We see requests going through our Checkpoint firewall from various Client Types e.g:
Other: polaris botnet
Other: Abbyy.Internet
Example log:
We wonder if it's possible to block by User Agent or Client Type.
Any ideas?
We are on 80.30 with all features except DLP and Threat Extraction/Emulation
Should not have additional performance impact (the user-agent inspected already as its displayed in your log), I didn't try OR command, but PCRE have it (maybe best to try in lab 1st)
In your screenshot IPS was already triggered on this traffic, depends on the signature, its worth to set it on prevent (or detect at first to understand which additional traffic falls under it) - this might be the simplest way for your end goal.
btw, IPS have ability to reject traffic by specific header too as below:
hth,
Roman.
Hi,
There is built in application for verity of browsers that can be used in the rule base as additional ordered layer of parent rule for inline layer, as result you can allow/block specific Browsers and still maintain general control of other apps.
For generic/custom user-agents its possible to create custom app with a defined specific user-agent.
For custom app, use the Signature Tool for custom Application and URL. (sk103051)
Kind regards,
Roman.
Should not have additional performance impact (the user-agent inspected already as its displayed in your log), I didn't try OR command, but PCRE have it (maybe best to try in lab 1st)
In your screenshot IPS was already triggered on this traffic, depends on the signature, its worth to set it on prevent (or detect at first to understand which additional traffic falls under it) - this might be the simplest way for your end goal.
btw, IPS have ability to reject traffic by specific header too as below:
hth,
Roman.
I have been toying a bit with client types for blocking unwanted bits of traffic and potential malware for http/https traffic to the internet. Here is what my rule looks like:
As you can see I tried a 'drop what doesn't match' type rule, so I have negated what I wish to allow to drop everything else. 'Good client types' are applications I have created based on User-Agent, some windows BITS and other agents for windows CRL checks etc.
Things I've noticed:
1) Traffic that is bypassed by HTTPs inspection doesn't match the rule and gets dropped, so Categories like 'Financial Services' and 'override categorization' sites need to be allowed before this rule.
2) Traffic that doesn't contain User-Agent header or that Checkpoint can't determine a client type for, gets dropped.
I spent quite a bit of time checking to see whether this kind of approach would work ok in a user to internet type environment, but unfortunately I have a feeling I will need to drop the User Agent approach for filtering noise and malware. The biggest issue I find is with allowing traffic that doesn't carry a User Agent header, or that Checkpoint can't locate client type for.
If anyone has attempted anything like the above can they advise on their approach?
Thanks,
A
| User | Count |
|---|---|
| 3 | |
| 3 | |
| 2 | |
| 1 | |
| 1 | |
| 1 | |
| 1 |
Tue 05 Nov 2024 @ 10:00 AM (CET)
EMEA CM LIVE: 30 Years for the CISSP certification - why it is still on topTue 05 Nov 2024 @ 05:00 PM (CET)
Americas CM LIVE: - 30 Years for the CISSP certification - why it is still on topThu 07 Nov 2024 @ 05:00 PM (CET)
What's New in CloudGuard - Priorities, Trends and Roadmap InnovationsTue 05 Nov 2024 @ 10:00 AM (CET)
EMEA CM LIVE: 30 Years for the CISSP certification - why it is still on topTue 05 Nov 2024 @ 05:00 PM (CET)
Americas CM LIVE: - 30 Years for the CISSP certification - why it is still on topTue 12 Nov 2024 @ 03:00 PM (AEDT)
Topic No Suits, No Ties: From Calm to Chaos: the sudden impact of ransomware and its effects (APAC)Wed 20 Nov 2024 @ 05:00 PM (CET)
Under the Hood: DO NOT Renew your WAF without watching THIS!!Tue 19 Nov 2024 @ 12:00 PM (MST)
Salt Lake City: Infinity External Risk Management and Harmony SaaSWed 20 Nov 2024 @ 02:00 PM (MST)
Denver South: Infinity External Risk Management and Harmony SaaS
