This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Jesús_Toledano
Contributor
‎2018-02-11 10:37 PM
Jump to solution

Blocking TOR exit nodes with Python and R80.10 API

Hi all,

I wrote a script in Python using our API. The goal was clear, block around 1k IP addresses automatically and in a visual way, not through fw sam rules Smiley Happy

You can execute this script every day manually or you can schedule it using Crontab for example.

Tu use it in your environment you just need to change these variables at the begining and execute it! 

You can find the script here: GitHub - toledanosjesus/chkp 

After the first execution of the script, you just need to configure correctly your firewall policy. You need to have something similar to this:

Be aware this script is using python 2.7. You'll need to modify it a bit in case you want to use python 3.x

Enjoy!

Labels
chkp_r80_tor.zip
1 Solution

Accepted Solutions
HeikoAnkenbrand
Champion Champion
Champion
‎2019-11-24 01:19 AM
In response to Chris_Atkinson
Jump to solution

Better use SecureXL penalty box. It is a mechanism that performs an early drop of packets arriving from suspected sources. 

Controls the IP blacklist in SecureXL. The blacklist blocks all traffic to and from the specified IP addresses. It is an easy way to block certain IP addresses quickly and eficiently on SecureXL level.

The blacklist drops occur in SecureXL, which is more efficient than an Access Control Policy or SAM rule to drop the packets. This can be very helpful e.g. with DoS attacks to block an IP on SecureXL level.

For example, the traffic from and to IP 1.2.3.4 should be blocked at SecureXL level.

On gateway set the IP 1.2.3.4 to Secure XL blacklist:

fwaccel dos blacklist -a 1.2.3.4

On gateway displays all IP's on the SecureXL blacklist:

# fwaccel dos blacklist -s

On gateway delete the IP 1.2.3.4 from Secure XL blacklist:

 fwaccel dos blacklist -d 1.2.3.4

More to SecureXL penalty box read here :

R80.x - Performance Tuning Tip - DDoS „fw sam“ vs. „fwaccel dos“ 

I have created a script to execute this command on all gateways at the same time or on a singel gateway. 

Read more about this script here:

- GAIA - Easy execute CLI commands from management on gateways
- GAIA - Easy execute CLI commands on all gateways simultaneously

I execute this script in a loop on the management server and submit all tor network IP's from management to gateway.

Advantage: I can adjust the addresses almost in real time and don't have to install a policy.

 

 

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

View solution in original post

7 Replies
Robert_Decker
Advisor
‎2018-02-12 01:08 AM
Jump to solution

Very nice, good work!

Please note that we have a python development SDK for API developers on github - 

GitHub - CheckPoint-APIs-Team/cp_mgmt_api_python_sdk: Check Point API Python Development Kit 

It is an open source and includes usage examples.

Robert.

G_W_Albrecht
Legend Legend
Legend
‎2018-02-12 01:24 AM
Jump to solution

I like this one, too !

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
HeikoAnkenbrand
Champion Champion
Champion
‎2018-03-04 01:51 AM
Jump to solution

nice script

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
Chris_Atkinson
Employee Employee
Employee
‎2019-11-24 12:45 AM
Jump to solution

Nice script and probably best used with drop templates / optimized drops (sk90861) enabled and with some consideration of rule position.

CCSM R77/R80/ELITE
0 Kudos
HeikoAnkenbrand
Champion Champion
Champion
‎2019-11-24 01:19 AM
In response to Chris_Atkinson
Jump to solution

Better use SecureXL penalty box. It is a mechanism that performs an early drop of packets arriving from suspected sources. 

Controls the IP blacklist in SecureXL. The blacklist blocks all traffic to and from the specified IP addresses. It is an easy way to block certain IP addresses quickly and eficiently on SecureXL level.

The blacklist drops occur in SecureXL, which is more efficient than an Access Control Policy or SAM rule to drop the packets. This can be very helpful e.g. with DoS attacks to block an IP on SecureXL level.

For example, the traffic from and to IP 1.2.3.4 should be blocked at SecureXL level.

On gateway set the IP 1.2.3.4 to Secure XL blacklist:

fwaccel dos blacklist -a 1.2.3.4

On gateway displays all IP's on the SecureXL blacklist:

# fwaccel dos blacklist -s

On gateway delete the IP 1.2.3.4 from Secure XL blacklist:

 fwaccel dos blacklist -d 1.2.3.4

More to SecureXL penalty box read here :

R80.x - Performance Tuning Tip - DDoS „fw sam“ vs. „fwaccel dos“ 

I have created a script to execute this command on all gateways at the same time or on a singel gateway. 

Read more about this script here:

- GAIA - Easy execute CLI commands from management on gateways
- GAIA - Easy execute CLI commands on all gateways simultaneously

I execute this script in a loop on the management server and submit all tor network IP's from management to gateway.

Advantage: I can adjust the addresses almost in real time and don't have to install a policy.

 

 

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
Josef_Pecher
Explorer
‎2019-11-24 01:31 AM
Jump to solution

nice

0 Kudos
quannl12
Explorer
‎2020-04-13 11:02 AM
Jump to solution

Nice. Does it still work with the R80.40 version?
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    Top