h2k
Participant

Block IP but not FQDN

Hi Checkmates,

Can we block the network traffic to the IP, but allow if the traffic is pointing to a FQDN?

The idea here is to block the scanners looking for public IPs for open ports.

If so, how can we achieve that? The software version used here is R80.40.

Thanks,

Hari

0 Kudos
4 Replies
Bob_Zimmerman
Leader

There's not a way to do that, no. Connections are always to an IP address. The firewall can't tell if somebody else got the IP address by picking a number or by looking up a name.

You could set up canary ports or addresses. For example, if a client out on the Internet tries to connect to port 80 when you only offer HTTPS, block them for some period of time. Or reserve an IP at the end of your address range and declare it will never be used, and never put in DNS. Then if a client tries to connect, you know it's a scan and you can block them. They will get results until they hit the canary, but that's probably not avoidable.
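
The canary approach in the reply above, worked through as an added example (this is not code from the thread or from Check Point). It assumes a key=value log export with time, src, dst, dport and proto fields, an assumed public range 203.0.113.0/28 with one host publishing only HTTPS and one reserved address that is never in DNS, and a one-hour block window; the sample log lines are constructed. Sources that touch the address canary, or a TCP port on a published host that is not offered, are collected into a block list with an expiry, and expired entries are dropped.

```python
"""Detect port and address canary hits in firewall log lines and build a
time-limited block list.

Added example for the canary idea above; it is not code from the thread or
from Check Point. Field names (time, src, dst, dport, proto, action) and the
addresses below are assumptions, not taken from the original post.
"""
from datetime import datetime, timedelta, timezone

# Assumed public range 203.0.113.0/28 (documentation range):
# 203.0.113.10 is the web server offering only HTTPS; 203.0.113.14 is the
# address canary: reserved, never placed in DNS, never used by a service.
CANARY_ADDRESSES = {"203.0.113.14"}
OFFERED_SERVICES = {("203.0.113.10", 443)}     # (dst, TCP port) actually published
PUBLIC_HOSTS = {dst for dst, _ in OFFERED_SERVICES}
BLOCK_SECONDS = 3600                           # how long a canary hit is blocked


def parse_line(line):
    """Parse one 'key=value key=value ...' log line into a dict.

    Returns None for lines that lack the fields we need."""
    fields = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    try:
        return {
            "time": datetime.fromisoformat(fields["time"]),
            "src": fields["src"],
            "dst": fields["dst"],
            "dport": int(fields["dport"]),
            "proto": fields["proto"],
        }
    except (KeyError, ValueError):
        return None


def is_canary_hit(event):
    """True when the connection attempt can only have come from a scan.

    Address canary: anything sent to the address that is never in DNS.
    Port canary: a TCP port on a published host that we do not offer."""
    if event["dst"] in CANARY_ADDRESSES:
        return True
    if event["dst"] in PUBLIC_HOSTS and event["proto"] == "tcp":
        return (event["dst"], event["dport"]) not in OFFERED_SERVICES
    return False


def build_block_list(lines, now):
    """Return {src_ip: expiry} for every source that hit a canary.

    A repeat hit extends the expiry from the latest hit, and entries whose
    block window has already passed at 'now' are dropped."""
    blocks = {}
    for line in lines:
        event = parse_line(line)
        if event is None or not is_canary_hit(event):
            continue
        expiry = event["time"] + timedelta(seconds=BLOCK_SECONDS)
        if event["src"] not in blocks or expiry > blocks[event["src"]]:
            blocks[event["src"]] = expiry
    return {src: exp for src, exp in blocks.items() if exp > now}


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "time=2024-05-01T10:00:00+00:00 src=198.51.100.7 dst=203.0.113.10 dport=443 proto=tcp action=accept",
    "time=2024-05-01T10:00:01+00:00 src=198.51.100.7 dst=203.0.113.10 dport=80 proto=tcp action=drop",
    "time=2024-05-01T10:00:05+00:00 src=192.0.2.33 dst=203.0.113.14 dport=22 proto=tcp action=drop",
    "time=2024-05-01T10:05:00+00:00 src=192.0.2.33 dst=203.0.113.10 dport=443 proto=tcp action=accept",
    "time=2024-05-01T08:00:00+00:00 src=192.0.2.99 dst=203.0.113.14 dport=443 proto=tcp action=drop",
    "time=2024-05-01T10:00:09+00:00 src=198.51.100.200 dst=203.0.113.10 dport=443 proto=udp action=drop",
    "malformed line with no fields",
]


def demo():
    """Run the detector over SAMPLE_LOG at a fixed 'now' and return the block list."""
    now = datetime(2024, 5, 1, 10, 10, tzinfo=timezone.utc)
    return build_block_list(SAMPLE_LOG, now)


if __name__ == "__main__":
    for src, expiry in sorted(demo().items()):
        # On a gateway the one-off manual equivalent would be a SAM rule such as
        # 'fw sam -t <seconds> -I src <ip>' (assumed syntax; check it on your version).
        print(f"block {src} until {expiry.isoformat()}")
```

Note that 192.0.2.33 is blocked even though its later connection to 443 looked legitimate: once a source has touched the canary, its earlier results are already in hand, which is the "not avoidable" part of the reply above. 192.0.2.99 hit the canary two hours earlier and has already aged out of the list.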

h2k
Participant

Thanks! Do we have any other best practices to detect and block the suspicious traffic?

0 Kudos
Wolfgang
Mentor

You can use SmartEvent to block those scanners. There is a protection available to block scanners for time x if detected.

h2k
Participant

Thanks! What are the best practices to implement SmartEvent within Checkpoint?

0 Kudos