topic Re: R80.20 - IP blacklist in SecureXL in General Topics

R80.20 - IP blacklist in SecureXL

HeikoAnkenbrand — Wed, 20 Mar 2019 20:19:13 GMT

Controls the IP blacklist in SecureXL. The blacklist blocks all traffic to and from the specified IP addresses.

The blacklist drops occur in SecureXL, which is more efficient than an Access Control Policy to drop the packets.

This can be very helpful e.g. with DoS attacks to block an IP on SecureXL level.

For example, the traffic from and to IP 1.2.3.4 should be blocked at SecureXL level.

On gateway set the IP 1.2.3.4 to Secure XL blacklist:

# fwaccel dos blacklist -a 1.2.3.4

On gateway displays all IP's on the SecureXL blacklist:

# fwaccel dos blacklist -s

On gateway delete the IP 1.2.3.4 from Secure XL blacklist:

# fwaccel dos blacklist -d 1.2.3.4

Very nice new function in R80.20!

Furthermore there are also the Penalty Box whitelist in SecureXL.

The SecureXL Penalty Box is a mechanism that performs an early drop of packets that arrive from suspected sources. The purpose of this feature is to allow the Security Gateway to cope better under high traffic load, possibly caused by a DoS/DDoS attack. The SecureXL Penalty Box detects clients that sends packets, which the Access Control Policy drops, and clients that violate the IPS protections. If the SecureXL Penalty Box detect a specific client frequently, it puts that client in a penalty box. From that point, SecureXL drops all packets that arrive from the blocked source IP address. The Penalty Box whitelist in SecureXL lets you configure the source IP addresses, which the SecureXL Penalty Box never blocks.

Re: R80.20 - IP blacklist in SecureXL

_Val_ — Mon, 01 Oct 2018 14:51:48 GMT

You need to use this function with LOTS of care, as it is even less visible that SAM rules...

Re: R80.20 - IP blacklist in SecureXL

HeikoAnkenbrand — Mon, 01 Oct 2018 15:12:18 GMT

Bug or feature?

It is also possible to enter networks. In the handbook there is unfortunately only the IP Address in it and not the network.

It is also suggested that the network is be created. But it will unfortunately not be displayed afterwards.

Regards,

Heiko

Re: R80.20 - IP blacklist in SecureXL

JozkoMrkvicka — Mon, 01 Oct 2018 17:00:18 GMT

Re: R80.20 - IP blacklist in SecureXL

Iain_King — Tue, 02 Oct 2018 00:09:25 GMT

How is this different to SAM?

Re: R80.20 - IP blacklist in SecureXL

PhoneBoy — Tue, 02 Oct 2018 00:24:42 GMT

The blacklist/whitelist is only IP level (either SecureXL drop this IP always or never subject this IP to the Penalty Box).

fw sam and fw samp allow configuring more granular rules.

Re: R80.20 - IP blacklist in SecureXL

HeikoAnkenbrand — Tue, 02 Oct 2018 07:06:54 GMT

I agree with Dameon here. Here is a link to sam penalty box sk that has been around for quite a while:

What is the SecureXL penalty box mechanism for offending IP addresses?

I think the new command is very good for effectively blocking individual IP addresses. For example a DoS attack from a few IP addresses or similar opportunities.

And I also agree with Valeri, the function is to be used with care. Many users will not know it yet and it is also not very transparent visible.

Re: R80.20 - IP blacklist in SecureXL

HeikoAnkenbrand — Tue, 02 Oct 2018 07:17:46 GMT

I also find it interesting that it still works when I disable SecureXL in R80.20. I wouldn't have expected that at this point.

Re: R80.20 - IP blacklist in SecureXL

JozkoMrkvicka — Tue, 02 Oct 2018 09:22:28 GMT

In real life, if you are facing DDoS attack (or broadcast storm), you are not able to log into system anyway (lagging, freezing, not able to execute any single command). Happened to me 2 times. The only solution was to find a root cause and cut that machine. So from logical point of view the better solution would be to move this feature into SmartConsole (some hidden place ) and push the command via SIC with triple confirmation alerts.

Re: R80.20 - IP blacklist in SecureXL

HeikoAnkenbrand — Tue, 02 Oct 2018 09:53:55 GMT

I think that's gonna be a fundamental discussion. From my point of view, DDoS attacks should be blocked at the provider. You can discuss it for a long time.

If I can't get login to the system during an attack, of course I can't do much.

Everything should be configured on the firewall first. Then I don't have the problems later.

I like the option to block IP's on SecureXL level. It is simple and effective.

I think the following function "Accelerated SYN Defender" is the better choice for DoS attacks (SYN Flood attack) on Check Point gateways with enabled SecureXL.

A TCP SYN Flood attack occurs when a host, typically with a forged IP address, sends a flood of TCP [SYN] packets. Each of these TCP [SYN] packets is handled as a connection request, which causes the server to create a half-open (unestablished) TCP connection. This occurs because the server sends a TCP [SYN+ACK] packet, and waits for a response TCP packet that does not arrive. These half-open TCP connections eventually exceed the maximum available TCP connections that causes a denial of service condition. The Check Point Accelerated SYN Defender protects the Security Gateway by preventing excessive TCP connections from being created. The Accelerated SYN Defender uses TCP [SYN] Cookies (particular choices of initial TCP sequence numbers) when under a suspected TCP SYN Flood attack. Using TCP [SYN] Cookies can reduce the load on Security Gateway and on computers behind the Security Gateway. The Accelerated SYN Defender acts as proxy for TCP connections and adjusts TCP {SEQ} and TCP {ACK} values in TCP packets.

You can find more in the manual under:

"fwaccel synatk"

Regards,

Heiko

Re: R80.20 - IP blacklist in SecureXL

Support_Team_Pi — Thu, 04 Oct 2018 19:23:30 GMT

HI Guys,

I always use the following commands to drop ips, subnets, ports and a list of known IPs. See sk67861.

Command	Description
`sim dropcfg`	Configures drop parameters (run '`sim dropcfg`')
`sim dropcfg -h`	Prints the help message with available options for '`dropcfg`' parameter
`sim dropcfg -l`	Prints current drop configuration
`sim dropcfg -f </path_to/file_name>`	Sets drop configuration file
`sim dropcfg -e`	Enforces drop configuration on the external interface only
`sim dropcfg -y`	Avoids confirmation
`sim dropcfg -r`	Resets drop rules

Re: R80.20 - IP blacklist in SecureXL

Sergei_Shir — Sun, 28 Oct 2018 12:40:28 GMT

1) The sim dropcfg command is not available in R80.20

2) Refer to the R80.20 Performance Tuning Administration Guide to see all relevant commands.

Re: R80.20 - IP blacklist in SecureXL

GHaider — Wed, 22 May 2019 18:58:29 GMT

just wanted to note that the blacklist with IPs added to the blacklist with

fwaccel dos blacklist -a 1.2.3.4

do not survive a reboot

Re: R80.20 - IP blacklist in SecureXL

Blason_R — Sun, 26 May 2019 17:46:06 GMT

This is fantastic feature and thanks for sharing.

BTW is there any limitation for number of IP addresses inr fwaccel dos blacklist chain?

Re: R80.20 - IP blacklist in SecureXL

Timothy_Hall — Wed, 19 Jun 2019 01:05:04 GMT

Heiko, blacklists continue to work after SecureXL is disabled in R80.20+ because of the same behavior in the SK below with drop templates, basically all packets associated with a new connection (no connections table match) are always sent to the firewall workers first for handing.

sk150812: High CPU when traffic is dropped by fw_workers

Re: R80.20 - IP blacklist in SecureXL

Vladimir — Wed, 19 Jun 2019 01:13:49 GMT

@_Val_ , speaking of SAM rules, they are visible in SmartView Monitor, as I am pretty sure you know, and I think it would be a grand idea of including the blacklist and whitelist entries in there as well, possibly in the form of the rules.

Would logging the events associated with whitelisted and blacklisted IPs with, perhaps, heavily suppressed logs be possible?

Are there OS syslog events associated with these actions?

Re: R80.20 - IP blacklist in SecureXL

_Val_ — Wed, 19 Jun 2019 10:04:06 GMT

@Vladimir Are you referring to SmartViewMonitor legacy GUI client? If so, I would be very surprised if any inclusions are event possible with R80 family

Re: R80.20 - IP blacklist in SecureXL

Vladimir — Wed, 19 Jun 2019 21:03:56 GMT

@_Val_ , whyever not? This is still the UI for the Monitoring blade in R80.30.

Re: R80.20 - IP blacklist in SecureXL

_Val_ — Thu, 20 Jun 2019 07:03:26 GMT

@Vladimir

Once again, I am asking which specific UI you are referring to, one of SmartConsole tabs or to SmartViewMonitor. When you answer, I can explain 🙂

Re: R80.20 - IP blacklist in SecureXL

Vladimir — Thu, 20 Jun 2019 14:00:12 GMT

I am talking about SAR portion of the SmartViewMonitor:

I do not see the SAR in the Device and License Information of the SmartConsole: