Create a Post
Showing results for 
Search instead for 
Did you mean: 

Dynamic Block Lists for Check Point firewalls

I have cooked together some further improvements on Check Points 'block TOR' scripts and built a small service around it. This is not an official Check Point function/product and is provided by me in my spare time.

At this moment the following blocklists are implemented:

  • OpenBL
  • Emerging Threats: Known Compromised Hosts
  • TOR exit nodes
  • BruteforceBlocker
  • All
  • Talos
  • Dshield

The feeds are downloaded, sanity checked and then published on for free. I am currently running all lists on two separate clusters without any noticeable performance hit. Of course ymmv so all feedback is appreciated. If you want to try it out go to:

Screenshot of the interface:


Gateway details:

These scripts utilize the rate limiting policy in SecureXL. Therefore blocking is done in fastpath and should not impact performance noticably.

Connections from IPs listed in the activated blocklists are only blocked INBOUND. Outgoing communications are currently allowed. I have roadmapped a toggle for this.

VSX is not supported for now.


The server( downloads all the lists nightly and

  • Validates that all entries are valid IPs.
  • Baselines the lists, makes sure a list does not suddenly grow enormously.
  • Publishes the lists for the clients to download.

The client:

  • Downloads fresh lists every 12 hours
  • Times out entries in the block-table after 12 hours, hence if is unavailable all entries will be removed at this time.
  • Validates that only entries containing numbers and "-" are read into the system. (to stop possible code injection)
  • Installs validated entries into blocking tables and waits for 12 hours before starting over again.

To monitor the blocked IP addresses:


In SmartView Tracker, search for "SecureXL message: Quota violation".


In SmartLog, search for "blade:Firewall Alert".

8 Replies

Is there a way to use this with a proxy or does it need to have direct access from the gateway? Talking about R77.30

CP Dynamic Block Lists  is a killer, and I will be adding a customized internal url feed as well in addition to the existing ones on the script, and will modify the script to call that additional feed. 

0 Kudos

Scripts need to be touched a bit to work on R80.20.

/opt/CPshrd-R80/bin/ path in all files should be replaced with /opt/CPshrd-R80.20/bin/


This is now

0 Kudos

Absolutely awesome work Daniel! We love it! As we love dynamic objects 🙂

I "stole" your code (sorry!) and made VSX version that can be executed via crontab or manually if desired and all required protections listed in config file as follows

[Expert@vsx1-ext:0]# cat blacklist.conf

It has hard coded directory set in /home/admin/dynamic_objects as all our dynamic objects are handled there but you can change it yourself of course. Not as pretty from UI point of view.

You will need to supply VS number when running script, i.e ./ 3


# VSX version of the opendbl tool
# based on version R80-0.5

. /opt/CPshared/5.0/tmp/
source /etc/profile.d/
fwv=`fw ver | awk {'print $7'}`

# Update log
cd /home/admin/dynamic_objects
echo "`date` *** Starting update ***" >> blacklist.log
echo "   VS-$vsid" >> blacklist.log

# Download all lists via VS0
vsenv 0
while read line; do

  url=`echo "${line}.list"`
  curl_cli -s --cacert opendbl.crt --user-agent "$fwv $opendblv" --retry 10 --retry-delay 60 $url | dos2unix > ${line}.blacklist

done < blacklist.conf

# Implement all lists on desired VS
vsenv $vsid
while read line; do

  # Create arrays with max size of 2000 of IP pairs
  y=0; z=0; todo=()
  while read ip; do
    if ! [[ "$ip" =~ [^0-9.-] ]]; then
      todo[$y]+=" $ip $ip"
        if [ $z -eq 2000 ]; then
          let y=$y+1
          let z=$z+1
  done < ${line}.blacklist

  # Purge fully existing dynamic objects
  listname=`echo $line | awk -F- '{print $1}'`
  dynamic_objects -do dynob_blacklist_${listname}
  dynamic_objects -n dynob_blacklist_${listname}

  # Update with new IP lists from each array
  for i in "${todo[@]}" ; do

    dynamic_objects -o dynob_blacklist_${listname} -r $i -a

  # Update log
  let x=y*2000+z
  echo -e "      $x \t - $listname IPs set" >> blacklist.log

done < blacklist.conf

echo "*** Update finished ***" >> blacklist.log
echo >> blacklist.log
rm -f *.blacklist




Hello Daniel,

I don't have the skills to implement this safely but I would really want such dynamic IP blacklist on my cluster of R77.30 (with the management already upgraded to 80.X, the rest will follow ).

Can someone do it with me like a freelance or prof services? The alternative is my vendor but it's summer and everything is slower here in Switzerland.


thanks a lot,


0 Kudos

Would anyone be able to comment if these Lists not already be monitored by Anti-Bot or Anti-Virus reputation feeds?

0 Kudos

Here is the Forti URL to check such malicious IP:

These 2 malicious IPs are not in there but in some of the block lists, like:

Someone can share other search engines maybe.


0 Kudos

OK, so is this still the way to do things now that we have the ability to use external IOC feeds?


Open for discussion either way, just trying to think about improving things, and handling multiple feeds.


I  believe that I am going to either an IOC or a dynamic block list for stuff that I am seeing with my clients to share data among them anonymously.


Ted Serreyn


0 Kudos