Digo11
Contributor

Custom Threat Indicator Not Blocking Malicious IP

Hi Everyone.

I wanted to know if the custom threat indicators only apply to outgoing traffic and not incoming. I have a scenario where an IP listed in the custom indicator is not getting blocked. 

Do I need to run/install the IP Block Feature script to block the connections originating from malicious IP sources? The other way I could see is to configure a generic data center object and call the malicious IP database URL.

Checkpoint 5800

ClusterXL Active-Passive

R80.40

Perimeter Firewall

 

Thanks!

Digo.

Accepted Solutions
Blason_R
Leader

Well, fwaccel dos deny will be able to block the traffic inbound. However, consider if the traffic is initiated outbound: when the return traffic arrives, this is again inbound and it will be cut on the firewall. So eventually my observation is that fwaccel dos deny is effective on blocking inbound as well as outbound. Yes, inbound it will be knocked off on the first SYN packets; however, outbound it will be killed on the ACK packet.

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS


16 Replies
Ruan_Kotze
Advisor

Hi Digo,

If I recall, inbound blocking is only available from R81 onwards; prior to that it was outbound only. GDC should accomplish what you need, yes.

-Ruan

Digo11
Contributor

Hi Ruan, 

Is there any SK or document for this? 

Thanks,

Digo.

Ruan_Kotze
Advisor

Hi Digo,

It's listed in the "Known Limitations" in sk132193.

Edit: I see you did already come across this

 

Blason_R
Leader

Hello,

Please use the fwaccel dos deny -a or -l feature, and you should be able to block the desired IP addresses.

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
Digo11
Contributor

Hi @Blason_R 

Thanks for your response. So, the custom indicator won't block incoming traffic? We get malicious IP lists from our partners, and until now we assumed the indicator blocks both-way traffic. I couldn't find any relevant document or SK where it is mentioned that the custom indicator only blocks outgoing traffic, apart from "Inbound traffic to a host behind the gateway does not get blocked, e.g. an IP that is on the feed sends an ICMP Request to a host behind the gateway. This traffic does not get blocked" in sk132193.

Thanks.

Digo.

Digo11
Contributor

Thanks, @Blason_R  I will try it.

CheckPointerXL
Advisor

Hello Blason, just a quick question

Indicators, by definition, help the Anti-Virus and Anti-Bot blades, but as we know, the list of IPs is populated inside the fwaccel dos deny lists.

Well, these lists are enforced before the Access Control and Threat Prevention policies. If this is true, the statement about Anti-Virus and Anti-Bot is not true. Am I wrong? Thanks.

 
PhoneBoy
Admin

fwaccel dos rules are enforced in SecureXL and occur even before Implied Rules are allowed 🙂
Indicator lists imported via ioc_feeds are enforced as part of Threat Prevention.

CheckPointerXL
Advisor

That's correct... but if you add an Indicator, you will see that the deny list value, obtained by the command fwaccel dos stats get, increases, curiously by the same number of IPs contained in the imported Indicator list.

 
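A worked shell example, added here and not part of any post in this thread, tying Blason's fwaccel dos deny -a / -l suggestion to CheckPointerXL's point that the deny-list counter in fwaccel dos stats get grows by the number of imported IPs. It validates a partner feed (dropping malformed entries, duplicates, and RFC 1918 or 0.0.0.0/0 ranges that would cut off your own hosts), writes the cleaned list, and prints the gateway commands to load and verify it. The feed format, the one-entry-per-line file for -l, and the cluster note are assumptions, not taken from the thread or from Check Point documentation; the sample feed is constructed.

```shell
#!/bin/sh
# Added example, not code from this thread or from Check Point. It cleans a
# partner-supplied IP feed before the list is handed to "fwaccel dos deny",
# which the thread names with -a (single address) and -l (list). Assumed:
# the feed format (one IPv4 or IPv4/prefix per line, '#' comments), and that
# -l takes a file with one entry per line. The gateway commands are only
# printed, never executed, so the script is safe to run off-box.

# Constructed sample feed, in the shape a partner might send it.
SAMPLE_FEED='# partner feed, constructed for this example
203.0.113.7
198.51.100.0/24
10.0.0.5           # RFC 1918: would cut off an internal host
203.0.113.7        # duplicate
999.1.1.1          # malformed
192.0.2.44/33      # bad prefix length
192.0.2.44
'

# Return 0 if $1 is a well-formed IPv4 address with an optional /prefix.
valid_ipv4_cidr() {
    case "$1" in
        */*)
            ip=${1%%/*}; prefix=${1#*/}
            case "$prefix" in ''|*[!0-9]*|???*) return 1 ;; esac
            [ "$prefix" -le 32 ] || return 1
            ;;
        *)  ip=$1 ;;
    esac
    case "$ip" in ''|*[!0-9.]*) return 1 ;; esac   # digits and dots only
    rest="$ip."; count=0
    while [ -n "$rest" ]; do
        octet=${rest%%.*}; rest=${rest#*.}
        case "$octet" in ''|????*) return 1 ;; esac  # empty or too long
        [ "$octet" -le 255 ] || return 1
        count=$((count + 1))
    done
    [ "$count" -eq 4 ]
}

# Return 0 for ranges that must never land in a perimeter deny list:
# loopback, link-local, RFC 1918, and anything starting 0. (a stray
# 0.0.0.0/0 entry would deny everything).
is_reserved_ipv4() {
    case "${1%%/*}" in
        0.*|10.*|127.*|169.254.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# Read a feed on stdin; emit one clean, de-duplicated entry per line on
# stdout and report every rejected line on stderr.
normalize_feed() {
    while IFS= read -r line || [ -n "$line" ]; do
        entry=${line%%#*}                                # drop comment
        entry=$(printf '%s' "$entry" | tr -d ' \t\r')    # drop blanks/CRLF
        [ -n "$entry" ] || continue
        if ! valid_ipv4_cidr "$entry"; then
            printf 'reject malformed: %s\n' "$line" >&2
        elif is_reserved_ipv4 "$entry"; then
            printf 'reject reserved:  %s\n' "$line" >&2
        else
            printf '%s\n' "$entry"
        fi
    done | awk '!seen[$0]++'
}

# Write the cleaned list to $2 and print what would be typed on the gateway.
# Run the load on each cluster member (assumption: confirm on your release
# whether the SecureXL deny list is synced between members or survives a
# reboot), then compare the deny-list counter in "fwaccel dos stats get"
# with the entry count printed here.
prepare_deny_list() {
    feed=$1; out=$2
    printf '%s' "$feed" | normalize_feed > "$out"
    n=$(wc -l < "$out" | tr -d ' ')
    printf '# %s entries written to %s\n' "$n" "$out"
    printf 'fwaccel dos deny -l %s\n' "$out"
    printf 'fwaccel dos stats get   # expect the deny list to grow by %s\n' "$n"
}

# Stand-alone run: rejected lines go to stderr, commands to stdout.
prepare_deny_list "$SAMPLE_FEED" "${TMPDIR:-/tmp}/deny_list.txt"
```

Rejected lines are reported on stderr so a bad feed fails loudly instead of silently shrinking, and the gateway commands are printed rather than executed; confirm the exact fwaccel dos deny option syntax on R80.40 before pasting them.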
PhoneBoy
Admin

Which would also indicate that SecureXL is blocking the IPs imported via ioc_feeds.
Makes sense to do that from a performance perspective. 

the_rock
Legend

You can create generic data center objects as per SK indicated and use those to block most known bad IP addresses. I can send you the file I use for that if you like.

Andy

PhoneBoy
Admin

Generic Datacenter objects are only available from R81 and the original poster is in R80.40.
Upgrading is highly recommended since R80.40 will be End of Life at the end of January 2024.

PhoneBoy
Admin

Custom Threat Indicators only block incoming traffic from R81.
However, if the traffic originates from outside, the reply traffic will be blocked by the Custom Threat Indicator.

Note if you have a significant number of indicators, you should upgrade to R81.20 as it supports significantly more indicators than previous versions.

Digo11
Contributor

Hi @PhoneBoy 

Thanks for the info. I can see one of the IPs listed in the custom indicator hitting SMTP port 25 on one of our public mail IPs, and the traffic is accepted. Somehow, the log shows an alert but still accepts the connection.

Thanks,

Digo.

PhoneBoy
Admin

The question is: is there traffic flowing to it beyond that initial packet?
In any case, upgrading from R80.40 is highly recommended.
