Dynamic Block Lists for Check Point firewalls

Document created by Daniel Husand (Employee) on Feb 7, 2017. Last modified by Dameon Welch Abernathy on Jul 11, 2017. Version 5.

I have cooked together some further improvements on Check Point's 'block TOR' scripts and built a small service around it. This is not an official Check Point function/product and is provided by me in my spare time.

 

At this moment the following blocklists are implemented:

  • OpenBL
  • Emerging Threats: Known Compromised Hosts
  • TOR exit nodes
  • BruteforceBlocker
  • Blocklist.de All
  • Talos
  • Dshield

 

The feeds are downloaded, sanity-checked and then published on cpdbl.net for free. I am currently running all lists on two separate clusters without any noticeable performance hit. Of course, ymmv, so all feedback is appreciated. If you want to try it out, go to: https://cpdbl.net

 

Screenshot of the interface:

[Screenshot: cpdbl.png]

 

Gateway details:

These scripts use the SecureXL rate-limiting policy, so blocking is done in the SecureXL fast path and should not noticeably impact performance.

Connections from IPs on the activated blocklists are blocked INBOUND only; outgoing communication to those IPs is currently allowed. I have roadmapped a toggle for this.

VSX is not supported for now.

 

Workflow:

The server (cpdbl.net) downloads all the lists nightly and:

  • Validates that all entries are valid IPs.
  • Baselines the lists, i.e. makes sure a list has not suddenly grown enormously.
  • Publishes the lists for the clients to download.

 

The client:

  • Downloads fresh lists every 12 hours.
  • Expires entries in the block table after 12 hours; if cpdbl.net is unavailable, all entries will therefore have been removed by then.
  • Validates that only entries made up of numbers and "-" are read into the system (to stop possible code injection).
  • Installs the validated entries into the blocking tables and waits 12 hours before starting over again.
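The entry validation and the growth baseline described above, as an added bash example that is not part of the cpdbl.net scripts: it goes a step further than the "numbers and '-'" whitelist by accepting only dotted-quad addresses and "first-last" ranges, so a line with shell metacharacters never reaches a firewall command. The function names, the percentage threshold and the sample feed are my own assumptions.

```shell
#!/bin/bash
# Added example (not the cpdbl.net scripts): validate feed entries before they
# are handed to any firewall command, and baseline-check list growth.
# 0 if $1 is a dotted-quad IPv4 address with every octet in 0-255.
is_ipv4() {
    local ip=$1 octet
    case $ip in                               # whitelist: digits and dots only,
        *[!0-9.]*|.*|*.|*..*) return 1 ;;     # no leading/trailing/double dot
    esac
    local IFS=.
    set -- $ip
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}
# 0 if $1 is one address or a "first-last" range; "a-b-c" and the like fail.
is_entry() {
    case $1 in
        *-*-*) return 1 ;;
        *-*)   is_ipv4 "${1%-*}" && is_ipv4 "${1#*-}" ;;
        *)     is_ipv4 "$1" ;;
    esac
}
# Server-side baseline (assumed threshold): refuse a list that grew more than
# $3 percent over the previous count $1; a feed that balloons is a bad pull.
within_baseline() {
    local old=$1 new=$2 max_pct=$3
    [ "$old" -gt 0 ] || return 0                       # no baseline yet
    [ $((new * 100)) -le $((old * (100 + max_pct))) ]
}
# Print only the entries of feed file $1 that pass is_entry; comments, CRLF,
# IPv6 and anything shell-looking are dropped and logged on stderr.
filter_list() {
    local line
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%$'\r'}; line=${line%%#*}; line=${line//[[:space:]]/}
        [ -n "$line" ] || continue
        if is_entry "$line"; then printf '%s\n' "$line"
        else printf 'rejected: %s\n' "$line" >&2; fi
    done < "$1"
}
# Constructed sample feed (documentation addresses, not real indicators).
sample_feed() {
    printf '%s\n' 192.0.2.1 198.51.100.0-198.51.100.255 '203.0.113.5;id' \
        256.1.1.1 2001:db8::1 10.0.0.1-10.0.0.2-10.0.0.3 '# comment'
}
```

Running `filter_list <(sample_feed)` prints the two valid entries and reports the other lines as rejected.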

 

 

To monitor the blocked IP addresses:

R77.30:

In SmartView Tracker, search for "SecureXL message: Quota violation".

 

R80:

In SmartLog, search for "blade:Firewall Alert".
