Is it possible to block by User Agent or Client Type?
We see requests going through our Check Point firewall from various Client Types, e.g.:
Other: polaris botnet
Other: Abbyy.Internet
Example log:
We wonder if it's possible to block by User Agent or Client Type.
Any ideas?
We are on R80.30 with all features except DLP and Threat Extraction/Emulation.
Hi,
There is a built-in application for a variety of browsers that can be used in the rule base as an additional ordered layer of a parent rule for an inline layer; as a result you can allow/block specific browsers and still maintain general control of other apps.
For generic/custom user-agents it's possible to create a custom app with a specific user-agent defined.
For a custom app, use the Signature Tool for custom Application and URL (sk103051).
Kind regards,
Roman.
Thanks!
Will use the Signature Tool for this.
Just wondering whether this is CPU-intensive, as I want to block several User Agents.
Also, any idea how I can use an OR statement to add multiple User Agents in one custom signature? I am not familiar with PCRE.
It should not have an additional performance impact (the user-agent is already inspected, as it is displayed in your log). I didn't try the OR command, but PCRE has it (maybe best to try it in a lab first).
In your screenshot IPS was already triggered on this traffic; depending on the signature, it's worth setting it to Prevent (or Detect at first, to understand which additional traffic falls under it). This might be the simplest way to reach your end goal.
By the way, IPS has the ability to reject traffic by a specific header too, as below:
HTH,
Roman.
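Added example (not from the thread or from Check Point): the "OR" the asker wants is regex alternation, `(?:a|b)`, which PCRE and Python's `re` module share, so the pattern can be prototyped and checked against sample User-Agent values before it goes into the Signature Tool (the tool itself still has to be validated in a lab, as Roman says). The sample headers below are constructed and assume the client-type names from the post appear literally inside the User-Agent string; the helper names are mine.

```python
import re

# Client-type names from the thread that the asker wants to block.
BLOCKED_AGENTS = ["polaris botnet", "Abbyy.Internet"]

# Constructed sample request lines and User-Agent values (not the post's real log).
SAMPLE_REQUESTS = [
    ("GET /index.html", "polaris botnet/1.0"),
    ("GET /login", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/115.0"),
    ("GET /feed", "Abbyy.Internet Crawler 2.1"),
    ("GET /probe", "AbbyyXInternet/0.9"),   # similar-looking, but not on the list
    ("GET /x", "POLARIS BOTNET"),           # same agent, different case
]


def build_alternation(agents, case_insensitive=True):
    """Join several literal User-Agent fragments into one alternation.

    re.escape() turns the '.' in 'Abbyy.Internet' into a literal dot instead
    of "any character"; '(?:...|...)' is the OR; the pattern is deliberately
    not anchored with ^ or $ because the fragment is usually only part of the
    full User-Agent header value.
    """
    body = "|".join(re.escape(a) for a in agents)
    flags = "(?i)" if case_insensitive else ""
    return f"{flags}(?:{body})"


def blocked(user_agent, pattern):
    """True when the User-Agent value contains any of the blocked fragments."""
    return re.search(pattern, user_agent) is not None


def filter_requests(requests, pattern):
    """Return (action, request line) pairs, like a drop/accept log."""
    return [("drop" if blocked(ua, pattern) else "accept", line)
            for line, ua in requests]


if __name__ == "__main__":
    pattern = build_alternation(BLOCKED_AGENTS)
    print("pattern:", pattern)
    for action, line in filter_requests(SAMPLE_REQUESTS, pattern):
        print(f"{action:6} {line}")
    # Contrast: the unescaped version also matches 'AbbyyXInternet/0.9'.
    naive = "(?i)(?:" + "|".join(BLOCKED_AGENTS) + ")"
    print("naive pattern matches AbbyyXInternet:", blocked("AbbyyXInternet/0.9", naive))
```

The point of the `naive` comparison is the one practical caveat when hand-writing these patterns: an unescaped dot silently widens the match, so escape each literal fragment before joining them with `|`.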
Thanks, this is great.
For some reason I couldn't get it to work using IPS headers. Will look into this more.
1. They are "Core" protections, meaning changes to them require an Access Policy installation instead of a Threat Prevention policy installation.
2. These protections may not work with HTTPS traffic, even if HTTPS Inspection is enabled (at least as reported by the community).
Might be better to use the Application Control Signature Tool instead if that's the case.
I have been toying a bit with client types for blocking unwanted bits of traffic and potential malware in HTTP/HTTPS traffic to the internet. Here is what my rule looks like:
As you can see, I tried a 'drop what doesn't match' type of rule, so I have negated what I wish to allow in order to drop everything else. 'Good client types' are applications I have created based on User-Agent: some Windows BITS and other agents for Windows CRL checks, etc.
Things I've noticed:
1) Traffic that is bypassed by HTTPS Inspection doesn't match the rule and gets dropped, so categories like 'Financial Services' and 'override categorization' sites need to be allowed before this rule.
2) Traffic that doesn't contain a User-Agent header, or for which Check Point can't determine a client type, gets dropped.
I spent quite a bit of time checking whether this kind of approach would work OK in a user-to-internet type of environment, but unfortunately I have a feeling I will need to drop the User-Agent approach for filtering noise and malware. The biggest issue I find is with allowing traffic that doesn't carry a User-Agent header, or for which Check Point can't locate a client type.
If anyone has attempted anything like the above, can they advise on their approach?
Thanks,
A
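Added example (mine, not Check Point code): a small simulation of an ordered rulebase that reproduces the two effects reported in this post, a negated "good client types" rule dropping anything whose User-Agent the gateway cannot see or classify, and the need for an HTTPS-inspection-bypass exemption placed before it, next to the narrower block-specific-agents approach Roman suggested earlier in the thread. The client-type names, regex patterns, categories and sample requests are all constructed for illustration and are not Check Point application signatures.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed allow-list modelled on the post's "good client types"
# (custom applications built from User-Agent). Patterns are illustrative.
GOOD_CLIENT_TYPES = {
    "Windows BITS": r"^Microsoft BITS/",
    "Windows CryptoAPI (CRL)": r"^Microsoft-CryptoAPI/",
    "Firefox": r"Mozilla/5\.0 \(.*\) Gecko/\d+ Firefox/",
}

# Constructed block-list for the narrower approach (specific bad agents only).
BAD_CLIENT_TYPES = {
    "polaris botnet": r"polaris botnet",
    "Abbyy.Internet": r"Abbyy\.Internet",
}

# Categories the post found must be accepted before the negated rule, because
# HTTPS-inspection bypass hides the User-Agent from the gateway.
BYPASSED_CATEGORIES = {"Financial Services"}


@dataclass
class Request:
    url: str
    category: str
    inspected: bool            # False when HTTPS Inspection bypassed the connection
    user_agent: Optional[str]  # None when no User-Agent header is present


def client_type(req, catalogue):
    """Name of the first matching client type, or None when the gateway
    cannot see the header (bypassed) or cannot classify it."""
    if not req.inspected or req.user_agent is None:
        return None
    for name, pattern in catalogue.items():
        if re.search(pattern, req.user_agent):
            return name
    return None


def evaluate(req, bypass_rule_first, allowlist_mode):
    """Walk an ordered rulebase; return (action, matched rule)."""
    if bypass_rule_first and req.category in BYPASSED_CATEGORIES:
        return ("accept", "bypassed categories")
    if allowlist_mode:
        # The post's rule: drop everything whose client type is NOT a good one.
        if client_type(req, GOOD_CLIENT_TYPES) is not None:
            return ("accept", "good client types")
        return ("drop", "not(good client types)")
    # Narrower alternative: only the specific bad agents are dropped.
    if client_type(req, BAD_CLIENT_TYPES) is not None:
        return ("drop", "bad client types")
    return ("accept", "cleanup")


# Constructed sample traffic (not from the post).
SAMPLE = [
    Request("https://bank.example/", "Financial Services", False, None),
    Request("http://crl.example/root.crl", "Computers / Internet", True, "Microsoft-CryptoAPI/10.0"),
    Request("http://update.example/pkg", "Computers / Internet", True, None),
    Request("http://api.example/v1", "Computers / Internet", True, "python-requests/2.31"),
    Request("http://www.example/", "Computers / Internet", True,
            "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:115.0) Gecko/20100101 Firefox/115.0"),
    Request("http://site.example/", "Computers / Internet", True, "polaris botnet/1.0"),
]


def run(bypass_rule_first, allowlist_mode):
    return [evaluate(r, bypass_rule_first, allowlist_mode)[0] for r in SAMPLE]


if __name__ == "__main__":
    for label, args in [("allow-list, no bypass rule", (False, True)),
                        ("allow-list, bypass rule first", (True, True)),
                        ("block-list only", (False, False))]:
        print(f"{label}:")
        for req, action in zip(SAMPLE, run(*args)):
            print(f"  {action:6} {req.url}  (UA={req.user_agent!r}, inspected={req.inspected})")
```

In the allow-list runs the bypassed bank connection, the request with no User-Agent header, and the unrecognised `python-requests` agent are all dropped; moving the bypass exemption ahead of the negated rule rescues only the first of those. The block-list run drops just the named bad agent and leaves header-less traffic alone, which is what makes it the more workable default for user-to-internet traffic.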
Hi Antonis,
Allowing traffic solely by user-agent is a very strict/limiting approach. This is mostly used to block specific user agents.
Kind regards,
Roman.
