Bob_Zimmerman
MVP Gold

Block Malicious ASNs?

I recently had a conversation on the quality of various signals of malicious intent. ASNs were brought up as an extremely high-quality signal, as they're much more difficult to get (and to change) than public IPs are. Large numbers of "bulletproof hosting" companies typically send their traffic through a very small number of ASNs. It struck me I don't know if there's a good way to block traffic based on source ASN on a Check Point firewall.

Most of my firewalls have enough RAM they could store the global BGP RIB and I guess use routemaps to refuse import of routes from ASNs I want to block. That seems gross and cumbersome, though. I don't like using routing for access control, as it's too low-visibility. When something is wrong, the problem isn't in the logs you check all the time for other problems.

I could get a global BGP feed to a system which can parse it and generate a feed suitable for use with a Network Feed object. Also feels gross, but at least it would generate good log data in the same place as our other drops.

Maybe a good candidate for an RFE for some updatable objects? It doesn't seem feasible to make an updatable object for every ASN, so maybe something more like a domain object?

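As an added example (not code from the original post or from Check Point), here is one way to build the prefix list that the Network Feed approach above needs: it assumes a pre-processed `prefix<TAB>origin ASN` table (a constructed sample is embedded below) and emits a plain one-CIDR-per-line list, collapsing overlapping prefixes so the resulting feed stays small.

```python
import ipaddress

# Constructed sample of a pre-processed RIB: one "prefix<TAB>origin ASN" row per
# announced route (what you get after parsing a BGP dump). Not real data; ASNs
# and prefixes are documentation/reserved ranges.
SAMPLE_RIB = """\
198.51.100.0/24\t64500
198.51.100.0/25\t64500
203.0.113.0/24\t64496
203.0.113.128/25\t64500
192.0.2.0/24\t64501
2001:db8:1::/48\t64500
this line is garbage
10.0.0.0/33\t64500
"""

def parse_rib(text):
    """Yield (network, origin_asn) pairs, skipping rows that do not parse."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2 or not parts[1].isdigit():
            continue
        try:
            net = ipaddress.ip_network(parts[0], strict=False)
        except ValueError:  # malformed prefix such as a /33
            continue
        yield net, int(parts[1])

def prefixes_for_asns(text, blocked_asns):
    """Return (v4, v6) sorted lists of prefixes originated by any blocked ASN.
    Address families are kept apart so they can be loaded as separate feeds."""
    v4, v6 = [], []
    for net, asn in parse_rib(text):
        if asn in blocked_asns:
            (v4 if net.version == 4 else v6).append(net)
    # collapse_addresses merges adjacent and overlapping prefixes, so a /25
    # inside a /24 from the same ASN does not add a redundant feed entry.
    return (sorted(ipaddress.collapse_addresses(v4)),
            sorted(ipaddress.collapse_addresses(v6)))

def render_flat_list(nets):
    """One CIDR per line: the plain-text list a flat-list feed consumes."""
    return "\n".join(str(n) for n in nets) + "\n"

if __name__ == "__main__":
    v4, v6 = prefixes_for_asns(SAMPLE_RIB, {64500})
    print(render_flat_list(v4 + v6), end="")
```

Note that a more-specific prefix announced by a blocked ASN (203.0.113.128/25 here) is kept even when its covering /24 belongs to another ASN, which is the behaviour you want for origin-based blocking.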
PhoneBoy
Admin

fwaccel dos can rate limit (and with a limit of zero, effectively block) based on ASN.
That lacks visibility in SmartConsole, of course.

