of firewalls doing just some RnD. Support is not available trying to do it myself.

Prashant
0 Kudos
PhoneBoy
Admin
Admin
‎2020-03-22 09:50 PM
In response to prashantds
Jump to solution

You sent a screenshot of the Application Control rule you thought should have blocked Bittorrent, so clearly you have access to SmartDashboard...and probably SmartView Tracker and/or SmartLog to see the logs of the traffic.

As a general rule in R77.x and earlier: in order to pass through the Firewall rulebase, there has to be an explicit rule that allows the traffic.
What precise rule is allowing the traffic?
SmartView Tracker and/or SmartLog should tell you if it's not obvious from looking at your rulebase and you have logging enabled on your rules.

Then, in R77.x and earlier, if the Firewall rulebase allowed the traffic, it goes to the Application Control rulebase.
In this rulebase, unless there is an explicit rule that blocks traffic, it will be allowed.

Note that in R80.x with Policy Layers, this behavior is different as you can potentially have many layers and set the default behavior for each layer differently (default deny or accept).
0 Kudos
prashantds
Participant
‎2020-03-22 10:43 PM
In response to PhoneBoy
Jump to solution

We have some firewall rules which state from any to any. please find the SS attached.

fw rules1.png

fw rules2.png

  

Prashant
0 Kudos
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2020-03-23 04:32 AM
In response to prashantds
Jump to solution

For an effective strategy you will need to limit (reduce) the number of such rules and get more detailed with the permitted services and destinations.

CCSM R77/R80/ELITE
0 Kudos
prashantds
Participant
‎2020-03-23 04:35 AM
In response to Chris_Atkinson
Jump to solution

Hi,

i will make sure of that during the installation of latest firewall. for time being i am looking for the solution to block torrent or limit the download speeds(only for torrent not whole interface).

Thanks,

Prashant.

Prashant
0 Kudos
PhoneBoy
Admin
Admin
‎2020-03-23 02:21 PM
In response to prashantds
Jump to solution

Like I said, you need to limit either the destinations, the services, or both.
This advice applies to one or more of 8, 17, 20, 24.

Each one of these rules could easily be two rules.
One example:

Screen Shot 2020-03-23 at 2.12.23 PM.png

Replace http/https with the precise services that are actually required for Internet access and nothing more.
This is by far the most performant approach. 

Another option would be to put a rule near the bottom of your App Control rulebase like the following:

Screen Shot 2020-03-23 at 2.15.26 PM.png

To get the Service column to show up in your App Control rulebase, right click on the title bar and check Service.
If you don't want to outright block the traffic, you can instead use the action "Limit" and specify whatever sort of limit you wish to place on this traffic.
Note the limit applies for anything matching this rule and should be below more specific rules. 

 

0 Kudos
prashantds
Participant
‎2020-03-23 09:25 PM
In response to PhoneBoy
Jump to solution

Hi,

Thank you very much for your all help and support.
i limited the traffic through the application rule.
now seems to be working fine with bandwidth.

Prashant
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events