This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
stallwoodj
Collaborator
Collaborator
‎2022-02-15 06:39 AM
Jump to solution

Malware DNS trap with firewall's management IP

Hi,

I have a customer with a problem that's been occurring both with their old R80.40 firewall and even since we upgraded to R81.

Every once in a while they get hours where policy cannot be installed with "TCP Connectivity Failure on port 18191" (error no, 10) and I have confirmed that the CPD connection is being dropped due to Malware DNS Trap.

They have set the Malware DNS Trap IP to the inside IP of their firewall, which is also the interface for management.

I've changed it, but of course I now have to wait until the connectivity is unblocked, to push the change!!

 

Please could CP ensure that inbound control connections don't get blocked in future versions?

 

Thanks

Jamie

 

0 Kudos
2 Solutions

Accepted Solutions
G_W_Albrecht
Legend Legend
Legend
‎2022-02-15 06:50 AM
Jump to solution

According to sk176926:

To resolve the problem, remove the Security gateway's IP address from the DNS trap setting and leave it as blank.
Note:  The default value for DNS trap IP address is 62.0.58.94. 

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

View solution in original post

Timothy_Hall
Legend Legend
Legend
‎2022-02-16 06:54 AM
Jump to solution

Yeah don't set the Malware Trap IP to an actual interface of the firewall.  Surprised doing so didn't get you into a LOT more trouble there.  There should either be a note on that configuration screen warning not to do that, or doing so should be blocked in the GUI.

Attend my Gateway Performance Optimization R81.20 course
CET (Europe) Timezone Course Scheduled for July 1-2

View solution in original post

5 Replies
G_W_Albrecht
Legend Legend
Legend
‎2022-02-15 06:50 AM
Jump to solution

According to sk176926:

To resolve the problem, remove the Security gateway's IP address from the DNS trap setting and leave it as blank.
Note:  The default value for DNS trap IP address is 62.0.58.94. 

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Timothy_Hall
Legend Legend
Legend
‎2022-02-16 06:54 AM
Jump to solution

Yeah don't set the Malware Trap IP to an actual interface of the firewall.  Surprised doing so didn't get you into a LOT more trouble there.  There should either be a note on that configuration screen warning not to do that, or doing so should be blocked in the GUI.

Attend my Gateway Performance Optimization R81.20 course
CET (Europe) Timezone Course Scheduled for July 1-2
stallwoodj
Collaborator
Collaborator
‎2022-02-16 07:00 AM
In response to Timothy_Hall
Jump to solution

Thanks both. This was a previous incumbent provider who did this!

Fortunately I eventually managed to get a CPD connection "under the radar" of Malware DNS to push the corrected setting.

But yes, either some warning on the GUI, or automatic exclusion of CPD traffic addressed to the module, would be great!

 

Cheers

Jamie

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2022-02-16 07:11 AM
In response to stallwoodj
Jump to solution

Would be great - but if every possible misconfiguration would trigger a warning, specialists would die of hunger 😉 The more granular the more complicated !

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Chris_Atkinson
Employee Employee
Employee
‎2022-02-16 07:21 AM
Jump to solution

Thanks for the feedback, note the current documentation is clear on this issue:

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_ThreatPrevention_AdminGuide/Topics...

The Malware DNS trap works by configuring the Security Gateway to return a false (bogus) IP address for known malicious hosts and domains. You can use the Security Gateway external IP address as the DNS trap address but:

Do not use a gateway address that leads to the internal network.

Do not use the gateway internal management address.

If the gateway external IP address is also the management address, select a different address for the DNS trap.

CCSM R77/R80/ELITE
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events
    Top