@PhoneBoy  perhaps this would work, if CHeck Point is the one blocking it.

When I've added KnowBe4 domains to the categorization exceptions, the problems persisted, so in my case this was the issue:

When querying the https.protected-forms.com from inside the network, I was getting "can't find" in nslookup:

Looking in Check Point for this query, we see that it detects it as the query for malicious domain, but it allows it:

Finally, looking at the public DNS resolver that the Domain Controller forwarding the queries to, (IBM's Secure DNS Service Quad 9):

I have reached out to KnowBe4 and they are working on whitelisting this domain with threat intelligence providers.

I know this is an old thread - but I've attempted to do this and haven't had any success.

I believe the issue is that Custom site/Applications only detect on ports 80/443/8080. Not DNS (port 53), which is what is being Prevented in the logs.

There doesn't seem to be a way to add additional Match-By criteria to custom site/applications in Check Point. I could add DNS to an existing App - but not a custom site/application.

Do you know if there's a way to get around this? I'll have to disable the AV protection on my Threat Prevention profile if I can't get exceptions working for these Microsoft Attack Simulation URLs.

Custom Application/Site objects use the settings for Web Browsing.
Those can be changed here (though adding DNS might result in a performance impact):

If you know the domains used, you can create FQDN Domain objects and use those in the exception (with service Any).
This assumes your gateway and clients resolve DNS the same.

This doesn't seem to be working here (R81.20).

I have a list of domains that are already exempt from IPS and HTTPS inspection as they're used in phishing campaigns, but cannot find a way to make an exception on the DNS Reputation protection.

Any other tip?

Thanks!

What specific things have you tried above any beyond the Custom Application/Site object?
In the "answer" for this thread, I had an FQDN Domain object (which I'm not 100% sure works).
If you're on R81.20, you might also try a Network Feed with the relevant domains included.

I did find an interesting tidbit in the R82 Threat Prevention guide that might help: "To add an exception to a DNS protection, you must go to the relevant log and add it from there."
This means right-click the log and select Add Exception.

If memory serves - this creates an exclusion for the detection name, not the domain. I was never able to get exclusions working for domains. The only way I could prevent the detection was by the detection name, which was untenable for Microsoft's attack simulation URLs. There are 130+ domains each with a unique detection name. This is one of those things where I feel it should be simple to exclude detections from the domain name considering it's a domain name resolution threat prevention mechanism. I hope CheckPoint implements a way to do this in the future.

It's also possible this note is specific to R82, since it is in the R82 documentation.

Thanks for your quick reply!

It looks like a network feed isn't a supported object in this scope.

That worked!

Doing "the same" through the "custom policy" tab didn't however.

Glad it did and I've updated the "correct" answer accordingly. 🙂