D_W
Advisor

DNS Trap Detect

Hi Mates,

In the logs we often see AV Protection hits with "Detect" as the action. Most of the time it is because of "DNS response was replaced with a DNS trap bogus IP. See sk74060 for more information."

Now in the overview there are a lot of entries with Action "Detect" instead of Action "Prevent", and this gets misinterpreted and leads to boring questions and confusion for some people.

Is it possible to change this to Action "Prevent"? Because according to the description, the attack was prevented by replacing the DNS response with a bogus IP!?

[screenshot attached: grafik.png]

thx
David

Kaspars_Zibarts
Employee

That's "by design" - if you use DNS trap, the DNS response needs to be delivered to the client so it starts the connection to the dummy IP. And that in turn is blocked and visible in the logs.

It actually says that in the description of the SK.

If you want to prevent, disable the DNS trap feature.

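Kaspars' point is that a DNS trap "Detect" log is only half the story: the actual block appears as a later log entry when the client connects to the bogus IP. As an added example (not from this thread and not Check Point code), the Python below pairs the two over constructed, simplified key=value log lines so an analyst can see which "Detect" entries were followed by a block; the field names, the trap IP and the follow-up description text are assumptions.

```python
import re

# Constructed sample log lines in a simplified key=value layout (an assumption;
# real Check Point log exports carry their own field names and formats). The
# DNS trap description is the one quoted in the original post.
SAMPLE_LOGS = """\
time=1700000001 src=10.1.2.3 dst=8.8.8.8 blade="Anti-Virus" action=Detect description="DNS response was replaced with a DNS trap bogus IP. See sk74060 for more information."
time=1700000002 src=10.1.2.3 dst=203.0.113.99 blade="Anti-Virus" action=Prevent description="Connection to DNS trap bogus IP blocked"
time=1700000005 src=10.1.2.4 dst=8.8.8.8 blade="Anti-Virus" action=Detect description="DNS response was replaced with a DNS trap bogus IP. See sk74060 for more information."
time=1700000010 src=10.1.2.5 dst=198.51.100.7 blade="Anti-Virus" action=Detect description="Malicious file download"
"""

TRAP_IP = "203.0.113.99"  # constructed bogus IP assumed to be configured for the DNS trap
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
TRAP_MARKER = "replaced with a DNS trap bogus IP"


def parse_line(line):
    """Turn one key=value log line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def classify_dns_trap_events(log_text, trap_ip=TRAP_IP, window=300):
    """For each DNS trap 'Detect' event, look for a later 'Prevent' from the same
    source to the trap IP within `window` seconds. Returns one dict per trap event
    with status 'prevented' (client hit the trap and was blocked) or 'pending'
    (no follow-up block seen, e.g. the client never opened the connection)."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=lambda e: int(e["time"]))
    blocks = [e for e in events if e["action"] == "Prevent" and e["dst"] == trap_ip]
    results = []
    for e in events:
        if e["action"] != "Detect" or TRAP_MARKER not in e["description"]:
            continue
        t = int(e["time"])
        hit = next((b for b in blocks if b["src"] == e["src"]
                    and t <= int(b["time"]) <= t + window), None)
        results.append({"src": e["src"], "time": t,
                        "status": "prevented" if hit else "pending"})
    return results


if __name__ == "__main__":
    for r in classify_dns_trap_events(SAMPLE_LOGS):
        print(r)
```

Unrelated "Detect" entries (the malicious download line) are left alone, so the pairing only re-interprets DNS trap hits.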
PhoneBoy
Admin (accepted solution)

I could have sworn we changed these logs to prevent in R81, but could be wrong about that.

Chris_Atkinson
Employee

We certainly did per:

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_RN/Topics-RN/Software-Changes.htm

"Log description change for DNS sinkhole trap - log is changed to Prevent instead of Detect, the Security Gateway prevents users from reaching malicious sites."

CCSM R77/R80/ELITE
D_W
Advisor

Perfect, good to know!
We're still on R80.40 here.

thx!!
