This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
stallwoodj
Collaborator
Collaborator
‎2022-02-15 06:39 AM
Jump to solution

Malware DNS trap with firewall's management IP

Hi,

I have a customer with a problem that's been occurring both with their old R80.40 firewall and even since we upgraded to R81.

Every once in a while they get hours where policy cannot be installed with "TCP Connectivity Failure on port 18191" (error no, 10) and I have confirmed that the CPD connection is being dropped due to Malware DNS Trap.

They have set the Malware DNS Trap IP to the inside IP of their firewall, which is also the interface for management.

I've changed it, but of course I now have to wait until the connectivity is unblocked, to push the change!!

 

Please could CP ensure that inbound control connections don't get blocked in future versions?

 

Thanks

Jamie

 

0 Kudos
2 Solutions

Accepted Solutions
G_W_Albrecht
Legend
Legend
‎2022-02-15 06:50 AM
Jump to solution

According to sk176926:

To resolve the problem, remove the Security gateway's IP address from the DNS trap setting and leave it as blank.
Note:  The default value for DNS trap IP address is 62.0.58.94. 

CCSE CCTE CCSM SMB Specialist

View solution in original post

Timothy_Hall
Champion Champion
Champion
‎2022-02-16 06:54 AM
Jump to solution

Yeah don't set the Malware Trap IP to an actual interface of the firewall.  Surprised doing so didn't get you into a LOT more trouble there.  There should either be a note on that configuration screen warning not to do that, or doing so should be blocked in the GUI.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com

View solution in original post

5 Replies
G_W_Albrecht
Legend
Legend
‎2022-02-15 06:50 AM
Jump to solution

According to sk176926:

To resolve the problem, remove the Security gateway's IP address from the DNS trap setting and leave it as blank.
Note:  The default value for DNS trap IP address is 62.0.58.94. 

CCSE CCTE CCSM SMB Specialist
Timothy_Hall
Champion Champion
Champion
‎2022-02-16 06:54 AM
Jump to solution

Yeah don't set the Malware Trap IP to an actual interface of the firewall.  Surprised doing so didn't get you into a LOT more trouble there.  There should either be a note on that configuration screen warning not to do that, or doing so should be blocked in the GUI.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
stallwoodj
Collaborator
Collaborator
‎2022-02-16 07:00 AM
In response to Timothy_Hall
Jump to solution

Thanks both. This was a previous incumbent provider who did this!

Fortunately I eventually managed to get a CPD connection "under the radar" of Malware DNS to push the corrected setting.

But yes, either some warning on the GUI, or automatic exclusion of CPD traffic addressed to the module, would be great!

 

Cheers

Jamie

0 Kudos
G_W_Albrecht
Legend
Legend
‎2022-02-16 07:11 AM
In response to stallwoodj
Jump to solution

Would be great - but if every possible misconfiguration would trigger a warning, specialists would die of hunger 😉 The more granular the more complicated !

CCSE CCTE CCSM SMB Specialist
Chris_Atkinson
Employee Employee
Employee
‎2022-02-16 07:21 AM
Jump to solution

Thanks for the feedback, note the current documentation is clear on this issue:

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_ThreatPrevention_AdminGuide/Topics...

The Malware DNS trap works by configuring the Security Gateway to return a false (bogus) IP address for known malicious hosts and domains. You can use the Security Gateway external IP address as the DNS trap address but:

Do not use a gateway address that leads to the internal network.

Do not use the gateway internal management address.

If the gateway external IP address is also the management address, select a different address for the DNS trap.

CCSM R77/R80/ELITE
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    Virtual

    Tue 23 Apr 2024 @ 11:00 AM (EDT)

    East US: What's New in R82
    Virtual

    Thu 25 Apr 2024 @ 11:00 AM (SGT)

    APAC: CPX 2024 Recap

    Thu 25 Apr 2024 @ 10:00 AM (CEST)

    The Anatomy of a Cloud Hack by NotSoSecure - EMEA Session

    Thu 25 Apr 2024 @ 06:00 PM (IDT)

    The Anatomy of a Cloud Hack by NotSoSecure - America Session
    Virtual

    Tue 30 Apr 2024 @ 03:00 PM (CDT)

    EMEA: CPX 2024 Recap
    Virtual

    Thu 02 May 2024 @ 11:00 AM (SGT)

    APAC: What's new in R82
    Virtual

    Tue 23 Apr 2024 @ 11:00 AM (EDT)

    East US: What's New in R82
    Virtual

    Thu 25 Apr 2024 @ 11:00 AM (SGT)

    APAC: CPX 2024 Recap
    Virtual

    Tue 30 Apr 2024 @ 03:00 PM (CDT)

    EMEA: CPX 2024 Recap
    Virtual

    Thu 02 May 2024 @ 11:00 AM (SGT)

    APAC: What's new in R82
    Virtual

    Thu 02 May 2024 @ 04:00 PM (CEST)

    CheckMates Live DACH - Keine Kompromisse - Sicheres SD-WAN
    Virtual

    Thu 02 May 2024 @ 05:00 PM (CEST)

    SASE Masters: Deploying Harmony SASE for a 6,000-Strong Workforce in a Single Weekend
    CheckMates Events