topic Re: list of different IP addresses to be blocked in Firewall and Security Management

list of different IP addresses to be blocked

Dirk_Casomo — Thu, 18 Jan 2018 08:54:53 GMT

hi,

i have 2000 plus list of IP addresses, how can i block them all bi directional blocking in my checkpoint firewall without typing all those individually?

Re: list of different IP addresses to be blocked

Danny — Thu, 18 Jan 2018 11:00:20 GMT

Method 1

How to block traffic coming from known malicious IP addresses

Method 2

The SmartConsole CLI can be directly accessed from within SmartConsole by clicking the icon on the bottom left corner.

SmartConsole -> Management CLI:

Just add the required syntax to your IP addresses to create host objects and one host group for them. Copy & Paste this to your SmartConsole CLI in order to have a group containing all block IPs created. Then create a rule that blocks all access to this group. Done.

Method 3

fw samp is your friend.

Method 4

sim dropcfg is your friend.

Re: list of different IP addresses to be blocked

Kaspars_Zibarts — Thu, 18 Jan 2018 12:57:22 GMT

Great summary Danny!

Re: list of different IP addresses to be blocked

Tomer_Sole — Thu, 18 Jan 2018 14:47:56 GMT

This is awesome.

Re: list of different IP addresses to be blocked

PhoneBoy — Thu, 18 Jan 2018 14:58:37 GMT

It would have been better had this question not been posted a few times in unrelated threads.

However I will also add to what Danny Jung‌ has said that if you're not using R80+ management, you can create objects by CLI using dbedit: Using a dbedit script to create new network objects and network object groups

You would create the relevant network objects, add them to a group, and use that group in the rulebase with a "drop" rule.

Re: list of different IP addresses to be blocked

Dirk_Casomo — Fri, 19 Jan 2018 01:39:36 GMT

but that one is around 2000 plus IP addresses, is there a way for me not to

manually key in all those IP addresses? may using notepad or csv file?

Re: list of different IP addresses to be blocked

PhoneBoy — Fri, 19 Jan 2018 02:33:34 GMT

Using the above methods, you can write a script to read from whatever file you have the IP addresses into.

You could also use some of the scripts that are already present on CheckMates to help you with this.

This is just one example: CLI API Example for exporting, importing, and deleting different objects using CSV files (v 00.25.01 and later)‌

Re: list of different IP addresses to be blocked

Dirk_Casomo — Fri, 19 Jan 2018 03:04:12 GMT

Hi,

thank you!

lets say i already put all the 2000 plus ip addresses in a csv file, then i

type this command "cli_api_import_objects_from_csv.sh" i have a question,

where i must save my csv file in my local drive for the fw to ask me the

location of the file to be imported? and also smart console i just fire up

the CLI then type the command cli_api...?

please enlighten me

On Fri, Jan 19, 2018 at 10:34 AM, Dameon Welch Abernathy <

Re: list of different IP addresses to be blocked

PhoneBoy — Fri, 21 Jun 2019 09:12:09 GMT

Where the file should be saved for this particular script is described in the lengthy post with that script, please read it carefully.

It's meant for bulk import/export of a lot of objects, so may not be the best tool for your job.

Another possible option: R80 PowerShell Module

But a simpler option is to just call the CLI directly and import the CSV.

This process isn't nearly as well documented as I thought it would be, but we're about to fix that

First of all, the CSV file should be in the correct format.

The first row refers to parameters you would pass the add host command as documented here: Check Point - Management API reference for add host

The minimum parameters needed are name and ip-address.

Since you want to put them in a group, might as well do that as they are created.

For this example, the objects will be added to a group called BlockGroup:

name,ip-address,groups.1
host1,192.0.2.1,BlockGroup
host2,192.0.2.2,BlockGroup
host3,192.0.2.3,BlockGroup

If the group doesn't already exist, you can use the following CLI command on the management server to create it first: mgmt_cli -r true add group name BlockGroup

To then import the CSV file, use the following command on the management server, which reads the file from the current directory: mgmt_cli -r true add host --batch import.csv

Note: You will probably need to break up the CSV file into smaller chunks (no more than 500 items per file).

Otherwise you may experience issues as described here: https://community.checkpoint.com/message/6809-re-creating-multiple-object-via-csv

Re: list of different IP addresses to be blocked

Christopher_Ta1 — Fri, 19 Jan 2018 07:38:20 GMT

So every ip address will be host/object? therefore, 2000 host?

Is there any easiest way wherein we just put those list of IP addresses then automatically blocked. And if there is a false-positive, we can also easily removed that IP address in the list.

Thanks

Re: list of different IP addresses to be blocked

Bruno_LABOUR — Fri, 19 Jan 2018 07:56:16 GMT

Hello Christopher,

With this method, there will indeed be 2000 host objects created and added to a group used in directionnal blocking rule. If you do not want to create objects, you may have a look at SAM rules (here: How to create and view Suspicious Activity Monitoring (SAM) Rules).

SAM rules does not need to create an object, you can add the IP addresses directly in the blocking rules, monitore them, and remove them.

However, SAM rules are CPU intensive. So you better use a traditionnal security policy rule and a group of hosts object. Sam rules should only be used in emergency conditions (as they do not need a policy installation to be added or removed), and IP block should be move to your security policy rule as fast as you confirm there is no false positive.

I hope this helps,

Regards.

Re: list of different IP addresses to be blocked

Dirk_Casomo — Fri, 19 Jan 2018 08:39:37 GMT

is there a way not to manually typing all those 2000 plus different IP

addresses to be part of the host object?

On Fri, Jan 19, 2018 at 3:56 PM, Bruno LABOUR <donotreply@checkpoint.com>

Re: list of different IP addresses to be blocked

Christopher_Ta1 — Fri, 19 Jan 2018 08:51:09 GMT

Thanks Bruno

Re: list of different IP addresses to be blocked

Kaspars_Zibarts — Fri, 19 Jan 2018 09:39:08 GMT

Excellent point about CPU implications Bruno. Very important for large and/or heavily loaded environments when every CPU % counts. Maybe https://community.checkpoint.com/people/dantr917b8439-9d5c-34f0-b86a-f0e1b0a14cbd‌ could update original article with CPU impact for each of the options. Just for clarity

Re: list of different IP addresses to be blocked

Eric_Beasley — Fri, 21 Jun 2019 09:12:12 GMT

I saw this alternative solution to list based block : https://community.checkpoint.com/docs/DOC-2002

It may provide an additional resource for learning how to approach this problem.

Re: list of different IP addresses to be blocked

PhoneBoy — Fri, 19 Jan 2018 16:13:16 GMT

You should probably use fw samp instead, which is SecureXL friendly (SAM rules are not).

And to Dirk Casomo‌'s question, you would write a script that reads your file of IPs, executing the necessary commands.

Or use the scripts in the following SK: How to export Check Point logs to a Syslog server using CPLogToSyslog

Re: list of different IP addresses to be blocked

Bruno_LABOUR — Fri, 19 Jan 2018 16:16:45 GMT

For SAM rules? The KB shows there is a cli comand "fw sam_policy" that you could use with a script to parse your inject everything. However, i would not recommand you to use SAM to block 2000 IP addresses when you can easily do it also with either mgmt_api or dbedit scripts depending on the version you are running.

All the given solution are script-capable or bulk by nature, so i do not catch you very well.

Re: list of different IP addresses to be blocked

Dirk_Casomo — Sun, 21 Jan 2018 15:38:20 GMT

@Dameon Welch Abernathy

example i type the command in the fw console , mgmt_cli -r true add host --batch import.csv do i still need to put the path of the csv file which is on my desktop?

Re: list of different IP addresses to be blocked

PhoneBoy — Sun, 21 Jan 2018 16:17:24 GMT

The command is executed on the management station, not the firewall.

The CSV file would need to be uploaded to the management station (with scp or similar).

If you do not run the command from the same directory that contains import.csv, you will have to enter the path to it.

Re: list of different IP addresses to be blocked

Dirk_Casomo — Mon, 22 Jan 2018 01:29:56 GMT

if i have a standalone setup using 1 firewall, you mean my pc has installed

the smartdashboard on it, then the CSV is on the desktop save. is ok

already, then ill jus include the file path?

On Mon, Jan 22, 2018 at 12:18 AM, Dameon Welch Abernathy <