Information
The 'Domain Name Over TCP (Zone transfer)' is a global property setting which is used to allow or reject all the TCP-type DNS packets to and from anywhere. These rules are considered as rule zero which are executed before any user-defined rules.
Rationale:
If this rule is enabled, it accepts Domain Name (DNS) queries and replies over TCP, to allow downloading of the domain name-resolving tables used for zone transfers between servers. For clients, DNS over TCP is only used if the tables to be transferred are very large. The security policy is made up of rules in the Firewall Rule Base. Other than the rules defined by the administrator, The Check Point Security Gateway also creates Implied Rules, which are defined in the Firewall Global Properties. The Check Point Security Gateway places the implied rules first, last, or before last in the Firewall Rule Base. The administrator can decide whether or not to log implied rules.
First > The Implicit rule will be placed before the explicit rules.
Last > The Implicit rule will be placed after the explicit rules.
Before Last > The Implicit rule will be placed before the last explicit rule.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
Go to the following path and Configured the Accept Accept Domain Name over TCP (Zone Transfer).
SmartConsole > Gateways & Servers > select each Gateway > Firewall
Unchecked the Accept Accept Domain Name over TCP (Zone Transfer)