Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
HeikoAnkenbrand
Champion Champion
Champion

R80.20 - IP blacklist in SecureXL

Controls the IP blacklist in SecureXL. The blacklist blocks all traffic to and from the specified IP addresses.

The blacklist drops occur in SecureXL, which is more efficient than an Access Control Policy to drop the packets.

This can be very helpful e.g. with DoS attacks to block an IP on SecureXL level.

 

For example, the traffic from and to IP 1.2.3.4 should be blocked at SecureXL level.

 

On gateway set the IP 1.2.3.4 to Secure XL blacklist:

# fwaccel dos blacklist -a 1.2.3.4

 

On gateway displays all IP's on the SecureXL blacklist:

# fwaccel dos blacklist -s

 

On gateway delete the IP 1.2.3.4 from Secure XL blacklist:

fwaccel dos blacklist -d 1.2.3.4

 

Very nice new function in R80.20!

 

 

Furthermore there are also the Penalty Box whitelist in SecureXL.

 

The SecureXL Penalty Box is a mechanism that performs an early drop of packets that arrive from suspected sources. The purpose of this feature is to allow the Security Gateway to cope better under high traffic load, possibly caused by a DoS/DDoS attack. The SecureXL Penalty Box detects clients that sends packets, which the Access Control Policy drops, and clients that violate the IPS protections. If the SecureXL Penalty Box detect a specific client frequently, it puts that client in a penalty box. From that point, SecureXL drops all packets that arrive from the blocked source IP address. The Penalty Box whitelist in SecureXL lets you configure the source IP addresses, which the SecureXL Penalty Box never blocks.

 

More under this link:

Command Line Interface R80.20 Reference Guide

 

Regards,

Heiko

➜ CCSM Elite, CCME, CCTE
23 Replies
_Val_
Admin
Admin

You need to use this function with LOTS of care, as it is even less visible that SAM rules...

Vladimir
Champion
Champion

@_Val_ , speaking of SAM rules, they are visible in SmartView Monitor, as I am pretty sure you know, and I think it would be a grand idea of including the blacklist and whitelist entries in there as well, possibly in the form of the rules.

Would logging the events associated with whitelisted and blacklisted IPs with, perhaps, heavily suppressed logs be possible?

Are there OS syslog events associated with these actions?

0 Kudos
_Val_
Admin
Admin

@Vladimir Are you referring to SmartViewMonitor legacy GUI client? If so, I would be very surprised if any inclusions are event possible with R80 family

0 Kudos
Vladimir
Champion
Champion

@_Val_ , whyever not? This is still the UI for the Monitoring blade in R80.30.

 

0 Kudos
_Val_
Admin
Admin

@Vladimir 

Once again, I am asking which specific UI you are referring to, one of SmartConsole tabs or to SmartViewMonitor. When you answer, I can explain 🙂

0 Kudos
Vladimir
Champion
Champion

I am talking about SAR portion of the SmartViewMonitor:

image.png

 

I do not see the SAR in the Device and License Information of the SmartConsole:

image.png

 

0 Kudos
_Val_
Admin
Admin

Good, this is what I thought you did, @Vladimir 🙂

This is a legacy client which will be let go at some point. You already have some of its functionality ported to SmartConsole. Personally, I cannot expect anything new being added there.

 

How about adding SAM rules and blacklists visibility as a SmartConsole Extension? All you need is some API magic

0 Kudos
Vladimir
Champion
Champion

@_Val_ , nothing against using API for added capabilities, but not as the replacement of the core capabilities of the earlier version.

Consider: the SAM rules creation, visibility and alerting were built-in R77. Every client had an out of the box ability to take advantage of those. Now, unless you are willing to built something for each client, they are lacking features.

Additionally, (and I may be wrong here), aren't SmartConsole extensions not inherited during upgrade to a new versions?

I have similar take on everything that is not embedded in the product: blacklists, custom scripts, GUIDBedits, kernel parameter tuning, etc.. Haven't you ever came into the environment with the systems modified up-to wazoo and poorly documented?

If we are to rely on these means and methods, all of the changes should somehow, (and ideally) , be noted by the system, auto-documented and exportable.

 With the average lifespan of CP equipment of 5 to 7 years before upgrade and average duration of the security admins employment of 2 years these days, things will fall through the cracks.

HeikoAnkenbrand
Champion Champion
Champion

Bug or feature?

It is also possible to enter networks. In the handbook there is unfortunately only the IP Address in it and not the network.

It is also suggested that the network is be created. But it will unfortunately not be displayed afterwards.

Regards,

Heiko

➜ CCSM Elite, CCME, CCTE
JozkoMrkvicka
Mentor
Mentor

Kind regards,
Jozko Mrkvicka
Iain_King
Collaborator

How is this different to SAM?

PhoneBoy
Admin
Admin

The blacklist/whitelist is only IP level (either SecureXL drop this IP always or never subject this IP to the Penalty Box).

fw sam and fw samp allow configuring more granular rules.

HeikoAnkenbrand
Champion Champion
Champion

I agree with Dameon here. Here is a link to sam penalty box sk that has been around for quite a while:

What is the SecureXL penalty box mechanism for offending IP addresses? 

I think the new command is very good for effectively blocking individual IP addresses. For example a DoS attack from a few IP addresses or similar opportunities.

And I also agree with Valeri, the function is to be used with care. Many users will not know it yet and it is also not very transparent visible.

➜ CCSM Elite, CCME, CCTE
HeikoAnkenbrand
Champion Champion
Champion

I also find it interesting that it still works when I disable SecureXL in R80.20. I wouldn't have expected that at this pointSmiley Happy.

➜ CCSM Elite, CCME, CCTE
Timothy_Hall
Champion
Champion

Heiko, blacklists continue to work after SecureXL is disabled in R80.20+ because of the same behavior in the SK below with drop templates, basically all packets associated with a new connection (no connections table match) are always sent to the firewall workers first for handing.

sk150812: High CPU when traffic is dropped by fw_workers

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
JozkoMrkvicka
Mentor
Mentor

In real life, if you are facing DDoS attack (or broadcast storm), you are not able to log into system anyway (lagging, freezing, not able to execute any single command). Happened to me 2 times. The only solution was to find a root cause and cut that machine. So from logical point of view the better solution would be to move this feature into SmartConsole (some hidden place ) and push the command via SIC with triple confirmation alerts.

Kind regards,
Jozko Mrkvicka
HeikoAnkenbrand
Champion Champion
Champion

I think that's gonna be a fundamental discussion. From my point of view, DDoS attacks should be blocked at the provider. You can discuss it for a long time.

If I can't get login to the system during an attack, of course I can't do much.

Everything should be configured on the firewall first. Then I don't have the problems later. 

I like the option to block IP's on SecureXL level. It is simple and effective.

I think the following function "Accelerated SYN Defender" is the better choice for DoS attacks (SYN Flood attack) on Check Point gateways with enabled SecureXL.

A TCP SYN Flood attack occurs when a host, typically with a forged IP address, sends a flood of TCP [SYN] packets. Each of these TCP [SYN] packets is handled as a connection request, which causes the server to create a half-open (unestablished) TCP connection. This occurs because the server sends a TCP [SYN+ACK] packet, and waits for a response TCP packet that does not arrive. These half-open TCP connections eventually exceed the maximum available TCP connections that causes a denial of service condition. The Check Point Accelerated SYN Defender protects the Security Gateway by preventing excessive TCP connections from being created. The Accelerated SYN Defender uses TCP [SYN] Cookies (particular choices of initial TCP sequence numbers) when under a suspected TCP SYN Flood attack. Using TCP [SYN] Cookies can reduce the load on Security Gateway and on computers behind the Security Gateway. The Accelerated SYN Defender acts as proxy for TCP connections and adjusts TCP {SEQ} and TCP {ACK} values in TCP packets.

You can find more in the manual under:

"fwaccel synatk"

Regards,

Heiko

➜ CCSM Elite, CCME, CCTE
Support_Team_Pi
Participant
Participant

HI Guys,

I always use the following commands to drop ips, subnets, ports and a list of known IPs. See sk67861.

CommandDescription
sim dropcfgConfigures drop parameters (run 'sim dropcfg')
sim dropcfg -hPrints the help message with available options for 'dropcfg' parameter
sim dropcfg -lPrints current drop configuration
sim dropcfg -f </path_to/file_name>Sets drop configuration file
sim dropcfg -eEnforces drop configuration on the external interface only
sim dropcfg -yAvoids confirmation
sim dropcfg -rResets drop rules
Sergei_Shir
Employee
Employee

1) The sim dropcfg command is not available in R80.20

2) Refer to the R80.20 Performance Tuning Administration Guide to see all relevant commands.

0 Kudos
GHaider
Participant

just wanted to note that the blacklist with IPs added to the blacklist with

fwaccel dos blacklist -a 1.2.3.4

do not survive a reboot

0 Kudos
mschilt
Explorer

Hey Sergey

I see accelerated drops were remove from SecureXL in R80.20
Are there any plans to bring it back?

Regards, Manuel

 

0 Kudos
Blason_R
Leader
Leader

This is fantastic feature and thanks for sharing.

BTW is there any limitation for number of IP addresses inr fwaccel dos blacklist chain?
Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
rg
Explorer

Hello,

I actually find a limit of 16384 IPs, when my script try to insert the next IP, the response is:

ERROR: IOCTL command CPHWD_IOCTL_DOS_BLACKLIST_ADD to firewall instance 0 was not successful (data->rc = CPHWD_IOCTL_RC_ERROR)

 

Regards.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events