Blocking IP using custom IOC feeds

Hello All,

I am trying to automatically block IPs from IOC feeds coming from ServiceNow SecOps. I can see that Check Point is able to fetch IOCs from SecOps; however, it is not blocking those IPs.

I am using R80.30 (gateway and management are behind a proxy and it is standalone). I checked sk103154 and it asks me to install the script "ip_block_sk103154.tar". Unfortunately, with my access I am unable to download this script.

Please let me know, if there is any work-around for this issue.

10 Replies
Admin

Re: Blocking IP using custom IOC feeds

What steps did you follow to achieve this?
I'll check on the script to see if we can fix the access permissions.

Re: Blocking IP using custom IOC feeds

Thank you PhoneBoy for replying.

I followed sk132193.

Below are the steps we did for configuration:

To add external feed: ioc_feeds add --feed_name blocklist --transport https --resource https://xxx.com --user_name admin_account

ioc_feeds show: gives the message that the feed is active

file: $FWDIR/external_ioc/feed_name_folder/blocklist_https: shows the IP addresses fetched from the external feed in the format: #UNIQ-NAME,VALUE,TYPE,CONFIDENCE,SEVERITY,PRODUCT,COMMENT

While checking sk103154, it says it is a known issue with firewalls behind a proxy.

PS: The firewall is standalone and behind a proxy. FW version is R80.30 - Build 484
Admin

Re: Blocking IP using custom IOC feeds

The permission issue with the file in sk103154 should be fixed now.
ioc_feeds should support use with a proxy, see: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Re: Blocking IP using custom IOC feeds

Hi PhoneBoy,

I was able to run the script as per sk103154. However, the IP is still not getting blocked.

I am trying to block a private IP (as it is a lab environment). I am still able to ping and SSH to the firewall from that private IP. Any insight?

PS: There are no error logs in:

$FWDIR/log/ioc_feeder.elg
$FWDIR/log/ext_ioc_push.elg

Thanks in advance.


Re: Blocking IP using custom IOC feeds

Small Update:

I tried blocking it from SmartConsole also, by uploading the .csv file as Indicators, and the IP is still not getting blocked.

Is there any limitation such that a private IP cannot be blocked (though it is coming from the external interface)? I have created a rule on the firewall to allow SSH, ping and 443 from the same IP (which I am looking to block through the Anti-Bot blade).
Admin

Re: Blocking IP using custom IOC feeds

The mechanism that ioc_feeds uses is Anti-Bot and Anti-Virus.
This works for blocking outbound traffic to the specified IPs from internal networks.
It won't block traffic coming FROM those IPs, however.
For that, you can use the scripts in sk103154.
Ryan_Ryan
Copper

Re: Blocking IP using custom IOC feeds

Hi Phoneboy,

Thanks for that info, because I had no idea IOC only worked for outbound traffic. Now that I have tested it, I realise you are right.

As we have IOC set up with both an IP and a domain list, is there a way to use sk103154 with domains as well? I would prefer not to have two separate systems for IP and domain; I want to block incoming and outgoing traffic to my IP list, and all outgoing traffic to my domain list. (R80.20)

Thanks

Admin

Re: Blocking IP using custom IOC feeds

No, the scripts in sk103154 only work at the IP level.
With domains, we can really only block if we see the initial DNS query from the client and rewrite it with a non-malicious IP.
That is a function Antibot/Antivirus can provide.
Ryan_Ryan
Copper

Re: Blocking IP using custom IOC feeds

Okay, thank you.

The domain blocking function of IOC was working well for us, but now it has stopped blocking the domains and IPs, with this error in $FWDIR/log/ioc_feeder.elg:

Feed status ip_list :: engine memory allocation error
Feed status domain_list :: engine memory allocation error

Interestingly, I see the same error on two different clusters that use the same list. I cleared the list out to a single entry in each txt file and still the same issue; however, if I run "ioc_feeds push" it works successfully and that single entry starts blocking.

Also, they should really make it clear in sk132193 that it's only outgoing traffic!
Admin

Re: Blocking IP using custom IOC feeds

Recommend opening a TAC case on the memory errors you're seeing.