
DShield through fw samp batch script

Cross post from CPUG; it was suggested I post this up here for a wider audience.

Hi all, I wanted to post this up in case anyone wanted to give it a go. It is a modification of the IP-blacklist.sh script from sk103154, but it takes advantage of the DShield block list without using the dynamic object. If you follow the sk for permissions and want to install in a lab environment, let me know how it goes. Or if you see a glaring issue with my awk :)

dshield-blocklist.sh:

```bash
#!/bin/bash
# Pull the DShield recommended block list and load it as SecureXL "fw samp"
# quota rules (-a d = drop, -l r = regular log, -t 3600 = one-hour lifetime,
# -c dshield_blocklist = tag that dshield.sh uses to find and remove the rules).

url="http://feeds.dshield.org/block.txt"

function convert {
    # block.txt is tab-separated: start_ip  end_ip  prefix_len  attacks ...
    # Comment lines start with '#'; only lines beginning with a digit are data.
    # awk reads the whole feed itself (a while/read loop around it would let
    # awk swallow the rest of stdin on the first iteration). fw samp expects
    # range:<first>-<last>, so the start and end columns are used.
    awk '/^[0-9]/ && NF >= 2 { printf "add -a d -l r -t 3600 -c dshield_blocklist quota service any source range:%s-%s pkt-rate 0\n", $1, $2 }'
    # Commit the batch
    echo "add -t 2 quota flush true"
}

curl_cli -s --cacert $CPDIR/conf/ca-bundle.crt --retry 10 --retry-delay 60 "$url" | dos2unix | convert | fw samp batch
```

dshield.sh:

```bash
#!/bin/bash
# Turn the hourly DShield blocklist job on or off, or report its status.

op="$1"

is_fw_module=$($CPDIR/bin/cpprod_util FwIsFirewallModule)

# Delete every SAM rule this job created (matched by its comment tag),
# then commit with a flush rule so the removal takes effect.
function remove_existing_sam_rules {
    fw samp get | awk '/comment=dshield_blocklist/{sub("uid=","",$2);print "del "$2}' | fw samp batch 1>/dev/null 2>&1
    fw samp add -t 2 quota flush true 1>/dev/null 2>&1
}

# Run only on GAIA gateways
if [[ "$is_fw_module" -eq 1 && -f /etc/appliance_config.xml ]]; then
    echo "$(date): Starting" >> $FWDIR/log/custom_dshield.log
    case "$op" in
        on)
            # Schedule dshield-blocklist.sh as a recurring cpd task; the 3600 s
            # interval matches the rules' -t 3600 lifetime, so entries are
            # refreshed before they expire.
            $CPDIR/bin/cpd_sched_config add dshield -c "$CPDIR/bin/dshield-blocklist.sh" -e 3600 -r -s
            echo "dshield: Known malicious IP blocking mechanism is ON"
            ;;
        off)
            $CPDIR/bin/cpd_sched_config delete dshield -r
            remove_existing_sam_rules
            echo "dshield: Known malicious IP blocking mechanism is OFF"
            ;;
        stat)
            # Report ON only if a dshield task exists and is marked active
            $CPDIR/bin/cpd_sched_config print | awk 'BEGIN{res="OFF"}/Task/{flag=0}/dshield/{flag=1}/Active: true/{if(flag)res="ON"}END{print "dshield: Known malicious IP blocking mechanism status is "res}'
            ;;
        *)
            echo 'Usage:'
            echo ' dshield.sh <option>'
            echo 'Option:'
            echo ' on: blocks malicious IPs'
            echo ' off: stops malicious IPs blocking'
            echo ' stat: prints the status of malicious IP blocking'
    esac
else
    echo "dshield: This utility is supported on GAIA Security Gateway only"
fi
```

**USE AT YOUR OWN RISK!!**

Also, check out https://cpdbl.net/ for a better solution!

10 Replies

The great thing about this script using the "fw samp" mechanism to block the blacklisted IP addresses is that it all takes place inside SecureXL and has zero impact on whether traffic can be accelerated/templated by SecureXL.  The original dshield.org implementation via IPS signature made almost all traffic crossing the firewall ineligible for acceleration by SecureXL.

--

My book "Max Power: Check Point Firewall Performance Optimization"

now available via http://maxpowerfirewalls.com.

R80.40 addendum for book "Max Power 2020" now available
for free download at http://www.maxpowerfirewalls.com
Employee+

Hi all,

The "fw samp" Rate Limitation for DDOS Protection is indeed the recommended mechanism for scalable, high-performance blocking and rate limitation. There are several ongoing development efforts to wrap this mechanism with usable management interfaces.

We have recently added an IP reputation facility in the Private ThreatCloud product, leveraging "fw samp". This functionality allows customers to manage hundreds of thousands of categorized IP address ranges, and to automate distribution of these feeds to all gateways that are configured to use the private cloud. The solution can support aggregation of multiple private and public intelligence feeds such as the SANS block list, TOR exit points, etc.

Please see SK110394 - Check Point Private ThreatCloud for more information on this product.


Very happy to hear that the fw samp function is being further enhanced to make it easier to use.  As I mentioned in my book this is one heck of an underrated feature.

Nickel

Any ETA on when this functionality will be released to those who do not have a need/will not be purchasing the private threat cloud?

Employee+

You don’t need the Private ThreatCloud to do this, the Private ThreatCloud simply provides a management interface and solves some other issues. We have many customers using SK103154-derived solutions.

Then again, everybody needs a Private ThreatCloud. :)

    Nir

Iron

Nir,

Thanks for adding to this and the additional information. However, I've been asking for some five years now to have a native option in any of the numerous protecting pieces to block Tor exit nodes from outside -> in traffic. I know content filtering can handle inside-out, but I want to be able to simply block Tor exit nodes from reaching anything behind the firewall, i.e.: https://check.torproject.org/exit-addresses

While using SK103154 we could build such, doesn't CP think this would make a very easy to update (ThreatCloud) feed for a standard option selection in native Checkpoint protection?  If there is such an option and I'm missing it - I would love to know that by the way.

Nickel


Hi All,

In my environment I am using Windows-based Management (GAIA R77.30); do I have any option to implement this?

Admin

This script runs on the gateway not management.

That said you should really look at moving your management off Windows as R77.30 is the last version to support Windows.

Nickel

Thanks for your response; I am seeking a solution for my issue. Let me elaborate my exact requirement.

I have a list of malicious IPs downloaded from Cisco and multiple sources (more than 10k); my gateway doesn't have access to the internet. Instead of listing blocked IPs in a custom feed, do we have any provision to read from a text file available locally? If I am blocking 10K IPs, will it degrade firewall performance?

Admin

I'm curious, if your gateway doesn't have Internet access, why would you need to block on the order of 10k IP addresses?

In any case, yes, there are scripts you can execute that will block a list of IPs using a feed you can specify.

While the examples are from our ThreatCloud, you could probably make a version of that file that resides on something your gateway can access. 

See: How to block traffic coming from known malicious IP addresses 

If you can't do that, you can write a script that iterates through your local list using the "fw samp" command to add block IPs.

See: How to configure Rate Limiting rules for DoS Mitigation 

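A worked example for the local-list case raised in the last two replies, doing the same list-to-batch conversion the OP's dshield-blocklist.sh does for the DShield feed: this is added here, not the thread's or Check Point's code. It assumes the fw samp syntax used in the scripts above (a `range:<first>-<last>` source and the `add -t 2 quota flush true` commit, per the rate-limiting SK the reply links); the to_samp_rules and make_sample_list names and the sample list are constructed for this example.

```bash
#!/bin/bash
# Added example: turn a LOCAL blocklist file into "fw samp batch" input for a
# gateway without Internet access. One entry per line: single IPv4, CIDR block
# or first-last range; '#' comments and blank lines are ignored, malformed
# entries are reported on stderr and skipped, duplicates are collapsed, and
# every entry is emitted in the range:<first>-<last> form. It only prints the
# commands; review them, then on the gateway pipe them into: fw samp batch

# to_samp_rules <file> [comment-tag] [timeout-seconds]
to_samp_rules() {
    awk -v tag="${2:-local_blocklist}" -v ttl="${3:-3600}" '
    function ip2n(s,  o) { split(s, o, "."); return o[1]*16777216 + o[2]*65536 + o[3]*256 + o[4] }
    function n2ip(n) { return int(n/16777216) "." int(n/65536)%256 "." int(n/256)%256 "." n%256 }
    function ok(s,  o, i) {                          # valid dotted-quad IPv4?
        if (split(s, o, ".") != 4) return 0
        for (i = 1; i <= 4; i++) if (o[i] !~ /^[0-9]+$/ || o[i] > 255) return 0
        return 1
    }
    function bad() { print "skipping malformed entry at line " NR ": " $0 > "/dev/stderr" }
    { sub(/#.*/, ""); gsub(/[ \t\r]/, "") }          # strip comments, blanks, CRs
    $0 == "" { next }
    {
        if ($0 ~ "^[0-9.]+/[0-9]+$") {               # CIDR: derive network first/last
            split($0, p, "/"); if (!ok(p[1]) || p[2] > 32) { bad(); next }
            size = 2 ^ (32 - p[2]); lo = int(ip2n(p[1]) / size) * size; hi = lo + size - 1
        } else if ($0 ~ "^[0-9.]+-[0-9.]+$") {       # explicit first-last range
            split($0, p, "-"); if (!ok(p[1]) || !ok(p[2])) { bad(); next }
            lo = ip2n(p[1]); hi = ip2n(p[2]); if (lo > hi) { bad(); next }
        } else if (ok($0)) { lo = hi = ip2n($0) }    # single host
        else { bad(); next }
        first = n2ip(lo); last = n2ip(hi); key = first "-" last
        if (key in seen) next; seen[key] = 1         # collapse duplicates
        printf "add -a d -l r -t %d -c %s quota service any source range:%s-%s pkt-rate 0\n", ttl, tag, first, last
    }
    END { print "add -t 2 quota flush true" }        # commit the batch, as dshield-blocklist.sh does
    ' "$1"
}

# Constructed sample list (not a real feed) exercising every input form
make_sample_list() {
    local f; f=$(mktemp)
    printf '%s\n' '# constructed sample blocklist' '203.0.113.7' \
        '203.0.113.0/24   # trailing comment is ignored' \
        '198.51.100.10-198.51.100.20' \
        '203.0.113.7      # exact duplicate, collapsed' \
        'bad.entry        # malformed, skipped with a message' \
        '192.0.2.300      # octet out of range, skipped' > "$f"
    echo "$f"
}

to_samp_rules "$(make_sample_list)"
```

The output is deliberately not piped anywhere, so the generated rules can be checked before they reach `fw samp batch`.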