We have recently added Check Point and the "suspicious DNS traffic" rule is triggering incidents. We have identified the DCs as per the templates but are trying to decrease incidents.
( ( ( "Event Name" = TCPTrafficAudit ) AND ( DestinationPort = 53 ) ) AND ( ( "Event Name" = TCPTrafficAudit ) AND ( DestinationMachine outside::{ "Windows Server 2003 - DC" } ) ) ) AND ( ( "Event Name" = TCPTrafficAudit ) AND ( DestinationMachine outside::{ "Windows Server 2008/2012 - DC" } ) )
I ran the above, and one of the destination machines was the IP of the actual firewall?
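To make the rule's logic concrete, here is the quoted filter re-implemented in plain Python and run over a handful of constructed audit records. This is an added example, not the poster's rule export and not SolarWinds code. The two group names come from the post; every IP address, the sample events, the "SomeOtherEvent" event name and the extra "Firewalls" exclusion group are assumptions made for the example. It shows why the firewall shows up: the rule has exactly three conjuncts (TCP audit event, destination port 53, destination not in either DC group), so any TCP/53 connection to a host that is not a DC matches, the firewall included. Adding the firewall to a further excluded group is one way to suppress that match.

```python
"""Plain-Python re-implementation of the LEM-style filter quoted in the post:

    Event Name = TCPTrafficAudit AND DestinationPort = 53
    AND DestinationMachine outside "Windows Server 2003 - DC"
    AND DestinationMachine outside "Windows Server 2008/2012 - DC"

Group membership, event records and all IP addresses are constructed for the
example; they are not taken from the poster's environment.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class TrafficAudit:
    """One network audit record, reduced to the fields the rule inspects."""
    event_name: str
    source_machine: str
    destination_machine: str
    destination_port: int


# Stand-ins for the two user-defined groups named in the post.
# The addresses are made up; in LEM these are the members you configured.
DC_GROUPS: Dict[str, Set[str]] = {
    "Windows Server 2003 - DC": {"10.0.0.10"},
    "Windows Server 2008/2012 - DC": {"10.0.0.11", "10.0.0.12"},
}

# Hypothetical extra exclusion group (not in the post): the firewall itself.
FIREWALL_GROUP: Dict[str, Set[str]] = {"Firewalls": {"10.0.0.1"}}


def members(groups: Dict[str, Set[str]]) -> Set[str]:
    """Union of all addresses across the given groups."""
    return set().union(*groups.values()) if groups else set()


def suspicious_dns(events: Iterable[TrafficAudit],
                   excluded_groups: Dict[str, Set[str]]) -> List[TrafficAudit]:
    """Return the events the rule would fire on.

    Three conjuncts, matching the posted expression: TCP audit event,
    destination port 53, destination outside every excluded group.
    """
    excluded = members(excluded_groups)
    return [
        e for e in events
        if e.event_name == "TCPTrafficAudit"
        and e.destination_port == 53
        and e.destination_machine not in excluded
    ]


# Constructed sample records: two TCP/53 connections to DCs, one to the
# firewall, one to an outside host, one non-TCP event (made-up event name)
# and one TCP connection on a port other than 53.
SAMPLE_EVENTS = [
    TrafficAudit("TCPTrafficAudit", "10.0.1.50", "10.0.0.10", 53),
    TrafficAudit("TCPTrafficAudit", "10.0.1.51", "10.0.0.12", 53),
    TrafficAudit("TCPTrafficAudit", "10.0.1.52", "10.0.0.1", 53),
    TrafficAudit("TCPTrafficAudit", "10.0.1.53", "203.0.113.7", 53),
    TrafficAudit("SomeOtherEvent", "10.0.1.54", "203.0.113.7", 53),
    TrafficAudit("TCPTrafficAudit", "10.0.1.55", "203.0.113.7", 443),
]


def hits_as_posted() -> List[str]:
    """Destinations flagged by the rule exactly as quoted (DC groups only)."""
    return [e.destination_machine
            for e in suspicious_dns(SAMPLE_EVENTS, DC_GROUPS)]


def hits_with_firewall_excluded() -> List[str]:
    """Destinations flagged once the firewall group is also excluded."""
    return [e.destination_machine
            for e in suspicious_dns(SAMPLE_EVENTS, {**DC_GROUPS, **FIREWALL_GROUP})]


if __name__ == "__main__":
    print("as posted:         ", hits_as_posted())
    print("firewall excluded: ", hits_with_firewall_excluded())
```

Running it, the rule as posted flags both the firewall (10.0.0.1) and the outside host; with the firewall group added to the exclusions only the outside host remains. The repeated "Event Name" = TCPTrafficAudit conjunct in the exported expression is redundant but harmless, since AND of the same condition three times is the same condition once.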