the_rock
MVP Diamond

Network feed

Hey boys and girls,

Happy Friday! Figured I would share this, as it's super useful, especially for anyone who is not running AV or AB blades on the firewall to block known bad IPs out there. All you do is create a new network feed (can only be tested if running R81.20) and then those can be used to block the traffic from those feeds. There are 8 of them and all you do is replace the number 1-8 in the link below:

Github link -> https://github.com/stamparm/ipsum

feed example -> https://raw.githubusercontent.com/stamparm/ipsum/master/levels/1.txt

You can create 8 separate network feeds, simply keep replacing numbers sequentially, 1 to 8.

Thanks @delToro1 for sharing this in my other IOC post.

I set it up in my Azure lab and so far got 140K hits in less than 1 day. That is super impressive, even though it's Azure, but I've got no hosts behind the fw in that lab at all.

Example:

Screenshot_1.png

Thanks a bunch as well to Miroslav Stampar for creating this.

https://github.com/stamparm

https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt

 

IMPORTANT NOTE:

PLEASE DON'T USE EMERG AND STAMPARM FEED 1 TO BEGIN WITH, since I had a few customers having issues with those feeds. Stamparm 2-8 are fine, no issues.

Best,
Andy
"Have a great day and if its not, change it"
(1)
48 Replies
the_rock
MVP Diamond

You got it, that's right.

Andy

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
the_rock
MVP Diamond

Latest update with lots of links available for net feeds.

Andy

https://github.com/Bert-JanP/Open-Source-Threat-Intel-Feeds?tab=readme-ov-file

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
the_rock
MVP Diamond

Hey guys,

I know this post is more than a year old, but I found another feed that has probably around 15 mil entries, same as the emerg threat one, so be careful if you do decide to use it.

Andy

https://www.spamhaus.org/drop/drop.txt

reference:

http://iplists.firehol.org/

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Matlu
MVP Silver

Bro,

Have you used an internal server as a “source” to block IPs that “escape” from public Internet sources?

Is it possible to do this?

I have several IPs that I can't find in any of the public sources, and I want to know if we can integrate a Windows/Linux-type server to add the new IPs we need there.

Cheers

0 Kudos
the_rock
MVP Diamond

O yea, worked in my lab just fine.

Andy

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Matlu
MVP Silver

Can you share an image of how you have configured your server in SmartConsole to achieve this goal, please?

Are you using Windows/Linux?

Do you need a license for this?

Cheers

0 Kudos
the_rock
MVP Diamond

I don't have that server online any more, but literally the rule would be that server as source, net feeds as dst, block, and then the same rule, just the other way around. You've got my email, feel free to message me offline, we can connect that way.

Andy

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
the_rock
MVP Diamond

Bro, what exactly was failing for this? Do you have any relevant logs, captures?

Andy

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Matlu
MVP Silver

Hey
Not exactly.

We want to implement it for the first time because we need to generate massive blocks of IPs and domains with a bad reputation.

In many public sources, our IPs and domains reported by our Monitoring area do not appear, so we want to “optimize” this block.

We want to know if we need a “special” license to use Network Feed, and if we can use a Windows Server, where we can include the txt files (one for IPs and another for domains).

0 Kudos
the_rock
MVP Diamond

Nope, you do NOT need any special license to use it. I have eval in my labs and I have used net feeds for some time, no problems.

Andy

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
the_rock
MVP Diamond

Bro, I messaged you offline about this.

Andy

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
PhoneBoy
Admin

Network Feed is considered a basic firewall feature and does not require a specific license.
Refer to the documentation for more details: https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_SecurityManagement_AdminGuid... 

0 Kudos
Jean-Francois_G
Contributor

Is anyone having issues accessing all the different files?

Ex: https://raw.githubusercontent.com/stamparm/ipsum/master/levels/3.txt

I'm receiving

404: Not Found

 

0 Kudos
the_rock
MVP Diamond

Works fine for me, net feed as well, just tested it, both R81.20 and R82.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Jean-Francois_G
Contributor

Yeah, all back online. I opened a ticket on this site and he fixed it.

Link dead ? · Issue #82 · stamparm/ipsum

Not sure if it was him, but I've tried the links from different locations and I was having errors at both locations.

I've received emails like this; that's what alerted me.

 

HeaderDateHour: 18Nov2025 16:05:24; ContentVersion: 5; HighLevelLogKey: N/A; Uuid: {0x0,0x0,0x0,0x0}; SequenceNum: 1; Action:  ; Origin: infFire-s01-01; IfDir: >; InterfaceName: N/A; Alert: mail; OriginSicName: CN=infFire-s01-01,O=CHKMGMT..skav9z; efo_object_name: IOC_IPSUM_7; calc_desc: Error: Update of the Network Feed 'IOC_IPSUM_7' failed because the Security Gateway could not reach the destination. Please edit the object and click 'Check' in order to get more details.; efo_url: https://raw.githubusercontent.com/stamparm/ipsum/master/levels/7.txt; efo_ip_ranges: ; efo_domains: ; efo_records_count: ; efo_invalid_count: ; ProductName: VPN-1 & FireWall-1; ProductFamily: Network

 

Thanks for sharing this BTW, I configured this yesterday, it's really cool.

the_rock
MVP Diamond

Excellent! 

404GIF.gif

Best,
Andy
"Have a great day and if its not, change it"
George_Ellis
Advisor

Zombie Thread Alert - Update
I now have both Network Feeds and GDC working to blacklist IPs.

A note to flag what might be unexpected behavior (but it is not). The method using ip_block_activate.sh, see https://support.checkpoint.com/results/sk/sk103154, mentions a limitation in that it does not support IPv6. Network feeds have a similar behavior when using the tor.txt as a blacklist object in a regular FW rule. If you test your network feed, you get "Unable to process 907 out of 2288 lines in the feed." (numbers may vary as the list updates). If you download the file, sort it, and count the number of IPv6 entries, you get... 907
They look like this

[2a12:a800:0002:0001:0045:0141:0215:0238]

The Test feed dialog does state that it did process 1381 IPs otherwise (the IPv4 entries).

 

NetworkFeedWarning.png

0 Kudos
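The download-and-count check described in the post above can be scripted as a pre-flight pass over any feed file before it is attached to a Network Feed object. This is an added example, not code from the thread or from Check Point. The function names, the sample lines and the `ipv6_enabled` switch are assumptions, and so is the choice to leave blank and `#` comment lines out of the totals.

```python
import ipaddress

# Constructed sample in the style described in the post: plain IPv4 lines,
# bracketed IPv6 lines, a comment and one malformed entry. Not real feed data.
SAMPLE_FEED = """\
# constructed sample feed
192.0.2.10
198.51.100.23
[2001:db8:0002:0001:0045:0141:0215:0238]
[2001:db8::1]
203.0.113.7
not-an-ip
"""

def classify_line(line):
    """Return 'skip', 'ipv4', 'ipv6' or 'invalid' for one feed line."""
    entry = line.strip()
    if not entry or entry.startswith("#"):
        return "skip"  # assumption: blank and comment lines are not counted
    # IPv6 entries in the feed from the post are wrapped in square brackets
    if entry.startswith("[") and entry.endswith("]"):
        entry = entry[1:-1]
    try:
        addr = ipaddress.ip_address(entry)
    except ValueError:
        return "invalid"
    return "ipv4" if addr.version == 4 else "ipv6"

def summarize_feed(text, ipv6_enabled=False):
    """Count entries per class and estimate the lines that would go unprocessed.

    With ipv6_enabled=False, IPv6 entries are added to the unprocessable
    count, matching the behaviour reported in the post (assumption: that
    is the only reason valid entries are rejected).
    """
    counts = {"ipv4": 0, "ipv6": 0, "invalid": 0}
    for line in text.splitlines():
        kind = classify_line(line)
        if kind != "skip":
            counts[kind] += 1
    counts["total"] = counts["ipv4"] + counts["ipv6"] + counts["invalid"]
    skipped_v6 = 0 if ipv6_enabled else counts["ipv6"]
    counts["unprocessable"] = counts["invalid"] + skipped_v6
    return counts

if __name__ == "__main__":
    s = summarize_feed(SAMPLE_FEED)
    print(f"Unable to process {s['unprocessable']} out of {s['total']} lines")
    print(f"IPv4: {s['ipv4']}  IPv6: {s['ipv6']}  invalid: {s['invalid']}")
```

If the `unprocessable` figure for a downloaded feed matches the number in the Test feed dialog, the skipped lines are accounted for by IPv6 entries and malformed lines rather than by a fetch or parsing fault.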
Roslany
Employee

IPv6 should work if the firewall is enabled to process IPv6 traffic:

0 Kudos
George_Ellis
Advisor

Oops.  I meant to mention that IPv6 support is off in the environment.  Thanks for the catch.

 

0 Kudos
