I am trying to white-list a single domain for DNS Reputation prevents. Currently, it seems like the only option is to make exceptions for all of our DNS servers, effectively turning off DNS Reputation checks for DNS lookups in our company.
The domain is an employee awareness training site for phishing that is publicly available, so it technically is a phishing site and should not necessarily be re-categorized, but we'd like to whitelist it for our company during our phishing tests.
Has anyone ever had to do this before?
According to a TAC case I've seen, it should be supported to use a Custom Application/Site.
Here are the steps I found from one TAC case where the customer confirmed it works.
For Anti-Virus Configuration (R81.10, R81.20)
1. Verify Anti-Virus Blade: Ensure that the Anti-Virus blade is enabled.
2. Create Custom Application/Site:
   * In SmartConsole, navigate to New > More > Custom Application/Site > Application/Site.
   * Name the Application/Site and insert the domains into the URL list.
   * Ensure the checkbox for "URLs are defined as Regular Expression" is unchecked.
3. Add Exception:
   * Go to Security Policies > Threat Prevention > Exceptions.
   * Click on Global Exceptions, then Add Exception > Above to create a new rule.
   * Change the Action to Inactive.
   * In the Protection/Site/File/Blade section, select your custom application.
   * Ensure that the values in the following columns are set to Any:
     * Protected Scope
     * Source
     * Destination
     * Services
4. Install Policy: Install the Threat Prevention policy.
5. Clear Caches: Make sure to clear the DNS caches on the used DNS servers and the Malware Cache on the gateway. For instructions, refer to sk105179.
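As an added example (not from this thread and not Check Point's own code), the same procedure driven through the Management Web API instead of SmartConsole: validate that the URL list holds literal hostnames, build the add-application-site and add-threat-exception bodies with the column values from the steps above, publish, and install only the Threat Prevention policy. The server name, credentials, package and gateway names are placeholders; the group name "Global Exceptions" and the default primary category are assumptions.

```python
import json
import re
import ssl
import urllib.request
# Plain hostnames only: the post says "URLs are defined as Regular Expression" stays unchecked.
HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)


def validate_domains(domains):
    """Reject anything that is not a literal hostname (regex metacharacters, paths, schemes)."""
    bad = [d for d in domains if not HOSTNAME_RE.match(d)]
    if bad:
        raise ValueError(f"not plain hostnames: {bad}")
    return sorted({d.lower() for d in domains})


def application_site_payload(name, domains, category="Custom_Application_Site"):
    """Step 2: body for add-application-site. 'primary-category' is required by the API;
    the default value here is an assumption, use a category that exists on your server."""
    return {"name": name, "primary-category": category,
            "url-list": validate_domains(domains),
            "urls-defined-as-regular-expression": False}


def threat_exception_payload(name, site_name):
    """Step 3: body for add-threat-exception mirroring the post's column values.
    Assumption: the global exception group is addressable by the name 'Global Exceptions'."""
    return {"name": name, "exception-group-name": "Global Exceptions",
            "position": "top", "action": "Inactive",
            "protection-or-site": [site_name], "protected-scope": ["Any"],
            "source": ["Any"], "destination": ["Any"], "service": ["Any"]}


class MgmtApi:
    """Minimal Web API client: every command is a POST with the session id in X-chkp-sid."""
    def __init__(self, server, user, password):
        self.base, self.sid = f"https://{server}/web_api/", ""
        self.ctx = ssl.create_default_context()  # keep TLS verification on
        self.sid = self.call("login", {"user": user, "password": password})["sid"]

    def call(self, command, body):
        req = urllib.request.Request(self.base + command, data=json.dumps(body).encode(),
                                     headers={"Content-Type": "application/json",
                                              "X-chkp-sid": self.sid}, method="POST")
        with urllib.request.urlopen(req, context=self.ctx) as resp:
            return json.load(resp)


def whitelist_domains(api, site_name, domains, package, gateway):
    """Steps 2-4 end to end; step 5 (cache clearing, see sk105179) stays manual."""
    api.call("add-application-site", application_site_payload(site_name, domains))
    api.call("add-threat-exception", threat_exception_payload(f"Allow {site_name}", site_name))
    api.call("publish", {})
    return api.call("install-policy", {"policy-package": package, "targets": [gateway],
                                       "access": False, "threat-prevention": True})
```

Later replies in the thread note that a Custom Application/Site matches web ports rather than DNS, so after installing, confirm in the logs that the DNS Reputation prevent for the domain actually stops.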
Seems like you could create a custom application definition for said domains and create an exception for it in your Threat Prevention policy.
Something like this:
@Vladimir this might also be a solution to the thread you raised about this as well.
@PhoneBoy perhaps this would work, if Check Point is the one blocking it.
When I've added KnowBe4 domains to the categorization exceptions, the problems persisted, so in my case this was the issue:
When querying https.protected-forms.com from inside the network, I was getting "can't find" in nslookup:
Looking in Check Point for this query, we see that it detects it as a query for a malicious domain, but allows it:
Finally, looking at the public DNS resolver that the Domain Controller is forwarding the queries to (IBM's Secure DNS Service, Quad9):
I have reached out to KnowBe4 and they are working on whitelisting this domain with threat intelligence providers.
I know this is an old thread - but I've attempted to do this and haven't had any success.
I believe the issue is that Custom Site/Applications only detect on ports 80/443/8080, not DNS (port 53), which is what is being Prevented in the logs.
There doesn't seem to be a way to add additional Match-By criteria to custom site/applications in Check Point. I could add DNS to an existing App - but not a custom site/application.
Do you know if there's a way to get around this? I'll have to disable the AV protection on my Threat Prevention profile if I can't get exceptions working for these Microsoft Attack Simulation URLs.
Custom Application/Site objects use the settings for Web Browsing.
Those can be changed here (though adding DNS might result in a performance impact):
If you know the domains used, you can create FQDN Domain objects and use those in the exception (with service Any).
This assumes your gateway and clients resolve DNS the same.
This doesn't seem to be working here (R81.20).
I have a list of domains that are already exempt from IPS and HTTPS inspection as they're used in phishing campaigns, but cannot find a way to make an exception on the DNS Reputation protection.
Any other tip?
Thanks!
What specific things have you tried above and beyond the Custom Application/Site object?
In the "answer" for this thread, I had an FQDN Domain object (which I'm not 100% sure works).
If you're on R81.20, you might also try a Network Feed with the relevant domains included.
I did find an interesting tidbit in the R82 Threat Prevention guide that might help: "To add an exception to a DNS protection, you must go to the relevant log and add it from there."
This means right-click the log and select Add Exception.
If memory serves - this creates an exclusion for the detection name, not the domain. I was never able to get exclusions working for domains. The only way I could prevent the detection was by the detection name, which was untenable for Microsoft's attack simulation URLs. There are 130+ domains, each with a unique detection name. This is one of those things where I feel it should be simple to exclude detections by the domain name, considering it's a domain name resolution threat prevention mechanism. I hope Check Point implements a way to do this in the future.
It's also possible this note is specific to R82, since it is in the R82 documentation.
Thanks for your quick reply!
It looks like a network feed isn't a supported object in this scope.
That worked!
Doing "the same" through the "custom policy" tab didn't however.
Glad it did and I've updated the "correct" answer accordingly. 🙂