Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted

Blocking IP using custom IOC feeds

Hello All,

I am trying to automatically Block IPs from IOC feeds coming from ServiceNow-Secops. I can see, check point is able to fetch IOCs from Secops however, it is not blocking those IPs.

I am using R80.30 (gateway and management are behind proxy and it is standalone). I check sk103154 and it asks me to install script "ip_block_sk103154.tar" . Unfortunately, with my access i am unable to download this script.

 

Please let me know, if there is any work-around for this issue.

19 Replies
Highlighted
Admin
Admin

Re: Blocking IP using custom IOC feeds

What steps did you follow to achieve this?
I'll check on the script to see if we can fix the access permissions.
0 Kudos
Highlighted

Re: Blocking IP using custom IOC feeds

Thank you PhoneBoy for replying.

I followed : sk132193.

Below steps we did for configuration:

To add external feed: ioc_feeds add --feed_name blocklist --transport https --resource https://xxx.com --user_name admin_account

ioc_feeds show : Gives message that feed is active

file : $FWDIR/external_ioc/feed_name_folder/blocklist_https  : Shows the IP address fetched from external feed in format: #UNIQ-NAME,VALUE,TYPE,CONFIDENCE,SEVERITY,PRODUCT,COMMENT

 

While checking sk103154, it says it is known issue with firewalls behind  proxy.

 

PS: Firewall is standalone and behind proxy. Fw version is :  R80.30 - Build 484

 

0 Kudos
Highlighted
Admin
Admin

Re: Blocking IP using custom IOC feeds

The permission issue with the file in sk103154 should be fixed now.
ioc_feeds should support use with a proxy, see: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
0 Kudos
Highlighted

Re: Blocking IP using custom IOC feeds

Hi PhoneBoy,

 

I was able to run script as per sk103154. However, still IP is not getting blocked.

I am trying to block a Private IP (as it is Lab environment). I am still able to ping, ssh firewall from that pvt. IP. Any insight?

PS: There is no error logs in :

$FWDIR/log/ioc_feeder.elg
$FWDIR/log/ext_ioc_push.elg

Thanks in advance.

 

Highlighted

Re: Blocking IP using custom IOC feeds

Small Update:

I tried Blocking it from Smart Console also, by uploading the .csv file as Indicators and still IP is not getting blocked.

Is there any limitation like Private IP cannot be blocked (though it is coming from External interface)? I have created a rule on firewall to allow SSH, Ping and 443 from the Same IP (which i am looking to block through Anti-Bot blade)

0 Kudos
Highlighted
Admin
Admin

Re: Blocking IP using custom IOC feeds

The mechanism that ioc_feeds uses is Anti-Bot and Anti-Virus.
This works for blocking outbound traffic to the specified IPs from internal networks.
It won't block traffic coming FROM those IPs, however.
For that, you can use the scripts in sk103154.
0 Kudos
Highlighted
Copper

Re: Blocking IP using custom IOC feeds

Hi Phoneboy,

 

thanks for that info, because I had no idea IOC only worked for outbound traffic. Now I just tested it I realise you are right. 

 

As we have IOC setup with both a IP and domain list, is there a way to use sk103154 with domains aswell? I would prefer not to have two separate systems for IP and domain, I want to block incoming and outgoing traffic to my IP list, and all outgoing traffic to my domain list. (R80.20)

 

thanks

 

 

 

0 Kudos
Highlighted
Admin
Admin

Re: Blocking IP using custom IOC feeds

No, the scripts in sk103154 only work at the IP level.
With domains, we can really only block if we see the initial DNS query from the client and rewrite it with a non-malicious IP.
That is a function Antibot/Antivirus can provide.
0 Kudos
Highlighted
Copper

Re: Blocking IP using custom IOC feeds

okay thank you.

 

The domain blocking function of IOC waas working well for us but now its stopped blocking the domains and IPs with this error in $FWDIR/log/ioc_feeder.elg:

Feed status ip_list :: engine memory allocation error
Feed status domain_list :: engine memory allocation error

 

Interesting I see the same error on two different clusters that use the same list, I cleared the list out to a single entry in each txt file and still same issue, however if I run "ioc_feeds push" it works successfully and that single entry starts blocking.

 

Also they should really make that clear on sk132193 thats its only outgoing traffic! 

0 Kudos
Highlighted
Admin
Admin

Re: Blocking IP using custom IOC feeds

Recommend opening a TAC case on the memory errors you're seeing.
0 Kudos
Highlighted

Re: Blocking IP using custom IOC feeds

Ryan, I'm working on IOCs nowadays as well and I am experiencing the engine memory allocation error that you had in the past. Wondering if you discovered a fix for it? 

I am opening a TAC case tomorrow to tackle this. 

0 Kudos
Highlighted
Copper

Re: Blocking IP using custom IOC feeds

Hi, I think this should fix the memory allocation error:

 

fw ctl set int g_ci_av_sft_classification_buffer_size 16000

 

 

Highlighted

Re: Blocking IP using custom IOC feeds

Thanks Ryan, I checked and we are already at 16000 as this looks to be the default for R80.30. Opening a TAC now. 

0 Kudos
Highlighted
Nickel

Re: Blocking IP using custom IOC feeds

Is the feed source using self-signed certificate? We're having the same exact issue. The feed is retrieved without problems when added, but fails on the next scheduled IOC pull with memory allocation error.

We've had a SR opened until november, did some debugs and now waiting for CP to investigate the issue. I'll update this thread if we come to the solution.
0 Kudos
Highlighted
Nickel

Re: Blocking IP using custom IOC feeds

As promised. Support figured out what the problem was.

The feed resides on an internal server with a certificate from our internal CA, which is not trusted by default. They added all the certificates in the certificate path to ca_bundle.pem. After that it started working without errors.

You can see if you have cert errors by running $FWDIR/bin/ioc_feeder -d -f and checking $FWDIR/log/ioc_feeder.elg. We had certificate errors like this [ERROR] curl_easy_perform() failed: Peer certificate cannot be authenticated with given CA certificates.

We also tried adding the certificates via https policy to Trusted CA's but found out, that the policy install does not add them to ca_bundle.pem. R&D is still investigationg that.

I can go into more detail on how to add the certificates if anyone needs.

I would expect that the process of adding the server public keys to the bundle would be automatic. Maybe in future versions 🙂

0 Kudos
Highlighted
Admin
Admin

Re: Blocking IP using custom IOC feeds

The certificate store used for HTTPS Inspection and the ioc_feeds CLI could also be different 🤔
0 Kudos
Highlighted
Employee+
Employee+

Re: Blocking IP using custom IOC feeds

It actually is a different certificate store
0 Kudos
Highlighted
Silver

Re: Blocking IP using custom IOC feeds

Same thing happened in my lab:

[17736 4126325536]@cpfw[12 Apr 12:09:48] #############################################
[17736 4126325536]@cpfw[12 Apr 12:09:48] Feed status blacklist-ssl :: engine memory allocation error
[17736 4126325536]@cpfw[12 Apr 12:09:48] #############################################
[17736 4126325536]@cpfw[12 Apr 12:09:48] Feed log External IOC - External Indicators processing failed
blacklist-ssl: Failed to fetch feed. Resource: https://x.x.x.x/black_list/ip.txt, Reason: Peer certificate cannot be authenticated with given CA certificates

 

But http works well.

0 Kudos
Highlighted
Silver

Re: Blocking IP using custom IOC feeds

Dear all,

For those are using Custom Intelligence Feeds function with self-signed https server, you should use the following command:

export EXT_IOC_NO_SSL_VALIDATION=1

Then start your https ioc feeds, I just fixed this problem, according to sk132193:

Feed's resource can be:

  • URL - HTTP/HTTPS (--transport http --resource "http://10.0.0.1/my_feeds/stix_feed.xml")
    *Self-signed certificate HTTPS resource will propmt for user agreement to update the bundle. It is possible to skip the certificate verification by running "export EXT_IOC_NO_SSL_VALIDATION=1" on the gateway.
0 Kudos