topic Re: How to block traffic coming from known malicious IP addresses R81.10 in Firewall and Security Management

How to block traffic coming from known malicious IP addresses R81.10

Rodrigo_Silva — Thu, 23 Dec 2021 16:21:02 GMT

Hi everyone.

After spending some time trying to configure (via SmartConsole R81.10) the blocking of IP addresses known as malicious, based on sk103154, I finally managed to make it work.

I was using the Check Point list (https://secureupdates.checkpoint.com/IP-list/TOR.txt) and whenever I looked at the logs I got the error "Feed format problem. Feed format not supported".

The problem is that we are not declaring a file in .csv format.

To solve this problem, just select "IP Address" in the type field, and enter "1" in the "Value" field of the custom feed settings.

Good luck to everyone.

Re: How to block traffic coming from known malicious IP addresses R81.10

the_rock — Thu, 23 Dec 2021 19:30:36 GMT

Well done sir, thank you for sharing this. Happy holidays!

Andy

Re: How to block traffic coming from known malicious IP addresses R81.10

Cyber_Serge — Fri, 24 Dec 2021 01:14:56 GMT

Yes, we were recently exploring the feature/function to block IP using custom IOC as sk132193 described. Most of time the issue we ran into with the feed is format. Since different feed come in different format, each IOC feed need to have the format defined correctly. (In your example, type is IP address, and Value is located on 1st column). In some feed column 1 is name and column 2 is value (IP address).

Do you have any luck with Threat Intel feed that require API key access?

Re: How to block traffic coming from known malicious IP addresses R81.10

Rodrigo_Silva — Mon, 27 Dec 2021 15:30:29 GMT

That's exactly it.
I haven't tested it with API key yet.
I'm researching it and as soon as I get something I'll post it here.
If you can get something post it here too, please.

Re: How to block traffic coming from known malicious IP addresses R81.10

DDiaz — Mon, 27 Dec 2021 15:46:27 GMT

Hi Rodrigo

Do you get output form this command?

Printing existing feeds

[Expert@HostName:0]# ioc_feeds show

Regards

Re: How to block traffic coming from known malicious IP addresses R81.10

Rodrigo_Silva — Mon, 27 Dec 2021 17:27:39 GMT

Hi @DDiaz

I noticed that feeds added via SmartConsole only appear in SmartConcole, and the same is true for feeds added via cli.

I didn't find this limitation in the documentation.

On sk132193 you can find the list of cli commands.

Regards

Re: How to block traffic coming from known malicious IP addresses R81.10

DDiaz — Mon, 27 Dec 2021 20:06:28 GMT

Exactly that is my point, i would like to know how to check the feeds are working properly if I use smart console. I had a case with the TAC and told me is a must to run the CLI commands to make it work

Re: How to block traffic coming from known malicious IP addresses R81.10

Rodrigo_Silva — Mon, 27 Dec 2021 21:28:57 GMT

First check if the updates are ok.
You can check this by filtering the logs through the Anti-Bot and Anti-Virus blades.
blade:(Anti-Bot OR Anti-Virus).

If everything is fine, you will see the Prevents in the logs on those same blades.

In my environment, I only see outgoing traffic being prevented.

My expectation was that all traffic originating from IPs known to be malicious would be blocked.

Re: How to block traffic coming from known malicious IP addresses R81.10

DDiaz — Thu, 30 Dec 2021 11:52:08 GMT

I can not find this logs in my environment, even if i curls the Urls meaning they are being downloading properly. I would appreciate if CP edit the SK with more details. Is not clear the steps on this. I had all this questions and TAC told us we must to run the cli commands. I can see in your environment works in another way

Regards

Re: How to block traffic coming from known malicious IP addresses R81.10

the_rock — Thu, 30 Dec 2021 13:01:48 GMT

I agree with you. SK could definitely be edited with more details.

Re: How to block traffic coming from known malicious IP addresses R81.10

Cyber_Serge — Thu, 30 Dec 2021 19:19:20 GMT

For my experience, the feed I added through smart console are added to all gateway managed by the smart management server (which is what I want).

Since your feed is Tor Exit node, it make sense to observe it in outgoing traffic not incoming traffic.

If you want to see something for incoming traffic, try the Talos feed or AlienVault feed, you will see some external IP probing the firewall and prevented by the IPS/IOC feed.

Re: How to block traffic coming from known malicious IP addresses R81.10

Cyber_Serge — Thu, 30 Dec 2021 19:26:06 GMT

@DDiaz , there is a troubleshooting section all the way at the bottom of sk132193. It includes many commands you can use to narrow down the issue.

First have to make sure the feed is pulling correctly, then have to make sure in read/ingest/interpret correctly by Check Point Gateway.

In my experience, the first issue was feed not pulling correctly since I put http instead of https; 2nd issue was the format which I corrected it like @Rodrigo_Silva screenshot show us.

Note that another issue I ran into is: if you are not pulling a remote feed and are importing a csv file locally from smart console, the csv file need to follow exact format as sk132193 describe under the section "CSV (*.csv) format", which contain 7 fields: UNIQ-NAME,VALUE,TYPE,CONFIDENCE,SEVERITY,PRODUCT,COMMENT

Re: How to block traffic coming from known malicious IP addresses R81.10

DDiaz — Thu, 30 Dec 2021 19:45:02 GMT

Thank you very much @Cyber_Serge . Will try that ASAP. Will post my results

Re: How to block traffic coming from known malicious IP addresses R81.10

Nir_Naaman — Mon, 03 Jan 2022 19:55:07 GMT

TOR exit node IPs are relevant for both ingress and egress blocking, See https://www.cisa.gov/uscert/ncas/alerts/aa20-183a for an analysis.

An operationally viable approach for ingesting IOC feeds into Check Point enforcement points is provided by Infinity NDR. The feeds are managed centrally, and the individual IOCs can be seen and managed in the NDR application. They can then be selectively delivered via NDR "data sets", which are compatible with sk132193.

Note: inbound blocking (as well as IPv6 indicators) are supported starting from R81.

User guide: https://community.checkpoint.com/t5/CloudGuard-NDR/Infinity-NDR-Intel-User-Guide/m-p/131434

Re: How to block traffic coming from known malicious IP addresses R81.10

Mstay — Wed, 05 Jan 2022 15:41:58 GMT

Guys

What is the output of this command in your environment?

cat $FWDIR/conf/ioc_feeder.conf
{
"external_ioc": "on",
"interval": "300",
"ioc_bundle": "/database/ca_bundle.pem",
"feeds": {
}
}
[Expert@FW-MGMT-UY:0]#

The interval does not change even if you modify it from:

To change the fetching interval, go to Manage & Settings > Blades > Threat Prevention > Advanced Settings, go to External Feed, and select the applicable interval.

Re: How to block traffic coming from known malicious IP addresses R81.10

Ruan_Kotze — Thu, 06 Jan 2022 08:03:32 GMT

For what it's worth, you will also need to be on at least R81 to drop incoming traffic.

Re: How to block traffic coming from known malicious IP addresses R81.10

Mstay — Tue, 11 Jan 2022 14:35:16 GMT

Hi,

I am running R81.10 in the SMS.

URLS used for feed (or https). http://secureupdates.checkpoint.com/IP-list/TOR.txt

Custom feed settings

Value 1 and type IP Address

Enabled Blades: Full Threat Prevention

curl_cli -v http://secureupdates.checkpoint.com/IP-list/TOR.txt for SMS, GW Successfully

I am able to download properly the txt from the PC running Smart Console

I am not able to see the state of the Fetches by filtering the logs through the Anti-Bot and Anti-Virus blades.
blade:(Anti-Bot OR Anti-Virus).

Do i missing something?

Regards

Re: How to block traffic coming from known malicious IP addresses R81.10

Mikael — Tue, 11 Jan 2022 15:15:21 GMT

Disclaimer that I'm still on R81 but here I can see the difference between something configured locally and something from the GUI...

Cheers

Re: How to block traffic coming from known malicious IP addresses R81.10

Mstay — Tue, 11 Jan 2022 15:27:55 GMT

Which command was used [Expert@HostName:0]# ioc_feeds show ?

I just have output using CLI IOC feeds. If smart console method is used nothing show

There is a lot off different things regarding this issue. SK must be updated, is very confusing.

Re: How to block traffic coming from known malicious IP addresses R81.10

Mikael — Tue, 11 Jan 2022 15:40:21 GMT

Yes, thats from ioc_feeds show...

I have 7 feeds configured so there was too much to blur out to get it all in one screenshot 😀