This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
AshishS
Explorer
‎2023-07-24 04:08 AM

Checkpoint Gateway sending DNS requests to DNS server for malicious URLs

The checkpoint gateway in a standby state is sending DNS requests to configured DNS server for malicious URLs. What can be the reason behind this? 

Version - Gaia 80.40 on both GWs.

Malicious URLs - yearinesents.xyz, siswoyo.co.id

0 Kudos
10 Replies
_Val_
Admin
Admin
‎2023-07-24 04:40 AM

I do not think there is any reason to do that. I would start investigating, to see if that is indeed traffic originating from standby GW and not something else.

On an active GW, however, that would be okay if someone is trying to reach out to any of those domains through the GW on HTTPS. That would be part of the SNI verification process. 

 

 

0 Kudos
AshishS
Explorer
‎2023-07-24 05:09 AM
In response to _Val_

Thanks for your reply.  what investigation we can do here? This is a standby gateway. Please share if there are any troubleshooting steps that I can check.

0 Kudos
_Val_
Admin
Admin
‎2023-07-24 05:19 AM
In response to AshishS

tcpdump, for starters. Where do you see the requests, on your internal DNS server? Somewhere else? It is hard to give you any advise if you do not provide any retails.

0 Kudos
AshishS
Explorer
‎2023-07-24 05:36 AM
In response to _Val_

We got the below alert on our Qrdar SIEM server. I have removed IPs from the log and used X,Y,Z instead. The source is standby firewall but the origin and originsicname are showing as active firewall details.

Alert - Checkpoint AntiVirus or AntiMalware Alert Detected

LEEF:2.0|Check Point|Anti Malware|1.0|Detect|devTime=1690067244   srcPort=33516     url=yearinesents.xyz    signature=Maze.TC.ov    malware=Maze      policyName=DCFirewallPolicy  cat=Anti Malware  sev=8 action=Detect     ifdir=outbound    ifname=Sync loguid={0xa79f6f9e,0xcdebc05b,0x4a8f2902,0x14c2509a}  origin=X.X.X.X      originsicname=CN\=PHY-NWK-DC-FRW-02,O\=CLUSTER..zzn8zj      sequencenum=880   version=5   confidence_level=1      dst=Y.Y.Y.Y log_id=2    malware_action=DNS query for a C&C site   malware_rule_id={CE6C83BD-AB76-4B53-819F-98CEC479FD68}      policy_time=1689944558  protection_id=00340173A protection_type=DNS reputation      proto=17    rule_name=Internet access to Manager and Gateway      rule_uid=3947ba36-03d7-4ada-b748-90ee083d1200   scope=Z.Z.Z.Z    service=53  session_id={0x64bc544c,0xc,0xa2a3aaca,0xc69bb62e}     smartdefense_profile=Optimized Threat Prevention      src=Z.Z.Z.Z      layer_uuid={269BAA7D-91DD-4356-A634-594DD105B2FE}     malware_rule_id={CE6C83BD-AB76-4B53-819F-98CEC479FD68}      smartdefense_profile=Optimized Threat Prevention      vendor_list=Check Point ThreatCloud

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2023-07-24 05:27 AM

Which JHF and enabled blades does this cluster have?

CCSM R77/R80/ELITE
0 Kudos
AshishS
Explorer
‎2023-07-24 05:46 AM
In response to Chris_Atkinson

JHF:- HOTFIX_R80_40_JUMBO_HF_MAIN Take: 192

Enabled blades:- fw vpn cvpn urlf av aspm appi ips identityServer anti_bot mon

0 Kudos
Fabz
Contributor
‎2023-07-24 06:00 AM

Did you or your time put those malicious URLs on security policy? 

Had experience before, my teammate put 1 malicious URL on policy to prevent communication to it, and CP will query to the internet to solving domain lookup.

since CP querying it, then detected on SIEM that CP has communication with malicous url.

0 Kudos
AshishS
Explorer
‎2023-07-24 06:07 AM
In response to Fabz

These URLs were blocked in policy a long time back. Why it would query for them now? and that is also from the standby firewall.

0 Kudos
Fabz
Contributor
‎2023-07-24 06:16 AM
In response to AshishS

need to involved TAC i think for better explanation. 

but for now, could try to delete it first on policy and check on SIEM again?

0 Kudos
AshishS
Explorer
‎2023-07-24 06:20 AM
In response to Fabz

There are multiple malicious URLs in that policy but only these 2 are getting queried. I don't think deleting these URLs will help.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events