zsszlama
Contributor

How to indicate new URL to Check Point

Hi,

Lately we have encountered that when our customer creates a new URL, it is blocked by the gateway due to Protection Type: DNS Reputation. As a workaround we create an exception for it.

My question is how we can indicate this to Check Point so that they modify the reputation of the new URL to safe? I'm aware of https://urlcat.checkpoint.com/urlcat/main.htm but it's for categorization, and in most cases the category of the URLs is valid, so it's not a solution.

An SK about a new URL's life that we could show to our customers would also be useful.

Could you please answer these questions?

Thanks,

Zsolt

0 Kudos
6 Replies
_Val_
Admin

As part of the process, DNS reputation checks how long a domain/URL exists. To avoid false positives, an exception is the best way, since you know in advance what that domain / URL would look like.


0 Kudos
zsszlama
Contributor

I thought that lifetime is the key indicator. Are you aware of any time limit for that, or even an SK that we could show to our customer?
(I don't want to advertise other vendors but I found such documents at the other big 2)

0 Kudos
PhoneBoy
Admin

URL Categorization (for Access Control) and Threat Prevention are handled differently.
You have the correct URL for reporting the correct category.
For false positives with respect to Threat Prevention, those need to be done through TAC: https://help.checkpoint.com 

As for how the other “big two” handle this, you’re welcome to provide links to the relevant information since I’m not entirely clear what the actual question is here.

0 Kudos
zsszlama
Contributor

URL categorization is valid according so that's why I was asking for guidance. Yeah, as a workaround we've created a threat prevention exception and raised a ticket.

Those are not great articles but at least something that I could share with a customer:

- https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PPImCAO

- https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Newly-Observed-Domain-Webfilter-cate...

 

0 Kudos
PhoneBoy
Admin

I'm guessing the question is how we handle things we flag as "DNS Reputation."
Unfortunately, I haven't seen any documentation on this.
I do know that feedback is a part of the process, though. 

0 Kudos
G_W_Albrecht
Legend

URL reputation is estimated by several services / sites, and CP is also using those information sources. You will have to contact each of these that report the bad reputation.

But it can be the AV / AB blade that is reporting a certain URL as containing malware (look into log details) - in this case, TAC can help after opening a CP SR#.

CCSE CCTE CCSM SMB Specialist
0 Kudos
