topic Re: Network feed in Firewall and Security Management

Network feed

the_rock — Thu, 12 Jun 2025 01:59:25 GMT

Hey boys and girls,

Happy Friday! Figured would share this, as its super useful, specially for anyone who is not running AV or AB blades on the firewall to block known bad IPs out there. All you do is create new network feed (can only be tested if running R81.20) and then those can be used to block the traffic from those feeds. There are 8 of them and all you do is replace number 1-8 in the link below:

Github link -> https://github.com/stamparm/ipsum

feed example -> https://raw.githubusercontent.com/stamparm/ipsum/master/levels/1.txt

You can create 8 separate network feeds, simply keep replacing numbers sequentially, 1 to 8.

Thanks @delToro1 for sharing this in my other IOC post.

I set it up in my Azure lab and so far, got 140K hits in less than 1 day, that is super impressive even though its Azure, but I got no hosts behind the fw in that lab at all.

Example:

Thanks a bunch as well to Miroslav Stampar for creating this.

https://github.com/stamparm

https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt

IMPORTANT NOTE:

PLEASE DONT USE EMERG AND SAMPARM FEED 1 TO BEGIN WITH, since I had few customers having issues with those feeds. Samparm 2-8 are fine, no issues.

Best,

Andy

Re: Network feed

PhoneBoy — Fri, 26 Apr 2024 17:58:15 GMT

Nice one!

Re: Network feed

the_rock — Fri, 26 Apr 2024 17:59:07 GMT

Thank you 🙂

Re: Network feed

the_rock — Fri, 26 Apr 2024 18:26:34 GMT

Btw, just added all 8 feeds to see how many IP addresses were there, showed 234,909 all together, not bad 🙂

Andy

Re: Network feed

delToro1 — Mon, 29 Apr 2024 07:57:03 GMT

So cool!! 😉

Re: Network feed

the_rock — Mon, 29 Apr 2024 10:54:05 GMT

Absolutely!

Re: Network feed

the_rock — Tue, 30 Apr 2024 11:58:01 GMT

Just to add, I also found below, which probably has millions of bad IP addresses, as it contains LOTS of /16 subnets. I did a search and saw there was 131 entries for /16, so right there thats 8.5 million, plus remaining /21,/22,/23,/17 etc...would not be surprised its close to 15 M all together.

https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt

Best,

Andy

Re: Network feed

Scottc98 — Wed, 01 May 2024 16:57:18 GMT

@the_rock What is the result if the feed in question on your block rule contains no entries at all (i.e. the feed source becomes empty and the previous cached files on the GW is cleared)? Does it result in no matches and therefore nothing will hit it? More fearful of some situation where it starts blocking more than it should be 🙂

Re: Network feed

the_rock — Fri, 17 May 2024 02:06:17 GMT

I noticed one in my lab with no entries, but had not seen any such issues as of yet, what you described.

Andy

Re: Network feed

the_rock — Wed, 01 May 2024 18:45:35 GMT

One thing I will say though, as a word of caution, though those feeds block BUNCH of bad IPs, but it could happen that something is blocked inadvertently where people may need access to the cloud portal. In my experience, its not often, but there is a chance for it.

Andy

Re: Network feed

rrbranco — Thu, 04 Jul 2024 15:57:26 GMT

https://support.checkpoint.com/results/sk/sk132193

...

IP Allow List (Exception List)

The IP whitelist provides a convenient way to allow certain IP addresses to bypass the enforcement actions, that have been defined by threat intelligence feeds.

This document provides instructions for managing IP addresses within the IP white list, also known as the IP exception list.

Edit the File:

vi $FWDIR/conf/ip_whitelist.eng

Append IP Addresses:

Add the desired IP addresses, one per line.

Save Changes:

Ensure you save the file after adding the IP addresses.

Exemption from Enforcement: IP addresses listed in the $FWDIR/conf/ip_whitelist.eng file will not be subject to enforcement actions even if they appear in any of the threat intelligence feeds.

…

“

Question:

Is this file located on the Management Server or GW ?
- If on the Management Server, how do we update it on MaaS ? The same way as we do with $FWDIR/lib/table.def ?
What is the syntax ? One IP per line or IP/mask to allow a network ?
Can it be Dynamically updated from a Datacenter object from AWS / Azure / GCP ... ?
How often it is read ? On a policy push operation ? I mean, if we include and/or exclude something, when it will start to be enforced with the recent changes ?

Besides that, IMHO information about "IP Allow list" could be included on the Admin Guide, like here (or close) for instance: https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_ThreatPrevention_AdminGuide/Content/Topics-TPG/Uploading-Threat-Indicator-Files-through-SmartConsole_Custom.htm?tocpath=Custom%20Threat%20Prevention%7CConfiguring%20Advanced%20Threat%20Prevention%20Settings%7CConfiguring%20Threat%20Indicators%7C_____2

🖖

Best regards,

Re: Network feed

the_rock — Thu, 04 Jul 2024 16:02:16 GMT

The file is 100% on the mgmt server. Does it get auto updated? Im not so sure about that as per sk. Syntax is simply one IP per line, as mask will always be /32 anyway.

Andy

Re: Network feed

George_Ellis — Mon, 16 Sep 2024 13:30:03 GMT

Hey Andy,

Did you create the Network Feed objects as globals or strictly local (Generic DC Obj do that)?

Re: Network feed

the_rock — Fri, 28 Feb 2025 14:28:05 GMT

Hey everyone,

I know this post is almost year old, but I feel its important to highlight something. I had customer tell me recently they used emerg feed below and it caused issues on their network, so just a word of caution, maybe do NOT use it in the beginning, since it has about 15.5 M IP addresses, so can definitely cause problems. Safe to use other 8.

To be precise, number of IPs is 15,455,886

Andy

https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt

Re: Network feed

PhoneBoy — Fri, 28 Feb 2025 17:13:41 GMT

15 million IPs is a bit beyond what we tested for Network Feeds (2 million).
Possible that has something to do with it.

Re: Network feed

the_rock — Fri, 28 Feb 2025 17:15:49 GMT

I think so too.

Andy

Re: Network feed

the_rock — Fri, 28 Feb 2025 22:04:00 GMT

Latest update. Below link also contains some great stuff for IOC.

Nice weekend everyone 🙂

Andy

https://github.com/Bert-JanP/Open-Source-Threat-Intel-Feeds?tab=readme-ov-file

Re: Network feed

DeltaUnit — Fri, 07 Mar 2025 22:03:08 GMT

I got this running in my lab and shot up my CPU to 90% - had to get rid of it.

Re: Network feed

the_rock — Fri, 07 Mar 2025 23:57:12 GMT

Just remove emerg one and samparm 1, others are fine.

Andy

Re: Network feed

the_rock — Sat, 08 Mar 2025 18:07:16 GMT

This is super useful info too, since @PhoneBoy mentioned 2 million entries is the limit currently, and emerg net feed has more less, about 15 M entries, so definitely way more than officially supported. Not sure why stamparm 1 feed is causing issues for people, since its less than 200K entried, but we had one customer use stamparm 2-8 feeds and in 4-5 days, they had almost 10M hits, so definitely working well. For the context, I had a customer do this while ago, they are smaller hospital, and they told me in a week, there was almost 100M hits, compated to few thousands with manual IPs they were adding before doing net feeds.

Best,

Andy