Dynamic Block Lists for Check Point firewalls

I have cooked together some further improvements on Check Point's 'block TOR' scripts and built a small service around it. This is not an official Check Point function/product and is provided by me in my spare time.

At this moment the following blocklists are implemented:

  • OpenBL
  • Emerging Threats: Known Compromised Hosts
  • TOR exit nodes
  • BruteforceBlocker
  • Blocklist.de All
  • Talos
  • Dshield

The feeds are downloaded, sanity checked and then published on cpdbl.net for free. I am currently running all lists on two separate clusters without any noticeable performance hit. Of course ymmv so all feedback is appreciated. If you want to try it out go to: https://cpdbl.net

Screenshot of the interface:

cpdbl.png

Gateway details:

These scripts utilize the rate limiting policy in SecureXL. Therefore blocking is done in fastpath and should not impact performance noticeably.

Connections from IPs listed in the activated blocklists are only blocked INBOUND. Outgoing communications are currently allowed. I have roadmapped a toggle for this.

VSX is not supported for now.

Workflow:

The server (cpdbl.net) downloads all the lists nightly and

  • Validates that all entries are valid IPs.
  • Baselines the lists, makes sure a list does not suddenly grow enormously.
  • Publishes the lists for the clients to download.

The client:

  • Downloads fresh lists every 12 hours
  • Times out entries in the block-table after 12 hours, hence if cpdbl.net is unavailable all entries will be removed at this time.
  • Validates that only entries containing numbers and "-" are read into the system. (to stop possible code injection)
  • Installs validated entries into blocking tables and waits for 12 hours before starting over again.

To monitor the blocked IP addresses:

R77.30:

In SmartView Tracker, search for "SecureXL message: Quota violation".

R80:

In SmartLog, search for "blade:Firewall Alert".

7 Replies

Re: Dynamic Block Lists for Check Point firewalls

Is there a way to use this with a proxy or does it need to have direct access from the gateway? Talking about R77.30

CP Dynamic Block Lists is a killer, and I will be adding a customized internal URL feed as well in addition to the existing ones in the script, and will modify the script to call that additional feed.

Re: Dynamic Block Lists for Check Point firewalls

Scripts need to be touched a bit to work on R80.20.

/opt/CPshrd-R80/bin/ path in all files should be replaced with /opt/CPshrd-R80.20/bin/

Re: Dynamic Block Lists for Check Point firewalls

This is now opendbl.net

Re: Dynamic Block Lists for Check Point firewalls

Absolutely awesome work Daniel! We love it! As we love dynamic objects 🙂

I "stole" your code (sorry!) and made a VSX version that can be executed via crontab or manually if desired; all required protections are listed in the config file as follows:

[Expert@vsx1-ext:0]# cat blacklist.conf
blocklistde-all
bruteforce
etknown
malwaredomain
sslblock
talos
tor-exit
zeustracker

It has a hard-coded directory set in /home/admin/dynamic_objects as all our dynamic objects are handled there, but you can change it yourself of course. Not as pretty from a UI point of view.

You will need to supply the VS number when running the script, i.e. ./blacklist.sh 3

#!/bin/bash
# VSX version of the opendbl tool https://opendbl.net/
# based on version R80-0.5
# Usage: ./blacklist.sh <VS number>

. /opt/CPshared/5.0/tmp/.CPprofile.sh
source /etc/profile.d/vsenv.sh
fwv=$(fw ver | awk '{print $7}')
opendblv="0.5"
vsid=$1

# The VS number is mandatory; refuse to run without it
if [ -z "$vsid" ]; then
  echo "Usage: $0 <VS number>" >&2
  exit 1
fi

# Update log (abort if the working directory is missing, so the
# cleanup at the end never runs in the wrong place)
cd /home/admin/dynamic_objects || exit 1
echo "$(date) *** Starting update ***" >> blacklist.log
echo "   VS-$vsid" >> blacklist.log

# Download all lists via VS0
vsenv 0
while read -r line; do

  url="https://opendbl.net/lists/${line}.list"
  curl_cli -s --cacert opendbl.crt --user-agent "$fwv $opendblv" --retry 10 --retry-delay 60 "$url" | dos2unix > "${line}.blacklist"

done < blacklist.conf

# Implement all lists on desired VS
vsenv $vsid
while read -r line; do

  # Create arrays of IP pairs, at most 2000 pairs per array element
  y=0; z=0; todo=()
  while read -r ip; do
    # Skip empty lines and anything containing characters other than digits, "." and "-"
    if [ -n "$ip" ] && ! [[ "$ip" =~ [^0-9.-] ]]; then
      if [ $z -eq 2000 ]; then
        z=0
        let y=$y+1
      fi
      todo[$y]+=" $ip $ip"
      let z=$z+1
    fi
  done < "${line}.blacklist"

  # Purge fully existing dynamic objects and recreate them empty
  listname=$(echo "$line" | awk -F- '{print $1}')
  dynamic_objects -do dynob_blacklist_${listname}
  dynamic_objects -n dynob_blacklist_${listname}

  # Update with new IP lists from each array element
  # ($i is intentionally unquoted so every "from to" pair becomes separate arguments)
  for i in "${todo[@]}" ; do
    dynamic_objects -o dynob_blacklist_${listname} -r $i -a
  done

  # Update log (y full chunks of 2000 plus the z entries in the last chunk)
  let x=y*2000+z
  echo -e "      $x \t - $listname IPs set" >> blacklist.log

done < blacklist.conf

echo "*** Update finished ***" >> blacklist.log
echo >> blacklist.log
rm -f *.blacklist
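
The character-class test in the original post's client and the `[[ "$ip" =~ [^0-9.-] ]]` check in the script above both accept strings such as 1.2.3.4.5 that are not addresses at all. As an added example (not part of the original post or of either script), this Python version enforces real IPv4 addresses or ranges with the standard ipaddress module and shows the server-side growth baseline; the sample feed, the 2x growth ratio and the 100-entry floor are constructed assumptions.

```python
import ipaddress
import re

# The loose client check described above: a line may contain only digits, "." and "-".
LOOSE_CHECK = re.compile(r"^[0-9.-]+$")

# Constructed sample feed; not a real cpdbl.net / opendbl.net list.
SAMPLE_FEED = """\
# comment line
198.51.100.7
203.0.113.0-203.0.113.255
192.168.1.300
1.2.3.4-1.2.3
1.2.3.4.5
$(reboot)
8.8.8.8;touch /tmp/x
"""

def parse_entry(line):
    """Return (first, last) for 'a.b.c.d' or 'a.b.c.d-e.f.g.h', else None."""
    parts = line.strip().split("-")
    if len(parts) > 2:
        return None
    try:
        first = ipaddress.IPv4Address(parts[0])
        last = ipaddress.IPv4Address(parts[-1])
    except ValueError:          # not four in-range octets: reject, do not guess
        return None
    if last < first:            # reversed range is a feed error, not a block
        return None
    return (str(first), str(last))

def validate_feed(text):
    """Split a downloaded list into accepted (from, to) pairs and rejected lines."""
    accepted, rejected = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        entry = parse_entry(line)
        if entry is None:
            rejected.append(line)   # never forwarded to the blocking tables
        else:
            accepted.append(entry)
    return accepted, rejected

def within_baseline(previous_count, current_count, max_ratio=2.0, min_size=100):
    """Server-side baseline step: refuse a list that grew by more than max_ratio (assumed 2x)."""
    if previous_count < min_size:   # too small to baseline meaningfully (assumed floor)
        return True
    return current_count <= previous_count * max_ratio
```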

Re: Dynamic Block Lists for Check Point firewalls

Hello Daniel,

I don't have the skills to implement this safely, but I would really want such a dynamic IP blacklist on my cluster of R77.30 (with the management already upgraded to 80.X; the rest will follow).

Can someone do it with me like a freelance or prof services? The alternative is my vendor but it's summer and everything is slower here in Switzerland.

thanks a lot,

mike

Re: Dynamic Block Lists for Check Point firewalls

Would anyone be able to comment on whether these lists are not already monitored by Anti-Bot or Anti-Virus reputation feeds?

Re: Dynamic Block Lists for Check Point firewalls

Here is the Forti URL to check such malicious IPs:

https://fortiguard.com/learnmore#botnet

These 2 malicious IPs are not in there but in some of the block lists, like:

https://opendbl.net/lists/blocklistde-all.list

141.98.80.67

185.211.245.198

Maybe someone can share other search engines.
