Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Antonis_Hassiot
Contributor
Jump to solution

Is it possible to block by User Agent or Client Type?

We see requests going through our Checkpoint firewall from various Client Types e.g:

 

Other: polaris botnet

Other: Abbyy.Internet

Example log:

Capture.PNG

We wonder if it's possible to block by User Agent or Client Type. 

Any ideas?

We are on 80.30 with all features except DLP and Threat Extraction/Emulation

 

 

 

0 Kudos
1 Solution

Accepted Solutions
RomanKunicher
Employee Alumnus
Employee Alumnus

Should not have additional performance impact (the user-agent inspected already as its displayed in your log), I didn't try OR command, but PCRE have it (maybe best to try in lab 1st)

 

In your screenshot IPS was already triggered on this traffic, depends on the signature, its worth to set it on prevent (or detect at first to understand which additional traffic falls under it) - this might be the simplest way for your end goal.

btw, IPS have ability to reject traffic by specific header too as below:

6.png

 

 

hth,

Roman.

View solution in original post

7 Replies
RomanKunicher
Employee Alumnus
Employee Alumnus

Hi,

There is built in application for verity of browsers that can be used in the rule base as additional ordered layer of parent rule for inline layer, as result you can allow/block specific Browsers and still maintain general control of other apps.

 

1.png2.jpg

 

For generic/custom user-agents its possible to create custom app with a defined specific user-agent.

For custom app, use the  Signature Tool for custom Application and URL.  (sk103051)

3.png4.png

 

Kind regards,

Roman.

 

Antonis_Hassiot
Contributor

Thanks!

Will use the signature tool for this. 

Just wondering whether this is CPU intensive as I wanted to block several User Agents.

Also, any idea on how I can use OR statement to add multiple User Agents in one custom signature? I am not familiar with PCRE

 

0 Kudos
RomanKunicher
Employee Alumnus
Employee Alumnus

Should not have additional performance impact (the user-agent inspected already as its displayed in your log), I didn't try OR command, but PCRE have it (maybe best to try in lab 1st)

 

In your screenshot IPS was already triggered on this traffic, depends on the signature, its worth to set it on prevent (or detect at first to understand which additional traffic falls under it) - this might be the simplest way for your end goal.

btw, IPS have ability to reject traffic by specific header too as below:

6.png

 

 

hth,

Roman.

Antonis_Hassiot
Contributor

Thanks, this is great. 

For some reason I couldn't get it to work using IPS headers. Will check out more on this.

0 Kudos
PhoneBoy
Admin
Admin
A couple notes about these IPS protections:

1. They are "Core" protections, meaning changes to them require an Access Policy installation instead of a Threat Prevention policy installation.
2. These protections may not work with HTTPS traffic, even if HTTPS Inspection is enabled (at least as reported by the community).

Might be better to use the Application Control Signature Tool instead if that's the case.
Antonis_Hassiot
Contributor

I have been toying a bit with client types for blocking unwanted bits of traffic and potential malware for http/https traffic to the internet. Here is what my rule looks like:

Capture.PNG

As you can see I tried a 'drop what doesn't match' type rule, so I have negated what I wish to allow to drop everything else. 'Good client types' are applications I have created based on User-Agent, some windows BITS and other agents for windows CRL checks etc. 

 

Things I've noticed:

1) Traffic that is bypassed by HTTPs inspection doesn't match the rule and gets dropped, so Categories like 'Financial Services' and 'override categorization' sites need to be allowed before this rule. 

2) Traffic that doesn't contain User-Agent header or that Checkpoint can't determine a client type for, gets dropped. 

I spent quite a bit of time checking to see whether this kind of approach would work ok in a user to internet type environment, but unfortunately I have a feeling I will need to drop the User Agent approach for filtering noise and malware. The biggest issue I find is with allowing traffic that doesn't carry a User Agent header, or that Checkpoint can't locate client type for.  

If anyone has attempted anything like the above can they advise on their approach?

Thanks,

A

0 Kudos
RomanKunicher
Employee Alumnus
Employee Alumnus

Hi Antonis,

Allowing traffic solely by user-agent is a very strict/limiting approach. this is mostly used to Block specific user agents.

Kind regards,

Roma.

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events