Configuring Anti-Bot & Advanced DNS Settings
In the profile settings, go to Anti-Bot & Advanced DNS Settings.
In the General section, configure the Anti-Bot blade (the Check Point Software Blade on a Security Gateway that blocks botnet behavior and communication with Command and Control (C&C) servers; acronyms: AB, ABOT) and its UserCheck settings:
- Prevent - Select the UserCheck message that opens for a Prevent action. UserCheck is the functionality in the Security Gateway or Cluster and in endpoint clients that warns users when there is a potential risk of data loss or a security violation, so that users can avoid security incidents and learn the organizational security policy.
- Ask - Select the UserCheck message that opens for an Ask action.
Configure Advanced DNS Settings
Enable or disable these Advanced DNS features:
- DGA (Domain Generation Algorithm) - Detects domains generated by a DGA, which malware mainly uses to locate its C&C servers.
- DNS Tunneling (domain name based) - Detects DNS tunnels that encode data in the domain names of queries and replies.
- NXNS Attack Detection - Detects whether DNS replies exhibit behavior consistent with an NXNS Attack (the amplification technique that answers with delegations to many non-existent name servers).
Protocol-related features:
- DoH (DNS over HTTPS) - Allows inspection of DoH traffic. Because the DNS query and reply are carried inside a TLS session, this requires enabling HTTPS Inspection on the Security Gateway. HTTPS Inspection (synonym: SSL Inspection; acronyms: HTTPSI, HTTPSi) is the feature on a Security Gateway that decrypts and inspects SSL/TLS-encrypted traffic for malware or suspicious patterns. A Security Gateway is the dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources.
The feature supports both the RFC 8484 wire format and the non-RFC variant that carries requests and responses as JSON (offered by major public DNS resolvers such as Google and Cloudflare).
DoH is supported over HTTP/1.1 and HTTP/2.
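The following example is added here to show what the gateway has to see once HTTPS Inspection has decrypted the session; it is not code from the Check Point documentation. It builds the two DoH request forms named above, the RFC 8484 GET form (the wire-format DNS message base64url-encoded in the `dns=` parameter) and the JSON query-string form, and parses a constructed wire-format reply. The resolver URL `https://dns.example/dns-query` is a placeholder, and `SAMPLE_REPLY` is a constructed message, not captured traffic.

```python
import base64
import struct

# Placeholder resolver endpoint (assumption for illustration, not a real server).
DOH_BASE = "https://dns.example/dns-query"


def encode_name(name: str) -> bytes:
    """DNS wire-format name: length-prefixed labels ending with a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = 1) -> bytes:
    """Wire-format query with ID 0 and RD set, as RFC 8484 recommends for GET
    so that identical queries produce identical (cacheable) URLs."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_doh_get_url(name: str, base: str = DOH_BASE) -> str:
    """RFC 8484 GET form: base64url of the wire message, '=' padding removed."""
    dns = base64.urlsafe_b64encode(build_query(name)).rstrip(b"=").decode()
    return f"{base}?dns={dns}"


def build_doh_json_url(name: str, rtype: str = "A", base: str = DOH_BASE) -> str:
    """Non-RFC JSON form: the question is a plain query string and the answer is
    JSON (clients send Accept: application/dns-json). Exact paths differ per provider."""
    return f"{base}?name={name}&type={rtype}"


def read_name(msg: bytes, off: int):
    """Decode a name at msg[off:], following 0xC0 compression pointers.
    Returns (name, offset just past the name in its original position)."""
    labels, jumped, end, hops = [], False, off, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off, hops = True, ptr, hops + 1
            if hops > 16:
                raise ValueError("pointer loop")
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end


def parse_a_answers(msg: bytes):
    """Return (owner, ipv4, ttl) for every A record in the answer section."""
    _id, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4  # QTYPE + QCLASS
    out = []
    for _ in range(an):
        owner, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            out.append((owner, ".".join(str(b) for b in rdata), ttl))
    return out


# Constructed reply: same question, one A record whose owner name is a pointer
# back to offset 12 (0xC00C). The address is from documentation space.
SAMPLE_REPLY = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + encode_name("www.example.com") + struct.pack("!HH", 1, 1)
    + b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([198, 51, 100, 7])
)

if __name__ == "__main__":
    print(build_doh_get_url("www.example.com"))
    print(build_doh_json_url("www.example.com"))
    print(parse_a_answers(SAMPLE_REPLY))
```

Without HTTPS Inspection the gateway sees only the TLS records of this exchange; the `dns=` parameter, the JSON query string and the resolved address are all inside the encrypted HTTP layer, which is why DoH inspection depends on that feature.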
Configuring a Malware DNS Trap
The Malware DNS Trap works by configuring the Security Gateway to return a false (fabricated) IP address for known malicious hosts and domains. You can use the Security Gateway external IP address as the DNS trap address, but observe these rules:
- Do not use a gateway address that leads to the internal network.
- Do not use the gateway internal management address.
- If the gateway external IP address is also the management address, select a different address for the DNS trap.
You can also add your internal DNS servers to better identify the origin of malicious DNS requests: a query that reaches the gateway through an internal resolver carries the resolver's address as its source, not the address of the client that asked for the domain.
Using the Malware DNS Trap, you can detect compromised clients by checking the logs for connection attempts to the false IP address, because only a host that received the fabricated answer has a reason to connect to it.
At the Security Gateway level, you can configure the DNS Trap according to the profile settings or as a specific IP address for all profiles on the specific gateway.
Malware DNS Trap supports only IPv4.
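The following example is added here and is not part of the Check Point documentation. It runs the detection described above over a few constructed, simplified key=value log lines (an illustrative format, not Check Point's log schema): clients that connected to the trap address are reported as compromised, sinkholed queries that arrived from an internal DNS server are reported as unattributed, and a second function applies the placement rules for the trap address. The addresses `203.0.113.250` (trap), `10.0.0.53` (internal resolver) and the client addresses are constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed sample logs. "dns" records carry the resolved answer; "conn"
# records are connection attempts the gateway observed.
SAMPLE_LOGS = """\
time=2024-05-02T08:00:01 type=dns src=10.0.0.53 query=update.bad-cnc.example answer=203.0.113.250
time=2024-05-02T08:00:02 type=conn src=10.0.1.17 dst=203.0.113.250 dport=443 proto=tcp
time=2024-05-02T08:00:05 type=dns src=10.0.2.9 query=cdn.bad-cnc.example answer=203.0.113.250
time=2024-05-02T08:00:06 type=conn src=10.0.2.9 dst=203.0.113.250 dport=8080 proto=tcp
time=2024-05-02T08:00:09 type=conn src=10.0.1.17 dst=203.0.113.250 dport=443 proto=tcp
time=2024-05-02T08:00:12 type=dns src=10.0.3.4 query=www.example.com answer=198.51.100.7
time=2024-05-02T08:00:13 type=conn src=10.0.3.4 dst=198.51.100.7 dport=443 proto=tcp
"""


def parse_kv(line: str) -> dict:
    """Split a 'key=value key=value' line into a dict."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def find_trap_hits(log_text: str, trap_ip: str, internal_dns_servers):
    """Return ({client_ip: {"connections": n, "domains": set}}, unattributed).

    A host appears in the dict when it either queried a sinkholed domain
    directly or connected to the trap address. Sinkholed queries whose source
    is an internal DNS server are listed as unattributed: the resolver hides
    the real client, and only the later connection attempt reveals it."""
    clients = defaultdict(lambda: {"connections": 0, "domains": set()})
    unattributed = []
    for line in log_text.splitlines():
        rec = parse_kv(line)
        if rec.get("type") == "dns" and rec.get("answer") == trap_ip:
            if rec["src"] in internal_dns_servers:
                unattributed.append(rec["query"])
            else:
                clients[rec["src"]]["domains"].add(rec["query"])
        elif rec.get("type") == "conn" and rec.get("dst") == trap_ip:
            clients[rec["src"]]["connections"] += 1
    return dict(clients), unattributed


def check_trap_address(trap_ip: str, mgmt_ip: str, internal_nets):
    """Apply the placement rules: IPv4 only, never the management address,
    never an address that lies inside an internal network."""
    problems = []
    addr = ipaddress.ip_address(trap_ip)
    if addr.version != 4:
        return ["trap address must be IPv4"]
    if trap_ip == mgmt_ip:
        problems.append("trap address is the gateway management address")
    for net in internal_nets:
        if addr in ipaddress.ip_network(net):
            problems.append(f"trap address lies inside internal network {net}")
    return problems


if __name__ == "__main__":
    hits, hidden = find_trap_hits(SAMPLE_LOGS, "203.0.113.250", {"10.0.0.53"})
    for client, info in sorted(hits.items()):
        print(f"{client}: {info['connections']} trap connection(s), "
              f"domains={sorted(info['domains'])}")
    print("sinkholed queries via internal resolver:", hidden)
    print(check_trap_address("10.0.0.1", "10.0.0.1", ["10.0.0.0/8"]))
```

In the sample, 10.0.1.17 never appears in a DNS record because it resolves through the internal server 10.0.0.53, yet its two connection attempts to the trap address identify it; 10.0.3.4 resolved a benign name and never touches the trap, so it is not reported. The address check shows why the rules matter: if the trap address were reachable inside the network or were the management address, legitimate connections to it would be indistinguishable from sinkhole hits.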

To configure the DNS trap in a Threat Prevention profile:

Step | Instructions
---|---
1 | In SmartConsole
2 | From the Custom Policy Tools section, click Profiles. The Profiles page opens.
3 | Right-click the profile, and click Edit.
4 | From the navigation tree, click Malware DNS Trap.
5 | Click Activate DNS Trap.
6 | Enter the IP address for the DNS trap.
7 | Optional: Add Internal DNS Servers to identify the origin of malicious DNS requests.
8 | Click OK and close the Threat Prevention profile window.
9 | Install the Threat Prevention policy.

To configure the DNS trap at the Security Gateway level:

Step | Instructions
---|---
1 | In SmartConsole, click Gateways & Servers and double-click the Security Gateway. The gateway window opens and shows the General Properties page.
2 | From the navigation tree, select Anti-Bot and Anti-Virus.
3 | In the Malicious DNS Trap section, select one of these options: use the DNS trap address according to the profile settings, or enter a specific IP address that applies to all profiles on this gateway.
4 | Click OK.
5 | Install the policy.