topic Re: Anti-Bot IP Reputation in Firewall and Security Management

Anti-Bot IP Reputation

Jarvis_Lin — Wed, 17 Aug 2022 14:53:51 GMT

Hi Everybody,

Anti-bot Protection contains IP, URLs, Domain reputation list.

I can generate URLs and DNS reputation logs easily, but cannot generate IPs reputation logs without using indicator files/external IOC feed.

How can I generate IPs reputation logs without using indicator files/ external IOC feed. Is it possible to do ?

Re: Anti-Bot IP Reputation

Chris_Atkinson — Wed, 17 Aug 2022 14:57:18 GMT

For background what are you trying to achieve, are you trying to confirm a protection works as expected or do you need the log record as a template?

Re: Anti-Bot IP Reputation

Jarvis_Lin — Wed, 17 Aug 2022 15:31:43 GMT

Hi Chris,

I access "http(s)://131.188.40.189" , the traffic can be block by Anti-bot (URL Reputation). but ping 131.188.40.189 or telnet 131.188.40.189 25, the traffic goes through.

Can I generate IPs reputation logs on production? I try several times but not luck.

What kind of tests can trigger IPs reputation logs?
Is it possible to create IPs reputation log record via Threatwiki page for demo?

Re: Anti-Bot IP Reputation

ClonyShen — Wed, 17 Aug 2022 15:46:42 GMT

HI Chris

in this example. according to "https://urlcat.checkpoint.com/urlcat/main.htm".

if i enter the ip "131.188.40.189", it will be shown URL Reputation not IP Reputation.

The Anti-bot Protection name (Reputation IP/Reputation URLs / Reputation Domain) confuses me.

As far as I know

1. Reputation IP => xxx.xxx.xxx.xxx

2. Reputation URLs => www.bot.com/xxx.exe

3. Reputation Domain => www.bot.com

For this case, if we want to show log of "Reputation IP" in the Logs and Monitoring, would it be possible?

Re: Anti-Bot IP Reputation

Chris_Atkinson — Sat, 28 Jan 2023 23:24:34 GMT

For context:

What confidence level is the profile/blade set to enforce?

Also are the protections correctly reporting up to date in the necessary areas/domain per sk171644.

Re: Anti-Bot IP Reputation

Jarvis_Lin — Thu, 18 Aug 2022 13:24:51 GMT

My setting as below

Re: Anti-Bot IP Reputation

PhoneBoy — Thu, 18 Aug 2022 20:33:34 GMT

Are you trying to find a known IP that will trigger the Reputation IP protection?
In any case, the focus of Anti-Bot is DNS, SMTP, and HTTP(S), as noted here: https://supportcenter.checkpoint.com/supportcenter/portal?action=portlets.SearchResultMainAction&eventSubmit_doGoviewsolutiondetails=&solutionid=sk92264

Best practice is to limit outbound Internet connectivity to the precise services needed.
Meanwhile you might try a DNS lookup to the IP (assuming the lookup goes through the gateway) or initiate an SMTP connection to it.

Re: Anti-Bot IP Reputation

Jarvis_Lin — Thu, 15 Sep 2022 10:00:08 GMT

Hi PhoneBoy,

We have a lots of "Reputation IPs" for Anti-Bot Protection show as below, but never see "IP reputation" type on log.

Is it possible to generate "IPs reputation logs" without using indicator files/ external IOC feed?

Re: Anti-Bot IP Reputation

PhoneBoy — Thu, 15 Sep 2022 15:45:40 GMT

Not as far as I know because of how the decision to block is made (IP Reputation being just one factor).

When you use an external indicator feed and block based purely on that, we can make the clear statement in the logs that it's an "IP Reputation" reason.

Re: Anti-Bot IP Reputation

Chris_Atkinson — Sat, 28 Jan 2023 23:26:55 GMT

Was this screenshot from demo mode or elsewhere the protections look out of date by 6-months at the time of posting (refer: sk171644)?

Re: Anti-Bot IP Reputation

yanivatia — Thu, 19 Oct 2023 11:31:52 GMT

same issue:

https://youtu.be/djhQncknDH0

Re: Anti-Bot IP Reputation

Chris_Atkinson — Thu, 19 Oct 2023 12:53:59 GMT

This thread is about Gateway protections

Whereas your video is Endpoint or must I keep watching to a particular timestamp?

If for Endpoint I suggest starting a new thread.

Re: Anti-Bot IP Reputation

yanivatia — Thu, 19 Oct 2023 13:20:45 GMT

you rught mine for endpoint