https://community.checkpoint.com/t5/Firewall-and-Security-Management/Automated-IP-Blocking/m-p/247392#M48320 <P>And is it possible that even using this method, if it is necessary to add some IPs that report as “Malicious” to our monitoring area, we can somehow add them to the referral “sources”?</P> <P>For example, you get 3 super strange “Malicious” IPs reported to you.</P> <P><STRONG><EM>48.190.1.5</EM></STRONG><BR /><STRONG><EM>35.120.2.2</EM></STRONG><BR /><STRONG><EM>191.2.2.4</EM></STRONG></P> <P>(<STRONG>Just to give you an example</STRONG>), and you are already using the Network Feeds.<BR />Can these IPs be “tied” to this “Network Feeds” operation? Or would you have to manually create explicit rules to block these particular IPs?</P> Sat, 26 Apr 2025 00:22:21 GMT Matlu 2025-04-26T00:22:21Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Automated-IP-Blocking/m-p/247386#M48315 <P>Hello, Mates.</P> <P>I have an environment of several VSX Clusters, which are managed from an MDS.</P> <P>We currently have many Perimeter FWs, and when we have certain IPs reported as “Malicious”, we have the need to block them in explicit rules that we already have created in each of the FWs.<BR />The problem with doing it manually, is that this task “takes a lot of time”, and we want to use some automated way to be able to execute this task.</P> <P>Is there any way in the Check Point solutions, that allows us to have a more “automated” environment for this type of tasks?</P> <P>Thanks for your comments.</P> Fri, 25 Apr 2025 23:32:20 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Automated-IP-Blocking/m-p/247386#M48315 Matlu 2025-04-25T23:32:20Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Automated-IP-Blocking/m-p/247387#M48316 <P>Ola bro,</P> <P>How are you? Have a look at my post from last year, hope it can help you. Network feeds do NOT require av or ab blades enabled. I would say to begin with, do NOT use stamparm1 and emerg feeds, others are fine, stamparm 2-8.</P> <P><A href="https://community.checkpoint.com/t5/Security-Gateways/Network-feed/m-p/212407#M40317" target="_blank" rel="noopener">https://community.checkpoint.com/t5/Security-Gateways/Network-feed/m-p/212407#M40317</A></P> <P>Best,</P> <P>Andy</P> Fri, 25 Apr 2025 23:51:08 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Automated-IP-Blocking/m-p/247387#M48316 the_rock 2025-04-25T23:51:08Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Automated-IP-Blocking/m-p/247388#M48317 <P>Hello, my friend.</P> <P>Some of my Perimeter FWs do have the AV and AB blades enabled, <STRONG>but others do NOT</STRONG>.</P> <P>Would this way of working with the “Network Feed” work as well in the FWs that have these blades enabled?</P> <P>Greetings.</P> Sat, 26 Apr 2025 00:02:38 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Automated-IP-Blocking/m-p/247388#M48317 Matlu 2025-04-26T00:02:38Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Automated-IP-Blocking/m-p/247390#M48318 <P>Yes sir, 100%. Regardless whether you have those blades enabled or not, network feeds work fine. I would make sure you have R81.20 installed, as it lets you test the feeds beforehand. Just for the context, I work often with a smaller hospital (I mean, for comparison, its not the size of Ankara city hospital in Turkey, nothing like that lol), but they were doing the same method for a long time like what you described, adding IPs manually.</P> <P>I showed them the same post, they added ALL the feeds, in 3 days, they had more than 10 million hits, while before implementing net feeds, there was about 25k hits in 1 year.</P> <P>Andy</P> Sat, 26 Apr 2025 00:09:18 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Automated-IP-Blocking/m-p/247390#M48318 the_rock 2025-04-26T00:09:18Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Automated-IP-Blocking/m-p/247391#M48319 <P>reference</P> <P><A href="https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_SecurityManagement_AdminGuide/Content/Topics-SECMG/Network_Feed.htm" target="_blank">https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_SecurityManagement_AdminGuide/Content/Topics-SECMG/Network_Feed.htm</A></P> Sat, 26 Apr 2025 00:18:05 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Automated-IP-Blocking/m-p/247391#M48319 the_rock 2025-04-26T00:18:05Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Automated-IP-Blocking/m-p/247392#M48320 <P>And is it possible that even using this method, if it is necessary to add some IPs that report as “Malicious” to our monitoring area, we can somehow add them to the referral “sources”?</P> <P>For example, you get 3 super strange “Malicious” IPs reported to you.</P> <P><STRONG><EM>48.190.1.5</EM></STRONG><BR /><STRONG><EM>35.120.2.2</EM></STRONG><BR /><STRONG><EM>191.2.2.4</EM></STRONG></P> <P>(<STRONG>Just to give you an example</STRONG>), and you are already using the Network Feeds.<BR />Can these IPs be “tied” to this “Network Feeds” operation? Or would you have to manually create explicit rules to block these particular IPs?</P> Sat, 26 Apr 2025 00:22:21 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Automated-IP-Blocking/m-p/247392#M48320 Matlu 2025-04-26T00:22:21Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Automated-IP-Blocking/m-p/247393#M48321 <P>Thats right...though, you can search for any given IP when opening the links I posted, same way you can do ctrl+F to search for anything in text file of web page. Keep in mind, any net feed is updated automatically, so you dont have to do anything yourself.</P> <P>Andy</P> Sat, 26 Apr 2025 00:25:30 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Automated-IP-Blocking/m-p/247393#M48321 the_rock 2025-04-26T00:25:30Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Automated-IP-Blocking/m-p/247394#M48322 <P>Btw, even if you have any gateways on R80.xx, those can also do net feeds, but I definitely suggest they be on R81.20, if possible, to utilize all the available options.</P> <P>Andy</P> Sat, 26 Apr 2025 00:46:12 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Automated-IP-Blocking/m-p/247394#M48322 the_rock 2025-04-26T00:46:12Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Automated-IP-Blocking/m-p/247427#M48325 <P>Btw, figured would update you on this post as well...tested R82 vsx for network feeds, no issues.</P> <P>Andy</P> Sat, 26 Apr 2025 19:05:03 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Automated-IP-Blocking/m-p/247427#M48325 the_rock 2025-04-26T19:05:03Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Automated-IP-Blocking/m-p/247442#M48327 <P><a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/82839">@Matlu</a>&nbsp;If you need me to test anything else in the lab, please let me know.</P> <P>Andy</P> Sun, 27 Apr 2025 13:56:18 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Automated-IP-Blocking/m-p/247442#M48327 the_rock 2025-04-27T13:56:18Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Automated-IP-Blocking/m-p/247475#M48337 <P>Just a word of caution though...maybe dont add all of net feeds I provided at once, start with 2 or 3 and then give it couple of days and see how many hits you get, just to make sure there are not inadvertent effects.</P> <P>Andy</P> Mon, 28 Apr 2025 01:42:52 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Automated-IP-Blocking/m-p/247475#M48337 the_rock 2025-04-28T01:42:52Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Automated-IP-Blocking/m-p/247479#M48338 <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="1000071876.jpg" style="width: 719px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/30337i30AEF85F2B5A42CC/image-size/medium?v=v2&amp;px=400" role="button" title="1000071876.jpg" alt="1000071876.jpg" /></span></P> <P>From the list of .txt file options, which option do you recommend to use in my ‘Network Feeds’?</P> Mon, 28 Apr 2025 03:12:38 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Automated-IP-Blocking/m-p/247479#M48338 Matlu 2025-04-28T03:12:38Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Automated-IP-Blocking/m-p/247482#M48341 <P>Hey bro,</P> <P>Here is the thing. My best suggestion is if you are unsure, always test any IP you are concerned about in below link, its very accurate. We always use it to check those things. Besides, only way to really know is to apply the feed, block it in policy, and then observe and see.</P> <P>Andy</P> <P><A href="https://www.abuseipdb.com/" target="_blank">https://www.abuseipdb.com/</A></P> Mon, 28 Apr 2025 03:23:27 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Automated-IP-Blocking/m-p/247482#M48341 the_rock 2025-04-28T03:23:27Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Automated-IP-Blocking/m-p/247565#M48357 <P>Another helpful link I found.</P> <P>Andy</P> <P><A href="https://github.com/Bert-JanP/Open-Source-Threat-Intel-Feeds?tab=readme-ov-file" target="_blank">https://github.com/Bert-JanP/Open-Source-Threat-Intel-Feeds?tab=readme-ov-file</A></P> Tue, 29 Apr 2025 00:54:25 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Automated-IP-Blocking/m-p/247565#M48357 the_rock 2025-04-29T00:54:25Z