stallwoodj
Collaborator

Malware DNS trap with firewall's management IP

Hi,

I have a customer with a problem that's been occurring both with their old R80.40 firewall and even since we upgraded to R81.

Every once in a while they get hours where policy cannot be installed with "TCP Connectivity Failure on port 18191" (error no. 10), and I have confirmed that the CPD connection is being dropped due to Malware DNS Trap.

They have set the Malware DNS Trap IP to the inside IP of their firewall, which is also the interface for management.

I've changed it, but of course I now have to wait until the connectivity is unblocked, to push the change!!


Please could CP ensure that inbound control connections don't get blocked in future versions?


Thanks

Jamie


5 Replies
G_W_Albrecht
Legend

According to sk176926:

To resolve the problem, remove the Security gateway's IP address from the DNS trap setting and leave it as blank.
Note: The default value for DNS trap IP address is 62.0.58.94.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Timothy_Hall
Legend

Yeah don't set the Malware Trap IP to an actual interface of the firewall.  Surprised doing so didn't get you into a LOT more trouble there.  There should either be a note on that configuration screen warning not to do that, or doing so should be blocked in the GUI.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
stallwoodj
Collaborator

Thanks both. This was a previous incumbent provider who did this!

Fortunately I eventually managed to get a CPD connection "under the radar" of Malware DNS to push the corrected setting.

But yes, either some warning on the GUI, or automatic exclusion of CPD traffic addressed to the module, would be great!


Cheers

Jamie

G_W_Albrecht
Legend

Would be great - but if every possible misconfiguration triggered a warning, specialists would die of hunger 😉 The more granular, the more complicated!

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Chris_Atkinson
Employee

Thanks for the feedback; note that the current documentation is clear on this issue:

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_ThreatPrevention_AdminGuide/Topics...

The Malware DNS trap works by configuring the Security Gateway to return a false (bogus) IP address for known malicious hosts and domains. You can use the Security Gateway external IP address as the DNS trap address but:

Do not use a gateway address that leads to the internal network.

Do not use the gateway internal management address.

If the gateway external IP address is also the management address, select a different address for the DNS trap.

CCSM R77/R80/ELITE
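As an added illustration, not part of the thread and not Check Point's own code: a small Python model of the two halves of the Malware DNS Trap (a bogus DNS answer for a known malicious FQDN, then a destination-based drop of anything that connects to the bogus address), together with a check of the trap address against the rules quoted from the admin guide and sk176926 above. The topology, addresses, interface names, management server address, the malicious domain, and all function names are constructed assumptions for the demo; the only values taken from the thread are port 18191 and the default trap address 62.0.58.94.

```python
import ipaddress
from dataclasses import dataclass, field


CPD_PORT = 18191                 # port named in the thread's "TCP Connectivity Failure" error
DEFAULT_TRAP_IP = "62.0.58.94"   # default DNS trap address as quoted from sk176926 above


@dataclass
class Interface:
    name: str
    address: str
    network: str
    internal: bool               # True if the interface faces the internal network


@dataclass
class Gateway:
    interfaces: list
    management_ip: str           # address SmartConsole / the SMS talks to on TCP 18191
    dns_trap_ip: str = ""        # "" models "leave it blank": the default address applies
    malicious_domains: set = field(default_factory=set)

    def effective_trap_ip(self) -> str:
        return self.dns_trap_ip or DEFAULT_TRAP_IP


def dns_answer(gw: Gateway, qname: str, real_answer: str) -> str:
    """Step 1 of the trap: a lookup of a known malicious FQDN gets the bogus IP, not the real one."""
    if qname.lower().rstrip(".") in gw.malicious_domains:
        return gw.effective_trap_ip()
    return real_answer


def inspect_connection(gw: Gateway, src_ip: str, dst_ip: str, dst_port: int) -> str:
    """Step 2 of the trap: a connection to the bogus IP identifies an infected host and is dropped.
    The decision is purely destination-based, which is why a trap IP that is also a real
    gateway address catches CPD on 18191 as readily as it catches a bot calling home."""
    if dst_ip == gw.effective_trap_ip():
        return f"DROP {src_ip}->{dst_ip}:{dst_port} (Malware DNS Trap hit, {src_ip} flagged as infected)"
    return f"ACCEPT {src_ip}->{dst_ip}:{dst_port}"


def validate_trap_ip(gw: Gateway) -> list:
    """Apply the rules quoted from the R81 Threat Prevention guide and sk176926.
    Returns a list of findings; an empty list means the setting is acceptable."""
    findings = []
    if not gw.dns_trap_ip:
        return findings          # blank: default address, which is the sk176926 resolution
    trap = ipaddress.ip_address(gw.dns_trap_ip)
    if gw.dns_trap_ip == gw.management_ip:
        findings.append("trap IP is the gateway management address: control connections "
                        f"(CPD, TCP/{CPD_PORT}) to the gateway will be dropped as trap hits")
    for i in gw.interfaces:
        if i.internal and gw.dns_trap_ip == i.address:
            findings.append(f"trap IP is the address of internal interface {i.name}")
        elif i.internal and trap in ipaddress.ip_network(i.network, strict=False):
            findings.append(f"trap IP {trap} lies in internal network {i.network} ({i.name}): "
                            "trapped hosts would be steered at a real internal host")
    return findings


def build_gateway(trap_ip: str) -> Gateway:
    """Constructed topology (hypothetical addresses, not from the thread)."""
    return Gateway(
        interfaces=[
            Interface("eth0", "203.0.113.10", "203.0.113.0/24", internal=False),
            Interface("eth1", "192.168.1.1", "192.168.1.0/24", internal=True),
        ],
        management_ip="192.168.1.1",
        dns_trap_ip=trap_ip,
        malicious_domains={"bad.example"},
    )


def demo() -> dict:
    """Run the same CPD connection and infected-host lookup against the broken and fixed config."""
    sms = "192.168.1.50"                    # constructed management server address
    broken = build_gateway("192.168.1.1")   # the customer's setting: trap IP = inside/management IP
    fixed = build_gateway("")               # sk176926: leave the setting blank
    return {
        "broken_findings": validate_trap_ip(broken),
        "broken_cpd": inspect_connection(broken, sms, broken.management_ip, CPD_PORT),
        "fixed_findings": validate_trap_ip(fixed),
        "fixed_cpd": inspect_connection(fixed, sms, fixed.management_ip, CPD_PORT),
        # an infected host is still trapped after the fix, because the default address applies
        "fixed_bot": inspect_connection(fixed, "192.168.1.77",
                                        dns_answer(fixed, "bad.example", "198.51.100.9"), 443),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the model makes explicit is that the trap has no notion of "traffic addressed to the module": whatever address is configured becomes a sink for every connection, so the validator's first finding is exactly the outage described in the opening post, and the blank setting restores both management access and the trap's intended effect on an infected host.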