Steven_Lucas
Participant

DNS Reputation Exception

I am trying to white-list a single domain for DNS Reputation prevents. Currently, it seems like the only option is to make exceptions for all of our DNS servers, effectively turning off DNS Reputation checks for DNS lookups in our company. 

The domain is an employee awareness training, like for phishing, that is publicly available, so it technically is a phishing site and should not necessarily be re-categorized, but we'd like to whitelist it for our company during our phishing tests.

Has anyone ever had to do this before? 

1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin

Seems like you could create a custom application definition for said domains and create an exception for it in your Threat Prevention policy.
Something like this:

Screen Shot 2019-06-14 at 4.03.57 PM.png

@Vladimir this might also be a solution to the thread you raised about this as well.


4 Replies
Vladimir
Champion
Champion

@PhoneBoy perhaps this would work, if Check Point is the one blocking it.

When I've added KnowBe4 domains to the categorization exceptions, the problems persisted, so in my case this was the issue:

When querying the https.protected-forms.com from inside the network, I was getting "can't find" in nslookup:

image.png

Looking in Check Point for this query, we see that it detects it as a query for a malicious domain, but it allows it:

image.png

Finally, looking at the public DNS resolver that the Domain Controller is forwarding the queries to (IBM's Secure DNS Service, Quad9):

image.png


I have reached out to KnowBe4 and they are working on whitelisting this domain with threat intelligence providers.

bcsw222
Explorer

I know this is an old thread - but I've attempted to do this and haven't had any success.


I believe the issue is that Custom site/Applications only detect on ports 80/443/8080. Not DNS (port 53), which is what is being Prevented in the logs.


There doesn't seem to be a way to add additional Match-By criteria to custom site/applications in Check Point. I could add DNS to an existing App - but not a custom site/application.


Do you know if there's a way to get around this? I'll have to disable the AV protection on my Threat Prevention profile if I can't get exceptions working for these Microsoft Attack Simulation URLs.

PhoneBoy
Admin
Admin

Custom Application/Site objects use the settings for Web Browsing.
Those can be changed here (though adding DNS might result in a performance impact):

image.png

If you know the domains used, you can create FQDN Domain objects and use those in the exception (with service Any).
This assumes your gateway and clients resolve DNS the same.

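A check for the caveat in that last reply, added here as an example (not part of PhoneBoy's reply and not Check Point's own tooling): it resolves each FQDN from the exception through the resolver the gateway uses and the one clients use (hypothetical addresses and FQDNs), and flags domains that come back empty from one side, as in the "can't find" nslookup result earlier in the thread, or with different addresses on the two sides, since either way the FQDN Domain object and the clients' actual traffic will not line up. It assumes BIND-style nslookup output on the host it runs from.

```python
import re
import subprocess

# Hypothetical values: replace with the resolver your gateway uses, the one
# your clients use, and the FQDNs named in your Threat Prevention exception.
GATEWAY_RESOLVER = "192.0.2.53"
CLIENT_RESOLVER = "192.0.2.54"
EXCEPTION_FQDNS = ["training.example.net", "https.protected-forms.com"]

def parse_nslookup_a_records(output):
    """Return the answer IPv4 addresses in BIND-style nslookup output.

    The resolver's own line ('Address: x.x.x.x#53') does not match because
    of the '#53' suffix; a "can't find"/NXDOMAIN reply yields an empty set.
    """
    ips = set()
    for line in output.splitlines():
        m = re.match(r"\s*Address:\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$", line)
        if m:
            ips.add(m.group(1))
    return ips

def resolve_via(fqdn, resolver):
    """Ask one specific resolver for A records, bypassing the local stub."""
    proc = subprocess.run(["nslookup", "-type=A", fqdn, resolver],
                          capture_output=True, text=True)
    return parse_nslookup_a_records(proc.stdout)

def compare_resolutions(gateway_view, client_view):
    """Classify each FQDN from two {fqdn: set_of_ips} maps as
    'filtered' (a side returned nothing: NXDOMAIN or blocked upstream),
    'mismatch' (both answered, different addresses) or 'ok' (identical)."""
    verdict = {}
    for fqdn in set(gateway_view) | set(client_view):
        gw, cl = gateway_view.get(fqdn, set()), client_view.get(fqdn, set())
        if not gw or not cl:
            verdict[fqdn] = "filtered"
        elif gw != cl:
            verdict[fqdn] = "mismatch"  # e.g. different CDN edges per resolver
        else:
            verdict[fqdn] = "ok"
    return verdict

def audit_exception(fqdns=EXCEPTION_FQDNS, gw=GATEWAY_RESOLVER, cl=CLIENT_RESOLVER):
    """Resolve every exception FQDN through both resolvers and classify it."""
    return compare_resolutions({f: resolve_via(f, gw) for f in fqdns},
                               {f: resolve_via(f, cl) for f in fqdns})
```

Run `audit_exception()` from a host that can reach both resolvers; any FQDN reported as "filtered" needs the upstream resolver's block lifted before a gateway-side exception can help, and "mismatch" means the object and the clients' traffic resolve differently.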
