CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: How does Antibot work with a proxy?

  1. #1

    How does Antibot work with a proxy?

    We are currently looking at buying the Antibot blade. I know this works by watching all traffic going through the firewall and looking for hosts that are trying to contact C&C servers etc.

    Now for the question. If the only access we allow to the Internet is from our proxy server how would antibot help us? It would basically just be saying that the proxy is infected and we would have to correlate back the logs on the proxy server to see which client it was.

    Or is there some way to integrate with Websense Triton?

  2. #2

    Re: How does Antibot work with a proxy?

    Quote: Originally posted by phlegm
    We are currently looking at buying the Antibot blade. I know this works by watching all traffic going through the firewall and looking for hosts that are trying to contact C&C servers etc.

    Now for the question. If the only access we allow to the Internet is from our proxy server how would antibot help us? It would basically just be saying that the proxy is infected and we would have to correlate back the logs on the proxy server to see which client it was.

    Or is there some way to integrate with Websense Triton?

    Where is the proxy located? If it's behind the gateway and you are using Identity Awareness you could tag users using X-Forwarded-For.

  3. #3

    Re: How does Antibot work with a proxy?

    Hi,

    It really depends on where in the communication your proxy is.

    In our environment the clients communicate through the firewall to the proxy and the proxy through the firewall to the internet. So we can see if a client tries to reach something strange before it goes through the proxy.

  4. #4

    Re: How does Antibot work with a proxy?

    It appears that Antibot will use the X-Forwarded-For header if put on by the proxy.

    If I configure Websense to use this then I will get reports by Antibot showing the actual source instead of just everything coming from the proxy.
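
Added example, not part of the original thread and not Check Point or Websense code: a generic Python illustration of attributing detections to the address in X-Forwarded-For only when the connection comes from the known proxy, since the header is otherwise client-controlled. The proxy address, event field names and hostnames are constructed assumptions.

```python
import ipaddress

# Assumption: the web proxy is the only device allowed to assert X-Forwarded-For.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.5.10/32")]  # constructed address

def is_trusted(ip):
    return any(ip in net for net in TRUSTED_PROXIES)

def effective_client(peer_ip, xff_header):
    """Return the address an event should be attributed to.

    peer_ip    -- source address of the connection as seen on the wire
    xff_header -- raw X-Forwarded-For value, or None if absent
    """
    peer = ipaddress.ip_address(peer_ip)
    # A header sent by anything other than the proxy is client-controlled: ignore it.
    if not is_trusted(peer) or not xff_header:
        return str(peer)
    # Proxies append to the header, so the rightmost entries are the most
    # trustworthy. Walk right to left and stop at the first non-proxy hop.
    for hop in reversed([h.strip() for h in xff_header.split(",")]):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: fall back to the proxy address
        if not is_trusted(ip):
            return str(ip)
    return str(peer)

def attribute(events):
    """Group detected destinations by effective client address."""
    hits = {}
    for e in events:
        client = effective_client(e["src"], e.get("xff"))
        hits.setdefault(client, []).append(e["dst"])
    return hits

# Constructed sample events, not real detections.
SAMPLE_EVENTS = [
    {"src": "10.0.5.10", "xff": "10.0.20.31", "dst": "c2.example.test"},
    {"src": "10.0.5.10", "xff": "1.2.3.4, 10.0.20.44", "dst": "c2.example.test"},
    {"src": "10.0.20.99", "xff": "10.0.20.31", "dst": "bad.example.test"},
    {"src": "10.0.5.10", "xff": None, "dst": "bad.example.test"},
]

if __name__ == "__main__":
    for client, dsts in attribute(SAMPLE_EVENTS).items():
        print(client, dsts)
```

The second sample event carries a forged leading entry that the client inserted itself; the third is a host bypassing the proxy while sending its own header, which is attributed to the wire address instead.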

  5. #5

    Re: How does Antibot work with a proxy?

    It's exceptionally helpful if the firewall can see DNS requests coming from the clients directly (and not an internal DNS server).
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own
