topic Re: DShield through fw samp batch script in API / CLI Discussion

DShield through fw samp batch script

Alex_Weldon — Wed, 04 May 2016 16:56:49 GMT

Cross post from CPUG it was suggested I post this up here for a wider audience.

Hi all, I wanted to post this up in case anyone wanted to give it a go. It is a modification of the IP-blacklist.sh script from sk103154 but it takes advantage of the DShield block list without using the dynamic object. If you follow the sk for permissions and want to install in a lab environment let me know how it goes. Or if you see a glaring issue with my awk

dshield-blocklist.sh:

#!/bin/bash

url="http://feeds.dshield.org/block.txt"

function convert {

while read line; do

awk '/[^0-9]/ { printf "add -a d -l r -t 3600 -c dshield_blocklist quota service any source range:%s/%s pkt-rate 0\n",$1,$3 }'

done

echo "add -t 2 quota flush true"

}

curl_cli -s --cacert $CPDIR/conf/ca-bundle.crt --retry 10 --retry-delay 60 $url | dos2unix | convert | fw samp batch

dshield.sh:

#!/bin/bash

op="$1"

is_fw_module=$($CPDIR/bin/cpprod_util FwIsFirewallModule)

function remove_existing_sam_rules {

fw samp get | awk '/comment=dshield_blocklist/{sub("uid=","",$2);print "del "$2}' | fw samp batch 1>/dev/null 2>&1

fw samp add -t 2 quota flush true 1>/dev/null 2>&1

}

# Run only on GAIA gateways

if [[ "$is_fw_module" -eq 1 && -f /etc/appliance_config.xml ]]; then

echo "$(date): Starting" >> $FWDIR/log/custom_dshield.log

case "$op" in

on)

$CPDIR/bin/cpd_sched_config add dshield -c "$CPDIR/bin/dshield-blocklist.sh" -e 3600 -r -s

echo "dshield: Known malicious IP blocking mechanism is ON"

;;

off)

$CPDIR/bin/cpd_sched_config delete dshield -r

remove_existing_sam_rules

echo "dshield: Known malicious IP blocking mechanism is OFF"

;;

stat)

cpd_sched_config print | awk 'BEGIN{res="OFF"}/Task/{flag=0}/dshield/{flag=1}/Active: true/{if(flag)res="ON"}END{print "dshield: Known malicious IP blocking mechanism status is "res}'

;;

echo 'Usage:'

echo ' dshield.sh <option>'

echo 'Option:'

echo ' on: blocks malicious IPs'

echo ' off: stops malicious IPs blocking'

echo ' stat: prints the status of malicious IP blocking'

esac

else

echo "dshield: This utility is supported on GAIA Security Gateway only"

**USE AT YOUR OWN RISK!!**

Also, check out https://cpdbl.net/ for a better solution!

Re: DShield through fw samp batch script

Timothy_Hall — Thu, 05 May 2016 03:49:55 GMT

The great thing about this script using the "fw samp" mechanism to block the blacklisted IP addresses is that it all takes place inside SecureXL and has zero impact on whether traffic can be accelerated/templated by SecureXL. The original dshield.org implementation via IPS signature made almost all traffic crossing the firewall ineligible for acceleration by SecureXL.

My book "Max Power: Check Point Firewall Performance Optimization"

now available via http://maxpowerfirewalls.com.

Re: DShield through fw samp batch script

Nir_Naaman — Thu, 16 Jun 2016 07:27:05 GMT

Hi all,

The "fw samp" Rate Limitation for DDOS Protection is indeed the recommended mechanism for scalable, high-performance blocking and rate limitation. There are several ongoing development efforts to wrap this mechanism with usable management interfaces.

We have recently added an IP reputation facility in the Private ThreatCloud product, leveraging "fw samp". This functionality allows customers to manage hundreds of thousands of categorized IP address ranges, and to automate distribution of these feeds to all gateways that are configured to use the private cloud. The solution can support aggregation of multiple private and public intelligence feeds such as the SANS block list, TOR exit points, etc.

Please see SK110394 - Check Point Private ThreatCloud for more information on this product.

Re: DShield through fw samp batch script

Timothy_Hall — Fri, 17 Jun 2016 15:43:25 GMT

Very happy to hear that the fw samp function is being further enhanced to make it easier to use. As I mentioned in my book this is one heck of an underrated feature.

My book "Max Power: Check Point Firewall Performance Optimization"

now available via http://maxpowerfirewalls.com.

Re: DShield through fw samp batch script

Alex_Weldon — Thu, 23 Jun 2016 16:32:00 GMT

Any ETA on when this functionality will be released to those who do not have a need/will not be purchasing the private threat cloud?

Re: DShield through fw samp batch script

Nir_Naaman — Fri, 24 Jun 2016 06:50:08 GMT

You don’t need the Private ThreatCloud to do this, the Private ThreatCloud simply provides a management interface and solves some other issues. We have many customers using SK103154-derived solutions.

Then again, everybody needs a Private ThreatCloud.

Nir

Re: DShield through fw samp batch script

MartinZ — Thu, 11 Aug 2016 12:03:52 GMT

Nir,

Thanks for adding to this and the additional information. However, I've been asking for some five years now to have a native option in any of the numerous protecting pieces to block tor exit nods from outside -> in traffic. I know content filtering can handle Inside-out but I want to be able to simply block tor exit nodes from reaching anything behind the firewall. ie: https://check.torproject.org/exit-addresses

While using SK103154 we could build such, doesn't CP think this would make a very easy to update (ThreatCloud) feed for a standard option selection in native Checkpoint protection? If there is such an option and I'm missing it - I would love to know that by the way.

Re: DShield through fw samp batch script

Renjith_M_P — Fri, 10 Nov 2017 05:01:06 GMT

https://community.checkpoint.com/people/alexa2f878495-07e0-48b1-99f4-0c0740ddee67‌

Hi All,

In my environment i am using Windows base Management (GAIA R77.30) , do i have any option to implement this.

Re: DShield through fw samp batch script

PhoneBoy — Fri, 10 Nov 2017 23:09:02 GMT

This script runs on the gateway not management.

That said you should really look at moving your management off Windows as R77.30 is the last version to support Windows.

Re: DShield through fw samp batch script

Renjith_M_P — Wed, 15 Nov 2017 04:53:19 GMT

Thanks for your response,i am seeking a solution for my issue. let me elaborate my exact requirement.

I have a list of malicious IP downloaded from Cisco and multiple source (more than 10k), my gateway doesn't have accesses to internet. instead of listing blocked IP in custom feed, do we have any provision to read from a text file available locally. if i am blocking 10K IP's will degrade firewall performance?

Re: DShield through fw samp batch script

PhoneBoy — Wed, 15 Nov 2017 05:26:39 GMT

I'm curious, if your gateway doesn't have Internet access, why would you need to block on the order of 10k IP addresses?

In any case, yes, there are scripts you can execute that will block a list of IPs using a feed you can specify.

While the examples are from our ThreatCloud, you could probably make a version of that file that resides on something your gateway can access.

See: How to block traffic coming from known malicious IP addresses

If you can't do that, you can write a script that iterates through your local list using the "fw samp" command to add block IPs.

See: How to configure Rate Limiting rules for DoS Mitigation