Solved: Re: Custom Intelligence Feeds to Generic Data Cent...

George_Ellis · ‎2022-09-28

Hello,

We are not running Anti-Bot or Anti-Virus. While looking at creating a Generic Data Center Object to create a blacklist drop rule, I saw detail on Custom Intelligence Feeds. Has anyone found a cheat way to get Custom Intelligence Feeds into the json referenced in a GDCO? I figure it will need to be a script running to update the fields.

Has anyone tried a method like this? Success? Used a python script running either on the MDM or another server where the json file is?

TIA

Sorin_Gogean · ‎2022-09-29

hey,

I'm running smth similar in a python script (actually is adapted from tor2json script), that takes content from several URL's and extract the IP information and builds the GDC JSON file. Script runs on the Management box and JSON file is addressed locally.

You just need to make sure you treat your sources an sanitize them, and MAKE SURE YOU KEEP THE UUID otherwise the GDC object are not refreshing properly 😊 .

Thank you,

PS: can you offer a link for "Custom Intelligence Feeds" you as an example so I can look a bit over.

View solution in original post

PhoneBoy · ‎2022-09-29

Custom Intelligence Feeds are in CSV format and contain a lot more data than a Generic Datacenter object does.
Never heard of anyone converting but seems plausible to script up.

Sorin_Gogean · ‎2022-09-29

hey,

I'm running smth similar in a python script (actually is adapted from tor2json script), that takes content from several URL's and extract the IP information and builds the GDC JSON file. Script runs on the Management box and JSON file is addressed locally.

You just need to make sure you treat your sources an sanitize them, and MAKE SURE YOU KEEP THE UUID otherwise the GDC object are not refreshing properly 😊 .

Thank you,

PS: can you offer a link for "Custom Intelligence Feeds" you as an example so I can look a bit over.

George_Ellis · ‎2022-09-29

Thanks. I had the original ip_blacklist scripts and these will do nicely, Now to figure out if I can use a GDCO in the Applications policy for URL Blacklist... 🙂

Sorin_Gogean · ‎2022-09-29

Hey,

Glad to be of help.

As for GDC Objects for URL BlackList, as I know you can add only IP's to GDC not URLs/FQDNs - but give it a try and let us know.

(if I understood wrongly let me know)

Ty,

PhoneBoy · ‎2022-10-03

RIght, the Network Feed option in R81.20 will support URLs.
Generic Data Center Objects do not support URLs.

George_Ellis · ‎2022-10-24

With the previous version, it was simple to modify the Check Point provided scripts. Just add a source definition and an additional command. Bash script was not an option for the code, but this was it.

#!/bin/bash

url="https://secureupdates.checkpoint.com/IP-list/IP-blacklist.txt"
url2="https://blacklist.mycompany.com/IP-list/MyCompIP-blacklist.txt"
timeout=3600
comment="IP-blacklist"

function convert {
     while read ip; do
        if [ ${ip:0:1} != "#" ]
        then
            echo "add -a d -l r -t $timeout -c $comment quota service any source range:$ip pkt-rate 0"
        fi
     done
     echo "add -t 2 quota flush true"
}

echo "$(date): Starting" >> $FWDIR/log/IP-blacklist.log

until fw samp add -t 2 quota flush true; do
     sleep 10;
done

while true;  do
     curl -s --cacert $CPDIR/conf/ca-bundle.crt --retry 10 --retry-delay 60 $url | dos2unix | convert | fw samp batch
	 curl -s --cacert $CPDIR/conf/ca-bundle.crt --retry 10 --retry-delay 60 $url2 | dos2unix | convert | fw samp batch
     sleep 1200
done

Are you a member of CheckMates?

Custom Intelligence Feeds to Generic Data Center Objects json file?