topic Re: Custom Threat Indicator Not Blocking Malicious IP in General Topics

Custom Threat Indicator Not Blocking Malicious IP

Digo11 — Mon, 29 May 2023 05:31:14 GMT

Hi Everyone.

I wanted to know if the custom threat indicators only apply to outgoing traffic and not incoming. I have a scenario where an IP listed in the custom indicator is not getting blocked.

Do I need to run/install the IP Block Feature script to block the connections originating from malicious IP sources? The other way I could see is to configure a generic data center object and call the malicious IP database URL.

Checkpoint 5800

ClutserXL Active-Passive

R80.40

Perimeter Firewall

Thanks!

Digo.

Re: Custom Threat Indicator Not Blocking Malicious IP

Ruan_Kotze — Mon, 29 May 2023 05:49:32 GMT

Hi Digo,

If I recall inbound blocking is only available from R81 onwards - prior to that it was outbound only. GDC should accomplish what you need, yes.

-Ruan

Re: Custom Threat Indicator Not Blocking Malicious IP

Digo11 — Mon, 29 May 2023 06:44:56 GMT

Hi Ruan,

Is there any SK or document for this?

Thanks,

Digo.

Re: Custom Threat Indicator Not Blocking Malicious IP

Blason_R — Mon, 29 May 2023 06:55:41 GMT

Hello,

Please use fwaccel dos deny -a or -l feature and you should be able to block the desired IP addresses.

Re: Custom Threat Indicator Not Blocking Malicious IP

Digo11 — Mon, 29 May 2023 07:08:15 GMT

Hi @Blason_R

Thanks for your response. So, the custom indicator won't block incoming traffic? We get malicious IP lists from our partners and till now we assumed the indicator blocks both-way traffic. I couldn't find any relevant document or SK, where it is mentioned that the custom indicator only blocks only outgoing traffic apart from "Inbound traffic to a host behind the gateway, does not get blocked, e.g: IP that is on the feed, sends ICMP Request to a host behind the gateway. This traffic does not get blocked" in SK 132193.

Thanks.

Digo.

Re: Custom Threat Indicator Not Blocking Malicious IP

Blason_R — Mon, 29 May 2023 08:11:29 GMT

Well fwaccel dos deny will be able to block the traffic inbound however consider if the traffic is initiated outbound however if the return traffic arrives this is again an inbound and it will be cut on firewall. So eventually my observation is fwaccel dos deny is effective on blocking inbound and as well as outbound. Yes Inbound it will be knocked off on first SYN packets however outbound it will be killed on Ack packet.

Re: Custom Threat Indicator Not Blocking Malicious IP

Ruan_Kotze — Mon, 29 May 2023 08:36:49 GMT

Hi Digo,

It's listed in the "Known Limitations" in sk132193

Edit: I see you did already come across this

Re: Custom Threat Indicator Not Blocking Malicious IP

the_rock — Mon, 29 May 2023 12:19:33 GMT

You can create generic data center objects as per SK indicated and use those to block most known bad IP addresses. I can send you the file I use for that if you like.

Andy

Re: Custom Threat Indicator Not Blocking Malicious IP

PhoneBoy — Mon, 29 May 2023 15:30:23 GMT

Custom Threat Indicators only block incoming traffic from R81.
However, if the traffic originates from outside, the reply traffic will be blocked by the Custom Threat Indicator.

Note if you have a significant number of indicators, you should upgrade to R81.20 as it supports significantly more indicators than previous versions.

Re: Custom Threat Indicator Not Blocking Malicious IP

PhoneBoy — Mon, 29 May 2023 15:32:21 GMT

Generic Datacenter objects are only available from R81 and the original poster is in R80.40.
Upgrading is highly recommended since R80.40 will be End of Life at the end of January 2024.

Re: Custom Threat Indicator Not Blocking Malicious IP

Digo11 — Tue, 30 May 2023 05:09:29 GMT

Thanks, @Blason_R I will try it.

Re: Custom Threat Indicator Not Blocking Malicious IP

Digo11 — Tue, 30 May 2023 05:15:01 GMT

Hi @PhoneBoy

Thanks for the info. I can see one of the IPs listed in the custom indicator hits on port SMTP port 25 to one of our public mail IPs and the traffic is accepted. Somehow, the log shows as an alert but still accepts the connection.

Thanks,

Digo.

Re: Custom Threat Indicator Not Blocking Malicious IP

PhoneBoy — Tue, 30 May 2023 16:30:26 GMT

The question is: is there traffic flowing to it beyond that initial packet?
In any case, upgrading from R80.40 is highly recommended.

Re: Custom Threat Indicator Not Blocking Malicious IP

CheckPointerXL — Fri, 23 Jun 2023 08:24:33 GMT

Hello Blason, just a quick question

Indicators by definition it helps AntiVirus and AntiBot blades, but like we know, list of ips are populated inside fwaccel dos deny lists.

Well, these lists are enforced before Access Control and Threat Prevention policies.... if this is true, the statement about antivirus and antibot is not true...am i wrong? thanks

Re: Custom Threat Indicator Not Blocking Malicious IP

PhoneBoy — Fri, 23 Jun 2023 15:09:44 GMT

fwaccel dos rules are enforced in SecureXL and occur even before Implied Rules are allowed 🙂
Indicator lists imported via ioc_feeds are enforced as part of Threat Prevention.

Re: Custom Threat Indicator Not Blocking Malicious IP

CheckPointerXL — Fri, 23 Jun 2023 15:27:15 GMT

That's correct... but, if you add an Indicator you will see the the deny list value, obtained by the command fwaccel dos stats get, that increases, curiosly the same number of IPs contained in the imported Indicator list....

Re: Custom Threat Indicator Not Blocking Malicious IP

PhoneBoy — Fri, 23 Jun 2023 18:54:44 GMT

Which would also indicate that SecureXL is blocking the IPs imported via ioc_feeds.
Makes sense to do that from a performance perspective.