Phaneath_Phourn
Participant

Threat Prevention Is Not Blocking DNS Reputation, Which the Policy Is Set to Block

Hello,

My client has a concern about DNS Reputation traffic with High severity: Check Point only detects this traffic. In the policy, we set block on High and Medium; only Low is set to detect.

Does anyone know how to change it, or which setting switches it between block and detect? Below is the screenshot of the log.

Below is the record detail:

Thanks for any idea.

1 Solution

Accepted Solutions
PhoneBoy
Admin

In the R81 Release Notes, there is a documented behavior change related to this:

  • Log description change for DNS sinkhole trap - log is changed to Prevent instead of Detect, the Security Gateway prevents users from reaching malicious sites.

Which suggests that, prior to R81, even though it is saying Detect, it is actually a Prevent action.


14 Replies
Mark_Mitchell
Advisor

For the Anti-Bot blade, it's not set globally to "Detect Only" on the gateway/cluster object, is it, rather than "According to policy"?

0 Kudos
Phaneath_Phourn
Participant

Hi Mark,

In the Activation Mode section, I selected the "According to policy" option.

0 Kudos
Mark_Mitchell
Advisor

Are you able to share the screenshots of the threat prevention policy please? Screenshots of the profiles you have that show which blades are activated, and then from the protections section for Anti-Bot. It's difficult to advise and be accurate without knowing what is currently in place around the profiles and protection configuration.

0 Kudos
Phaneath_Phourn
Participant

Hello Mark,

Check the screenshot below for the Threat Prevention policy and the activated blades.

Thanks

0 Kudos
Mark_Mitchell
Advisor

Thanks for the screenshots. It does in fact look like your configuration is correct and, as Jean-Francois Portmann has spotted, the reply has been replaced with the DNS Trap Bogus IP, which by default, unless changed, is 62.0.58.94.

I would recommend populating the "Internal DNS Servers" so that the origin of the actual request can be identified, so that the machine generating the traffic can be checked over.

0 Kudos
Schafi
Contributor

The DNS request was not blocked but Check Point replaced the DNS reply with the DNS trap bogus IP. See sk74060.

Regards
Jean-François (Schafi)
Phaneath_Phourn
Participant

Hi Jean,

After checking in SmartTracker, I can see the DNS Trap was Blocked, and only DNS Reputation has the action Detected. As you mentioned regarding sk74060, what if I disable the Malware DNS Trap option? If the malicious DNS query was replaced by the Bogus IP, it seems to be a protection, but then why does it not say "PREVENT" although the Confidence Level and Severity of the threat are HIGH in the log file?

Thanks

0 Kudos
Mark_Mitchell
Advisor

The Bogus Trap will replace the IP address that is returned as part of the DNS Answer in response to the original query. The DNS query itself was not blocked; instead, the return value was replaced. So in reality the DNS request wasn't actually prevented. I believe that based on my understanding this is how the DNS trap works.

0 Kudos
Prabulingam_N1
Advisor

Dear Phaneath,

DNS Reputation will ALWAYS be in DETECT mode only; this is the default configuration and cannot be changed.

(as far as I know, after checking various internal settings)

The first DNS query from the client will be allowed by the Firewall.

If the DNS reply is found to be malicious, then the Check Point Trap Bogus IP (62.x.x.x) will inform the Firewall.

Then subsequent packets towards that malicious site will be PREVENTED as per your policy.

Regards, Prabu
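
Added example, not part of the original thread and not Check Point code: a Python triage of an exported log that uses the behaviour described above (DNS Reputation logged as Detect, follow-up connections to the trap bogus IP prevented) to find the client behind an internal resolver. The CSV column names, the sample rows and the 30-second correlation window are constructed assumptions; 62.0.58.94 is the default trap IP quoted in the thread.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timedelta

TRAP_IP = "62.0.58.94"  # default bogus IP quoted in the thread; adjust if changed

# Constructed sample export; column names are assumptions, not a Check Point schema.
SAMPLE_LOG = """time,src,dst,dport,protection,action
2020-05-04T09:00:01,10.1.1.53,8.8.8.8,53,DNS Reputation,Detect
2020-05-04T09:00:02,10.1.20.15,62.0.58.94,443,DNS Trap,Prevent
2020-05-04T09:00:03,10.1.20.15,62.0.58.94,443,DNS Trap,Prevent
2020-05-04T09:05:10,10.1.30.7,8.8.4.4,53,DNS Reputation,Detect
2020-05-04T09:05:11,10.1.30.7,62.0.58.94,80,DNS Trap,Prevent
2020-05-04T09:30:00,10.1.1.53,8.8.8.8,53,DNS Reputation,Detect
2020-05-04T09:40:00,10.1.20.99,93.184.216.34,443,,Accept
"""

def triage(log_text, internal_dns, trap_ip=TRAP_IP, window=timedelta(seconds=30)):
    """Return (trap hits per client, direct queriers, unattributed detect times)."""
    rows = list(csv.DictReader(io.StringIO(log_text)))
    for r in rows:
        r["time"] = datetime.fromisoformat(r["time"])
    # A host connecting to the trap IP received the rewritten DNS answer:
    # it is the machine to check over, whatever source the DNS log shows.
    trap_hits = [r for r in rows if r["dst"] == trap_ip]
    suspects = Counter(r["src"] for r in trap_hits)
    direct, unattributed = set(), []
    for r in rows:
        if r["protection"] != "DNS Reputation":
            continue
        if r["src"] not in internal_dns:
            direct.add(r["src"])  # client queried directly; log source is the origin
            continue
        # Source is the internal resolver, so the real client is hidden.
        # Look for a trap-IP connection shortly after the flagged query.
        near = [h for h in trap_hits
                if timedelta(0) <= h["time"] - r["time"] <= window]
        if not near:
            unattributed.append(r["time"].isoformat())
    return dict(suspects), sorted(direct), unattributed

if __name__ == "__main__":
    print(triage(SAMPLE_LOG, internal_dns={"10.1.1.53"}))
```

Detect events left in the unattributed list came from a resolver with no matching trap hit, which is the case where knowing the internal DNS servers and checking the resolver's own query log matters.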

miranda
Explorer

Hi! I have the same problem, my log only responds "Detected" to DNS Reputation.

Did you find any solution to this problem? 

Tks!

0 Kudos

Miroslaw_Kozmic
Participant

Hi,

Could you take a look at $FWDIR/conf/malware_config on the management server? You should see the following section there:

[resource_classification_mode]
dns=bg
http=policy
smb=policy
smtp=policy

Try changing "bg" to "policy" in the dns line and installing the policy. I think that you should see some Prevents rolling in after that.

Timothy_Hall
Legend

Try looking here, check the Activation tab for each of these three categories.

--

CheckMates Break Out Sessions Speaker

CPX 2019 Las Vegas & Vienna - Tuesday@13:30

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
Viktor
Participant

Looks like it works as intended to me. If you don't want to be able to identify the infected host you could try to deactivate DNS-trap in the Threat-profile settings.

DNS-trap Profile
