Hi Everyone.
I wanted to know if the custom threat indicators only apply to outgoing traffic and not incoming. I have a scenario where an IP listed in the custom indicator is not getting blocked.
Do I need to run/install the IP Block Feature script to block the connections originating from malicious IP sources? The other way I could see is to configure a generic data center object and call the malicious IP database URL.
Checkpoint 5800
ClusterXL Active-Passive
R80.40
Perimeter Firewall
Thanks!
Digo.
Hi Digo,
If I recall inbound blocking is only available from R81 onwards - prior to that it was outbound only. GDC should accomplish what you need, yes.
-Ruan
Hi Ruan,
Is there any SK or document for this?
Thanks,
Digo.
Hi Digo,
It's listed in the "Known Limitations" in sk132193
Edit: I see you did already come across this
Hello,
Please use fwaccel dos deny -a or -l feature and you should be able to block the desired IP addresses.
Hi @Blason_R
Thanks for your response. So, the custom indicator won't block incoming traffic? We get malicious IP lists from our partners and till now we assumed the indicator blocks both-way traffic. I couldn't find any relevant document or SK where it is mentioned that the custom indicator only blocks outgoing traffic, apart from "Inbound traffic to a host behind the gateway does not get blocked, e.g. IP that is on the feed sends ICMP Request to a host behind the gateway. This traffic does not get blocked" in sk132193.
Thanks.
Digo.
Well, fwaccel dos deny will be able to block the traffic inbound; however, consider the case where the traffic is initiated outbound: when the return traffic arrives, this is again inbound and it will be cut on the firewall. So eventually my observation is that fwaccel dos deny is effective at blocking inbound as well as outbound. Yes, inbound it will be knocked off on the first SYN packet; however, outbound it will be killed on the ACK packet.
Thanks, @Blason_R I will try it.
Hello Blason, just a quick question
Indicators by definition help the AntiVirus and AntiBot blades, but as we know, the list of IPs is populated inside the fwaccel dos deny lists.
Well, these lists are enforced before the Access Control and Threat Prevention policies... if this is true, the statement about AntiVirus and AntiBot is not true... am I wrong? Thanks
fwaccel dos rules are enforced in SecureXL and occur even before Implied Rules are allowed 🙂
Indicator lists imported via ioc_feeds are enforced as part of Threat Prevention.
That's correct... but if you add an Indicator you will see that the deny list value, obtained by the command fwaccel dos stats get, increases, curiously by the same number of IPs contained in the imported Indicator list....
Which would also indicate that SecureXL is blocking the IPs imported via ioc_feeds.
Makes sense to do that from a performance perspective.
You can create generic data center objects as per SK indicated and use those to block most known bad IP addresses. I can send you the file I use for that if you like.
Andy
Generic Datacenter objects are only available from R81 and the original poster is in R80.40.
Upgrading is highly recommended since R80.40 will be End of Life at the end of January 2024.
Custom Threat Indicators only block incoming traffic from R81.
However, if the traffic originates from outside, the reply traffic will be blocked by the Custom Threat Indicator.
Note if you have a significant number of indicators, you should upgrade to R81.20 as it supports significantly more indicators than previous versions.
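As an added expectation check (my own code, not from this thread or from Check Point), the script below encodes the behaviour the replies describe for Custom Threat Indicators: outbound connections to a listed IP are blocked on every version, inbound connections from a listed IP are blocked only from R81 onward and otherwise just produce an alert. It assumes the indicator CSV layout name,value,type,confidence,severity,product,comment and uses constructed sample data, so a practitioner can check which of their partner-feed IPs will actually be enforced on a given gateway version.

```python
import csv
import io
from dataclasses import dataclass

# Constructed sample in the custom-indicator CSV layout assumed here
# (one indicator per line: name,value,type,confidence,severity,product,comment).
INDICATOR_CSV = """#NAME,VALUE,TYPE,CONFIDENCE,SEVERITY,PRODUCT,COMMENT
partner-1,198.51.100.7,IP,high,high,AV,partner feed
partner-2,203.0.113.9,IP,medium,high,AB,partner feed
"""


def load_ip_indicators(text):
    """Return the set of IP values from an indicator CSV, skipping comment lines."""
    ips = set()
    for row in csv.reader(io.StringIO(text)):
        if not row or row[0].startswith("#"):
            continue
        value, itype = row[1].strip(), row[2].strip()
        if itype.upper() == "IP":
            ips.add(value)
    return ips


@dataclass
class Conn:
    src: str                    # source IP of the first packet
    dst: str                    # destination IP of the first packet
    dport: int
    initiated_from_outside: bool  # True = inbound connection through the gateway


def expected_verdict(conn, indicators, gateway_version):
    """Expected Custom Threat Indicator outcome as described in the thread:
    outbound to a listed IP blocks everywhere; inbound from a listed IP blocks
    from R81 onward, while R80.40 only logs an alert and accepts the session."""
    parts = gateway_version.lstrip("R").split(".")
    major = int(parts[0])
    minor = int(parts[1]) if len(parts) > 1 else 0
    inbound_supported = (major, minor) >= (81, 0)
    if conn.initiated_from_outside:
        if conn.src in indicators:
            return "block" if inbound_supported else "alert-only"
        return "not-matched"
    return "block" if conn.dst in indicators else "not-matched"


if __name__ == "__main__":
    inds = load_ip_indicators(INDICATOR_CSV)
    smtp = Conn("198.51.100.7", "192.0.2.25", 25, True)  # the SMTP case from this thread
    print(expected_verdict(smtp, inds, "R80.40"), expected_verdict(smtp, inds, "R81.20"))
```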
Hi @PhoneBoy
Thanks for the info. I can see one of the IPs listed in the custom indicator hits SMTP port 25 on one of our public mail IPs and the traffic is accepted. Somehow, the log shows an alert but still accepts the connection.
Thanks,
Digo.
The question is: is there traffic flowing to it beyond that initial packet?
In any case, upgrading from R80.40 is highly recommended.