This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
xp
Employee
Employee
‎2025-07-22 08:25 PM

Firewall Script Example: Automatically Block IPs

 

1)Purpose:

Utilize SmartEvent's Automatic Reaction feature to automatically execute a response script when specific attack events (such as Nikto scans) are detected, enhancing automation and real-time threat response.

2)Use Case:

A.Security administrators want to automatically block source IPs upon detecting intrusion behaviors like Nikto Security Scanner scans.

B.Integrates SmartEvent’s event detection with custom scripts to enable fast and automated response without manual intervention.

C.Ideal for test or production environments requiring immediate mitigation of known attack patterns, along with response logging.

3)Requirements:

SmartEvent Server and SmartEvent Correlation Unit must be deployed and enabled.

The relevant attack event (e.g., Nikto scan) must be identifiable in the logs and captured by the Correlation Unit.

An Automatic Reaction rule must be configured and linked to a script (the script should be placed in $RTDIR/bin/ext_commands/ on the SmartEvent Server and granted executable permissions).

 

Preview file
8 KB
0 Kudos
9 Replies
the_rock
MVP Gold
MVP Gold
‎2025-07-23 04:12 PM

Will test it in the lab. Does it create a feed with bad IP addresses?

Andy

0 Kudos
xp
Employee
Employee
‎2025-07-23 08:16 PM
In response to the_rock

Yes, it is recommended to create a drop policy in advance, using a predefined address group as the source. This group will be used to store IP addresses from the malicious IP feed.

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2025-07-23 08:29 PM
In response to xp

I assume its run on mgmt server?

Andy

0 Kudos
xp
Employee
Employee
‎2025-07-23 08:49 PM
In response to the_rock

Yes, it runs on the management server. Upload the script to $RTDIR/bin/ext_commands/ and make it executable. Please refer to the "R82 Logging and Monitoring Administrator Guide" or the attachment for details.

Preview file
1459 KB
0 Kudos
the_rock
MVP Gold
MVP Gold
‎2025-07-23 09:05 PM
In response to xp

Will try in the morning...cheers. Thank you!

Andy

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2025-07-24 05:11 AM
In response to xp

Just ran it in my R82 mgmt lab and when I invoke the script, it never finishes, not sure why. I followed exact steps you outlined.

Andy

0 Kudos
xp
Employee
Employee
‎2025-07-24 08:23 AM
In response to the_rock

Here are a few things you can check:

1. you can run cat /home/admin/ext_script.txt on the management server to view the full execution log of the script and identify where it might be hanging.

2. If there's no log output at all,please double-check that User Defined Event Policy is properly configured and deployed.The event may not be triggering the Automatic Reaction as expected.

3. Also,verify that the IPS logs are indeed being generated and that the "attack information" field contains the keyword "xxx(Nikto Security Scanner)",as this is required for the script trigger condition.

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2025-07-24 08:40 AM
In response to xp

I get below.

Andy

[Expert@CP-MANAGEMENT:0]# cat /home/admin/ext_script.txt
2025-07-24 08:08:11 - ===== 新事件触发 =====
[Expert@CP-MANAGEMENT:0]#

0 Kudos
_Val_
Admin
Admin
‎2025-07-23 09:59 PM

Hi @xp , please add some description: use case, purpose, requirements, etc

 

0 Kudos
Upcoming Events

    Sort by:
    CheckMates Events