topic Re: Blacklisting large no. of IPs in Firewall and Security Management

Blacklisting large no. of IPs

Sh3r — Tue, 15 Mar 2022 17:26:47 GMT

I have R80.40 Cluster where i need to blacklist 17000 IPs.. these are all rogue IPs shared by our Security Advisories.

Currently i do blacklisting via a manual object in ACL which i update regularly but updating 17000 IPs does not seem plausible , I am not sure whether its possible to block such a no. of IPs in Checkpoint at once.. What is the best way to implement this ? i am aware about fwaccel dos blacklist but is there a limit on the no. of IPs there ? Moreover i dont think i can see logs in SmartConsole for fwaccel blacklist.

Please advise.

Re: Blacklisting large no. of IPs

genisis__ — Tue, 15 Mar 2022 17:32:23 GMT

I would suggest IOC feed from a trusted source, alternatively you can create a a .csv file with the IPs and then add these using mgmt_cli command.

I would suggest you break down the file into smaller chunks though, perhaps try 1000 first, but I would probably not go higher then 3000 in one go.

When I did my import I first created a group and then uploaded the hosts which where then added to this group.

Re: Blacklisting large no. of IPs

G_W_Albrecht — Tue, 15 Mar 2022 17:35:43 GMT

Lot of discussions can be found here:

https://community.checkpoint.com/t5/General-Topics/Blacklisting-rogue-IPs/m-p/141123#M25006

https://community.checkpoint.com/t5/Scripts/Dyn-IP-Block-Dynamic-Blocking-of-IP-Addresses-from-URL/m-p/104653#M728

https://community.checkpoint.com/t5/Security-Gateways/Blocking-malicious-IP-addresses-sk103154-in-VSX/m-p/78768#M9201

Re: Blacklisting large no. of IPs

Sh3r — Tue, 15 Mar 2022 18:33:21 GMT

i have use Csv method but i am not sure how much ip address an object can accmodate..is there a limit to it ? suppose i have created a blacklist object and i add IPs to it via csv file and mgmt cli .. but how far can i go with updating that object ?

Re: Blacklisting large no. of IPs

the_rock — Tue, 15 Mar 2022 23:46:23 GMT

This is what TAC sent me couple of years back and honestly, I find best method, or you could se script via api command line from dashboard to place multiple entries.

--->To add address-range via API:
mgmt_cli add address-range --batch address-ranges_full.csv

#cat address-ranges_full.csv
name,ip-address-first,ip-address-last
range1,10.0.0.0,10.0.0.100

---> To add a network via API:
mgmt_cli add network --batch networks.csv

#cat networks.csv
name,subnet,subnet-mask
network1,10.10.10.0,255.255.255.0
network2,20.20.20.0,255.255.255.0
network3,30.30.30.0,255.255.255.0

---> To add a host
mgmt_cli add host --batch test.csv

#cat test.csv
name,ip-address
obj1,192.168.1.1

If you do it via dashboard api cli, you would do something like this (can acomodate multiple entries)

add host name "BAD_185.206.24.70" ip-address "185.206.24.70"

Re: Blacklisting large no. of IPs

SSlater — Wed, 16 Mar 2022 05:46:59 GMT

I recommend sk103154, and setting up a list on your own server, that you can update in your own convenient manner.

How to block traffic coming from known malicious IP addresses

Once we have a feed, we can look to this as the blacklist.

In our SR/Example, we see https://secureupdates.checkpoint.com/IP-list/TOR.txt but you can use a custom Address of your choosing.

Re: Blacklisting large no. of IPs

SSlater — Wed, 16 Mar 2022 05:49:27 GMT

***In versions R81 and higher we recommend to use Custom Intelligence Feeds instead of the IP Block.

Re: Blacklisting large no. of IPs

genisis__ — Wed, 16 Mar 2022 08:45:51 GMT

Pretty much how I do it, only think I would add is doing a dos2unix on the .csv file.

name ip-address color comments groups
EXT_a.b.c.d_BLOCKIP, 1.1.1.1, red, Blocked IP, BLOCKED_IPs

Re: Blacklisting large no. of IPs

Sh3r — Wed, 16 Mar 2022 09:37:42 GMT

Is there a limit on the object a continuously update here..suppose i am creating a blacklist object at the top of ACL and updating it continuously..so any upper limit on the amount of IP addresses that can be accommodated in an object ?

Re: Blacklisting large no. of IPs

genisis__ — Wed, 16 Mar 2022 09:51:02 GMT

I'm not 100% but I think its something like 4000.

Re: Blacklisting large no. of IPs

Sh3r — Wed, 16 Mar 2022 12:45:20 GMT

ohh..i have to add 17k IPs 😞

Re: Blacklisting large no. of IPs

the_rock — Wed, 16 Mar 2022 13:01:16 GMT

Not that Im aware of, but you may want to confirm with TAC. I never found any official documentation about it, sort of like if there is number of rules that mgmt dashboard can support...its all theoretical really.

Re: Blacklisting large no. of IPs

Sh3r — Wed, 16 Mar 2022 13:14:38 GMT

Thanks for the article but is this only for incoming connections ? Also, i have to apply blacklisting in vsx environment as well but as i see here its not supported for vsx

Re: Blacklisting large no. of IPs

genisis__ — Wed, 16 Mar 2022 13:32:15 GMT

I've used the mgmt_cli command in a vsx environment and not had any issues.

Re: Blacklisting large no. of IPs

the_rock — Wed, 16 Mar 2022 14:53:24 GMT

@genisis__ is right...you can do it 100%.

Re: Blacklisting large no. of IPs

Sorin_Gogean — Tue, 12 Apr 2022 16:36:06 GMT

Hello everyone,

We were looking for a similar process and block certain BAD IP's (or lists of IP's) and we didn't decide yet if we should go with IOC_feeds (that will be used by AntiBot for dropping traffic) or Generic DataCenter Objects that we used on Firewall rules.

So can you point us to what would be better fitted for this purpose - block traffic to/from IP's ( we don't address URL's through those) .

Thank you,