topic Re: Blocking IP using custom IOC feeds in Firewall and Security Management

Blocking IP using custom IOC feeds

Kumar_Sambhav — Mon, 19 Aug 2019 09:25:27 GMT

Hello All,

I am trying to automatically Block IPs from IOC feeds coming from ServiceNow-Secops. I can see, check point is able to fetch IOCs from Secops however, it is not blocking those IPs.

I am using R80.30 (gateway and management are behind proxy and it is standalone). I check sk103154 and it asks me to install script "ip_block_sk103154.tar" . Unfortunately, with my access i am unable to download this script.

Please let me know, if there is any work-around for this issue.

Re: Blocking IP using custom IOC feeds

PhoneBoy — Mon, 19 Aug 2019 18:23:46 GMT

What steps did you follow to achieve this?
I'll check on the script to see if we can fix the access permissions.

Re: Blocking IP using custom IOC feeds

Kumar_Sambhav — Tue, 20 Aug 2019 07:51:51 GMT

Thank you PhoneBoy for replying.

I followed : sk132193.

Below steps we did for configuration:

To add external feed: ioc_feeds add --feed_name blocklist --transport https --resource https://xxx.com --user_name admin_account

ioc_feeds show : Gives message that feed is active

file : $FWDIR/external_ioc/feed_name_folder/blocklist_https : Shows the IP address fetched from external feed in format: #UNIQ-NAME,VALUE,TYPE,CONFIDENCE,SEVERITY,PRODUCT,COMMENT

While checking sk103154, it says it is known issue with firewalls behind proxy.

PS: Firewall is standalone and behind proxy. Fw version is : R80.30 - Build 484

Re: Blocking IP using custom IOC feeds

PhoneBoy — Thu, 22 Aug 2019 05:01:53 GMT

The permission issue with the file in sk103154 should be fixed now.
ioc_feeds should support use with a proxy, see: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk132193

Re: Blocking IP using custom IOC feeds

Kumar_Sambhav — Thu, 22 Aug 2019 10:46:51 GMT

Hi PhoneBoy,

I was able to run script as per sk103154. However, still IP is not getting blocked.

I am trying to block a Private IP (as it is Lab environment). I am still able to ping, ssh firewall from that pvt. IP. Any insight?

PS: There is no error logs in :

$FWDIR/log/ioc_feeder.elg
$FWDIR/log/ext_ioc_push.elg

Thanks in advance.

Re: Blocking IP using custom IOC feeds

Kumar_Sambhav — Thu, 22 Aug 2019 13:27:41 GMT

Small Update:

I tried Blocking it from Smart Console also, by uploading the .csv file as Indicators and still IP is not getting blocked.

Is there any limitation like Private IP cannot be blocked (though it is coming from External interface)? I have created a rule on firewall to allow SSH, Ping and 443 from the Same IP (which i am looking to block through Anti-Bot blade)

Re: Blocking IP using custom IOC feeds

PhoneBoy — Thu, 22 Aug 2019 17:52:12 GMT

The mechanism that ioc_feeds uses is Anti-Bot and Anti-Virus.
This works for blocking outbound traffic to the specified IPs from internal networks.
It won't block traffic coming FROM those IPs, however.
For that, you can use the scripts in sk103154.

Re: Blocking IP using custom IOC feeds

Ryan_Ryan — Fri, 25 Oct 2019 05:45:32 GMT

Hi Phoneboy,

thanks for that info, because I had no idea IOC only worked for outbound traffic. Now I just tested it I realise you are right.

As we have IOC setup with both a IP and domain list, is there a way to use sk103154 with domains aswell? I would prefer not to have two separate systems for IP and domain, I want to block incoming and outgoing traffic to my IP list, and all outgoing traffic to my domain list. (R80.20)

thanks

Re: Blocking IP using custom IOC feeds

PhoneBoy — Fri, 25 Oct 2019 16:41:05 GMT

No, the scripts in sk103154 only work at the IP level.
With domains, we can really only block if we see the initial DNS query from the client and rewrite it with a non-malicious IP.
That is a function Antibot/Antivirus can provide.

Re: Blocking IP using custom IOC feeds

Ryan_Ryan — Fri, 25 Oct 2019 21:45:52 GMT

okay thank you.

The domain blocking function of IOC waas working well for us but now its stopped blocking the domains and IPs with this error in $FWDIR/log/ioc_feeder.elg:

Feed status ip_list :: engine memory allocation error
Feed status domain_list :: engine memory allocation error

Interesting I see the same error on two different clusters that use the same list, I cleared the list out to a single entry in each txt file and still same issue, however if I run "ioc_feeds push" it works successfully and that single entry starts blocking.

Also they should really make that clear on sk132193 thats its only outgoing traffic!

Re: Blocking IP using custom IOC feeds

PhoneBoy — Fri, 25 Oct 2019 23:09:10 GMT

Recommend opening a TAC case on the memory errors you're seeing.

Re: Blocking IP using custom IOC feeds

Tim_McColgan — Fri, 17 Jan 2020 04:10:12 GMT

Ryan, I'm working on IOCs nowadays as well and I am experiencing the engine memory allocation error that you had in the past. Wondering if you discovered a fix for it?

I am opening a TAC case tomorrow to tackle this.

Re: Blocking IP using custom IOC feeds

Ryan_Ryan — Fri, 17 Jan 2020 04:26:23 GMT

Hi, I think this should fix the memory allocation error:

fw ctl set int g_ci_av_sft_classification_buffer_size 16000

Re: Blocking IP using custom IOC feeds

Tim_McColgan — Fri, 17 Jan 2020 15:23:42 GMT

Thanks Ryan, I checked and we are already at 16000 as this looks to be the default for R80.30. Opening a TAC now.

Re: Blocking IP using custom IOC feeds

Borut — Mon, 10 Feb 2020 09:30:08 GMT

Is the feed source using self-signed certificate? We're having the same exact issue. The feed is retrieved without problems when added, but fails on the next scheduled IOC pull with memory allocation error.

We've had a SR opened until november, did some debugs and now waiting for CP to investigate the issue. I'll update this thread if we come to the solution.

Re: Blocking IP using custom IOC feeds

Borut — Fri, 06 Mar 2020 11:39:52 GMT

As promised. Support figured out what the problem was.

The feed resides on an internal server with a certificate from our internal CA, which is not trusted by default. They added all the certificates in the certificate path to ca_bundle.pem. After that it started working without errors.

You can see if you have cert errors by running $FWDIR/bin/ioc_feeder -d -f and checking $FWDIR/log/ioc_feeder.elg. We had certificate errors like this [ERROR] curl_easy_perform() failed: Peer certificate cannot be authenticated with given CA certificates.

We also tried adding the certificates via https policy to Trusted CA's but found out, that the policy install does not add them to ca_bundle.pem. R&D is still investigationg that.

I can go into more detail on how to add the certificates if anyone needs.

I would expect that the process of adding the server public keys to the bundle would be automatic. Maybe in future versions 🙂

Re: Blocking IP using custom IOC feeds

PhoneBoy — Fri, 06 Mar 2020 15:51:13 GMT

The certificate store used for HTTPS Inspection and the ioc_feeds CLI could also be different 🤔

Re: Blocking IP using custom IOC feeds

TP_Master — Sun, 08 Mar 2020 09:30:45 GMT

It actually is a different certificate store

Re: Blocking IP using custom IOC feeds

Neville_Kuo — Sun, 12 Apr 2020 04:13:39 GMT

Same thing happened in my lab:

[17736 4126325536]@cpfw[12 Apr 12:09:48] #############################################
[17736 4126325536]@cpfw[12 Apr 12:09:48] Feed status blacklist-ssl :: engine memory allocation error
[17736 4126325536]@cpfw[12 Apr 12:09:48] #############################################
[17736 4126325536]@cpfw[12 Apr 12:09:48] Feed log External IOC - External Indicators processing failed
blacklist-ssl: Failed to fetch feed. Resource: https://x.x.x.x/black_list/ip.txt, Reason: Peer certificate cannot be authenticated with given CA certificates

But http works well.

Re: Blocking IP using custom IOC feeds

Neville_Kuo — Mon, 13 Apr 2020 13:00:48 GMT

Dear all,

For those are using Custom Intelligence Feeds function with self-signed https server, you should use the following command:

export EXT_IOC_NO_SSL_VALIDATION=1

Then start your https ioc feeds, I just fixed this problem, according to sk132193:

Feed's resource can be:

URL - HTTP/HTTPS (--transport http --resource "http://10.0.0.1/my_feeds/stix_feed.xml")
*Self-signed certificate HTTPS resource will propmt for user agreement to update the bundle. It is possible to skip the certificate verification by running "export EXT_IOC_NO_SSL_VALIDATION=1" on the gateway.