Configuring a Malware DNS Trap
The Malware DNS trap works by configuring the Security Gateway
Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. to return a false (bogus) IP address for known malicious hosts and domains. You can use the Security Gateway external IP address as the DNS trap address but:
-
Do not use a gateway address that leads to the internal network.
-
Do not use the gateway internal management address.
-
If the gateway external IP address is also the management address, select a different address for the DNS trap.
You can also add internal DNS servers to better identify the origin of malicious DNS requests.
Using the Malware DNS Trap you can detect compromised clients by checking logs with connection attempts to the false IP address.
At the Security Gateway level, you can configure the DNS Trap according to the profile settings or as a specific IP address for all profiles on the specific gateway.
Configuring the Malware DNS Trap parameters for the profile
|
Step |
Instructions |
|---|---|
|
1 |
In SmartConsole |
|
2 |
From the Custom Policy Tools section, click Profiles. The Profiles page opens. |
|
3 |
Right-click the profile, and click Edit. |
|
4 |
From the navigation tree, click Malware DNS Trap. |
|
5 |
Click Activate DNS Trap. |
|
6 |
Enter the IP address for the DNS trap. |
|
7 |
Optional: Add Internal DNS Servers to identify the origin of malicious DNS requests. |
|
8 |
Click OK and close the Threat Prevention profile window. |
|
9 |
Install the Threat Prevention policy. |
Configuring the Malware DNS Trap parameters for a gateway
|
Step |
Instructions |
|---|---|
|
1 |
In SmartConsole, click Gateways & Servers and double-click the Security Gateway. The gateway window opens and shows the General Properties page. |
|
2 |
From the navigation tree, select Anti-Bot |
|
3 |
In the Malicious DNS Trap section, select one of these options:
|
|
4 |
Click OK. |
|
5 |
Install the policy. |