Verify that DNS tunneling is being prevented in R8...

Matt_Reed · ‎2019-12-06

How do I verify that DNS Tunneling is being blocked in R80.10. I have found allot of good info if I was running R77.30 but it doesn't covert very well to R80.10.

PhoneBoy · ‎2019-12-06

The DNS Tunneling protection was introduced in R77.30 and, to the best of my knowledge, it should work the same in R80.x.
You need to make sure it is enabled in the relevant IPS profile.
It is NOT enabled by default in any of the default IPS profiles.

Screen Shot 2019-12-06 at 4.15.13 PM.png

Matt_Reed · ‎2019-12-09

Thanks for the quick reply and screen shots. After looking I do not even see DNS Tunneling as an option when I search under the IPS Protections. Is this something that is easy to correct or should I open a ticket with support?

Thanks
Matt

PhoneBoy · ‎2019-12-09

Have you updated the IPS signatures at all?
It's a fairly old signature so if you've done it even once, it should be there.

Matt_Reed · ‎2019-12-09

Yes the last update was on 12/8/2019 Version 635198194.

PhoneBoy · ‎2019-12-09

I checked both in Demo Mode for R80.10 and R80.30 as well as my R80.30 Management server, it's definitely there.
Sounds like a TAC case is in order.

Matt_Reed · ‎2019-12-10

Found it!! I believe that since we had it "Inactive" it would not show up in my search under IPS. So once I Went to IPS (1) > Protections(2) > IPS(3) then I could find it search(4) find it.

Thanks for the help.

Are you a member of CheckMates?

Verify that DNS tunneling is being prevented in R80.10