This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Antonis_Hassiot
Contributor
‎2020-07-08 12:32 AM
Jump to solution

Is it possible to block by User Agent or Client Type?

We see requests going through our Checkpoint firewall from various Client Types e.g:

 

Other: polaris botnet

Other: Abbyy.Internet

Example log:

Capture.PNG

We wonder if it's possible to block by User Agent or Client Type. 

Any ideas?

We are on 80.30 with all features except DLP and Threat Extraction/Emulation

 

 

 

0 Kudos
1 Solution

Accepted Solutions
RomanKunicher
Employee Alumnus
Employee Alumnus
‎2020-07-09 08:42 AM
In response to Antonis_Hassiot
Jump to solution

Should not have additional performance impact (the user-agent inspected already as its displayed in your log), I didn't try OR command, but PCRE have it (maybe best to try in lab 1st)

 

In your screenshot IPS was already triggered on this traffic, depends on the signature, its worth to set it on prevent (or detect at first to understand which additional traffic falls under it) - this might be the simplest way for your end goal.

btw, IPS have ability to reject traffic by specific header too as below:

6.png

 

 

hth,

Roman.

View solution in original post

7 Replies
RomanKunicher
Employee Alumnus
Employee Alumnus
‎2020-07-09 07:40 AM
Jump to solution

Hi,

There is built in application for verity of browsers that can be used in the rule base as additional ordered layer of parent rule for inline layer, as result you can allow/block specific Browsers and still maintain general control of other apps.

 

1.png2.jpg

 

For generic/custom user-agents its possible to create custom app with a defined specific user-agent.

For custom app, use the  Signature Tool for custom Application and URL.  (sk103051)

3.png4.png

 

Kind regards,

Roman.

 

Antonis_Hassiot
Contributor
‎2020-07-09 07:53 AM
In response to RomanKunicher
Jump to solution

Thanks!

Will use the signature tool for this. 

Just wondering whether this is CPU intensive as I wanted to block several User Agents.

Also, any idea on how I can use OR statement to add multiple User Agents in one custom signature? I am not familiar with PCRE

 

0 Kudos
RomanKunicher
Employee Alumnus
Employee Alumnus
‎2020-07-09 08:42 AM
In response to Antonis_Hassiot
Jump to solution

Should not have additional performance impact (the user-agent inspected already as its displayed in your log), I didn't try OR command, but PCRE have it (maybe best to try in lab 1st)

 

In your screenshot IPS was already triggered on this traffic, depends on the signature, its worth to set it on prevent (or detect at first to understand which additional traffic falls under it) - this might be the simplest way for your end goal.

btw, IPS have ability to reject traffic by specific header too as below:

6.png

 

 

hth,

Roman.

Antonis_Hassiot
Contributor
‎2020-07-10 05:39 AM
In response to RomanKunicher
Jump to solution

Thanks, this is great. 

For some reason I couldn't get it to work using IPS headers. Will check out more on this.

0 Kudos
PhoneBoy
Admin
Admin
‎2020-07-12 07:40 PM
In response to Antonis_Hassiot
Jump to solution

A couple notes about these IPS protections:

1. They are "Core" protections, meaning changes to them require an Access Policy installation instead of a Threat Prevention policy installation.
2. These protections may not work with HTTPS traffic, even if HTTPS Inspection is enabled (at least as reported by the community).

Might be better to use the Application Control Signature Tool instead if that's the case.
Antonis_Hassiot
Contributor
‎2021-03-01 10:04 AM
In response to PhoneBoy
Jump to solution

I have been toying a bit with client types for blocking unwanted bits of traffic and potential malware for http/https traffic to the internet. Here is what my rule looks like:

Capture.PNG

As you can see I tried a 'drop what doesn't match' type rule, so I have negated what I wish to allow to drop everything else. 'Good client types' are applications I have created based on User-Agent, some windows BITS and other agents for windows CRL checks etc. 

 

Things I've noticed:

1) Traffic that is bypassed by HTTPs inspection doesn't match the rule and gets dropped, so Categories like 'Financial Services' and 'override categorization' sites need to be allowed before this rule. 

2) Traffic that doesn't contain User-Agent header or that Checkpoint can't determine a client type for, gets dropped. 

I spent quite a bit of time checking to see whether this kind of approach would work ok in a user to internet type environment, but unfortunately I have a feeling I will need to drop the User Agent approach for filtering noise and malware. The biggest issue I find is with allowing traffic that doesn't carry a User Agent header, or that Checkpoint can't locate client type for.  

If anyone has attempted anything like the above can they advise on their approach?

Thanks,

A

0 Kudos
RomanKunicher
Employee Alumnus
Employee Alumnus
‎2021-03-02 01:41 AM
In response to Antonis_Hassiot
Jump to solution

Hi Antonis,

Allowing traffic solely by user-agent is a very strict/limiting approach. this is mostly used to Block specific user agents.

Kind regards,

Roma.

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events