topic Re: Blocking malicious IP addresses SAMP rules in Firewall and Security Management

Blocking malicious IP addresses SAMP rules

israelgl — Mon, 20 Jun 2022 08:12:30 GMT

hey all,

I'm using the script from sk103154 - How to block traffic coming from known malicious IP addresses, and I have a database of 100,000 malicious IPs, now I realize that I have only a little less than 7000 samp rules.

Is it because of a limited number of samp rules or is that something with the script from the sk?

Re: Blocking malicious IP addresses SAMP rules

Diego_dg — Mon, 20 Jun 2022 10:20:10 GMT

Hi, I don't know if this could be related with your issue, but there is a limit in the size of the SAM file. You can enable/disable or change it on the Gateway object properties, under Other-> SAM , "purge sam file when it reaches...".

Re: Blocking malicious IP addresses SAMP rules

G_W_Albrecht — Mon, 20 Jun 2022 10:21:51 GMT

Did you try sk112454, (6) Deny List Configuration

The deny list is configured using "fwaccel dos deny" commands.
In R80.40 and higher versions, the deny list scales to millions of IP addresses.

Re: Blocking malicious IP addresses SAMP rules

G_W_Albrecht — Mon, 20 Jun 2022 11:37:22 GMT

In order to block designated IP list, Check Point strongly recommend to use Custom Intelligence Feeds feature introduced in R80.30 - refer to sk132193.

Re: Blocking malicious IP addresses SAMP rules

Diego_dg — Mon, 20 Jun 2022 12:29:47 GMT

But, if I am right, Custom Intelligence Feeds are only available if there is a TP license (Antivirus, AntiBot) on the GW, isn't it?

Re: Blocking malicious IP addresses SAMP rules

israelgl — Mon, 20 Jun 2022 14:28:49 GMT

custom intelligence feed block traffic from outside only in r81.

in r80.40 I used sk103154

Re: Blocking malicious IP addresses SAMP rules

Sorin_Gogean — Mon, 20 Jun 2022 16:47:16 GMT

You are correct the IOC are used by Antivirus and AntiBot blades.

For what you needed, I would look into Generic DataCenter objects - we're using them for similar needs/requirements like you.

Generic Data Center Object

From R81, you can enforce access to and from IP addresses defined in files located in external web servers.

To do that, use the Generic Data Center object in SmartConsole. The Generic Data Center object points to a JSON file in an external server which contains the IP addresses which you want to access. This way, when the Generic Data Center object is used in a policy, SmartConsole can retrieve the IP information from the JSON file as necessary.

You can host the JSON file also locally on the Security Management Server.

This feature is useful in cases where one administrator creates the Rule Base and defines the objects, and another administrator manages the content of these objects.

This feature is supported in the Access Control, Threat Prevention, HTTPS Inspection, and NAT Rule Bases.

The feature is supported only on a Security Management Server R81 and higher and Security Gateway (Cluster) R81 and higher.

After you create the Generic Data Center object, any change made in the file is automatically enforced on the Security Gateway with no need to install policy.

To create the JSON file, follow the guidelines described in sk167210.

For more information, see Generic Data Center Objects."

Ty,

Re: Blocking malicious IP addresses SAMP rules

israelgl — Wed, 22 Jun 2022 05:17:52 GMT

i don't want to use object because i want to reduce load from the applince

Re: Blocking malicious IP addresses SAMP rules

Sorin_Gogean — Wed, 22 Jun 2022 06:02:01 GMT

IOC feeds or Generic DataCenter objects would imply similar appliance load, from my knowledge.

Only difference is that they apply at different levels.

Your choice 😊 .

Ty,

Re: Blocking malicious IP addresses SAMP rules

israelgl — Thu, 23 Jun 2022 14:35:19 GMT

I used "fwaccel dos deny" and it works great and I even created a script that update the list every 20 min.

but I didn't find a way to see match table or logs, is there an option to log the drops?

Re: Blocking malicious IP addresses SAMP rules

Diego_dg — Thu, 23 Jun 2022 14:49:02 GMT

We also use "fwaccel dos deny" and we see the drops on the logs, with the message shown below, maybe you need to configure "log drops: enable" with command "fwaccel config set ":

The packet's source IP is in the deny list (SecureXL device 0)

feature_name:

DOS/Rate Limiting Deny List

comment:

Deny list

Re: Blocking malicious IP addresses SAMP rules

George_Ellis — Thu, 23 Jun 2022 18:39:11 GMT

I have laid out a strategy for my company to use this too (sk103154). The script is easily modified to also add your own site to maintain a list of internally designated IPs to drop. And, it should work on VSX. Then you just need a process to update your internally maintained blacklist and a hosting site inside your company.