CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: ABOT policy requirements

  1. #1
    Join Date
    2012-01-12
    Posts
    7
    Rep Power
    0

    Default ABOT policy requirements

    Hey. We've had the ABOT blade on for some time now, with it in DETECT mode, but it never really seemed to get anything. I suppose that is a good thing, but the likelihood of that is small IMO. One theory on why it has never really caught anything is that the gateway it is on has virtually no rules for http/https on it. 95% of the web traffic (or any traffic for that matter) going to this gateway (it is the default route for the network) is dropped; only clearly defined traffic is allowed on the main policy. (In case you're wondering where the web traffic goes, it is to the proxies via wpad file, not through a firewall). Is the reason that the ABOT blade hasn't picked anything substantial up due to the fact that we block most outbound traffic, before it makes it to the ABOT blade? I've heard that is how AppControl works too...you need to allow the protocol first in the main policy, and that will let AppControl figure out what it is and allow accordingly.

    I should note that the one thing it does pick up consistently is some DNS protection, and DNS in these cases is open to the Internet. So that fits my theory that because we are locked down pretty tight already, ABOT doesn't have a chance to 'see' the bad traffic.

    Kind of rambled on there a bit, hopefully that made a little bit of sense.

    Thanks

  2. #2
    Join Date
    2005-08-14
    Location
    Gig Harbor, WA, USA
    Posts
    2,494
    Rep Power
    17

    Default Re: ABOT policy requirements

    It makes sense and it's basically an accurate explanation of what is happening.
    If the firewall policy is blocking the vast majority of outbound traffic, then there is not much for the other blades to look at other than initial packets (e.g. TCP SYN), which don't indicate a whole lot on their own. :)
    DNS queries that go through the firewall can indicate malicious activity if they are queries to sites known to contain malware.
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own
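The ordering described in the reply above (firewall rulebase first, then the blades inspect only what the rulebase accepted) can be shown with a small model. This is an added illustration, not Check Point code or the real Anti-Bot engine: the rule/flow structures, the first-match evaluation, the `BAD_DOMAINS` reputation set and the sample flows are all constructed for the example.

```python
"""Toy model: first-match firewall rulebase, then Anti-Bot-style inspection
of the flows the rulebase accepted. Dropped flows are never inspected, so
the blade's detection count depends on what the main policy lets through."""
from dataclasses import dataclass
from typing import Optional

# Constructed reputation data (placeholders, not real indicators).
BAD_DOMAINS = {"malicious.example", "c2.example"}


@dataclass(frozen=True)
class Rule:
    name: str
    src: str                 # "internal" or "any"
    dst: str                 # "internet" or "any"
    service: Optional[str]   # "dns", "http", "https"; None matches any service
    action: str              # "accept" or "drop"


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst: str
    service: str
    domain: Optional[str] = None   # DNS query name or HTTP(S) host, if known


def match_rule(rulebase, flow):
    """First-match evaluation; an implicit cleanup rule drops anything unmatched."""
    for rule in rulebase:
        if (rule.src in ("any", flow.src_zone)
                and rule.dst in ("any", flow.dst)
                and rule.service in (None, flow.service)):
            return rule
    return Rule("implicit-cleanup", "any", "any", None, "drop")


def inspect(flow):
    """Anti-Bot-style check: does the accepted flow reference a known-bad domain?"""
    return flow.domain is not None and flow.domain in BAD_DOMAINS


def run(rulebase, flows):
    """Evaluate each flow against the rulebase, then inspect only accepted ones."""
    stats = {"dropped_by_policy": 0, "inspected": 0, "detections": []}
    for flow in flows:
        rule = match_rule(rulebase, flow)
        if rule.action == "drop":
            stats["dropped_by_policy"] += 1   # blade saw at most the initial packet
            continue
        stats["inspected"] += 1
        if inspect(flow):
            stats["detections"].append((rule.name, flow.service, flow.domain))
    return stats


# Rulebase as described in the thread: only DNS is allowed out; web is not.
LOCKED_DOWN = [
    Rule("dns-out", "internal", "any", "dns", "accept"),
]

# Same rulebase with http/https opened so the blade can see web flows.
WITH_WEB = LOCKED_DOWN + [
    Rule("web-out", "internal", "any", "http", "accept"),
    Rule("web-out-tls", "internal", "any", "https", "accept"),
]

# Constructed sample flows from the internal zone.
SAMPLE_FLOWS = [
    Flow("internal", "internet", "dns", "c2.example"),
    Flow("internal", "internet", "dns", "www.example.com"),
    Flow("internal", "internet", "https", "malicious.example"),
    Flow("internal", "internet", "http", "malicious.example"),
]

if __name__ == "__main__":
    for label, rb in (("locked down", LOCKED_DOWN), ("web allowed", WITH_WEB)):
        print(label, run(rb, SAMPLE_FLOWS))
```

With the locked-down rulebase only the DNS lookup of the bad domain is detected; the two web flows to the same domain are dropped by the policy before inspection. Opening http/https in the main policy makes the blade see (and flag) those flows as well, which is exactly the trade-off the thread discusses.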

  3. #3
    Join Date
    2012-01-12
    Posts
    7
    Rep Power
    0

    Default Re: ABOT policy requirements

    That's good from our side, I suppose, that we're locked down enough that bots likely won't get out. Bad though, since it looks like the tool isn't catching anything. I suppose the same goes for AppControl. If I really wanted to use that more, I'd have to open http/https to the Internet and rely on AppControl rules to filter the traffic.
    Thanks for the reply!
