This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
maxtaan
Contributor
‎2023-07-30 12:59 AM

Want to Block IP in CLI.

I want to block a lots of ip(around 2k-2.5k). But in smartconsole, if i want to add them it is kind of impossible task to create 2.5k object manually and add them in a group.

So i want to know is there any option/command/way to add these ip via CLI? and create object against an single ip via CLI? and also add them in a group(new/existing) at a one time?

0 Kudos
17 Replies
Chris_Atkinson
Employee Employee
Employee
‎2023-07-30 02:03 AM

There are some different options available depending on the gateway version and what blades are enabled?

CCSM R77/R80/ELITE
0 Kudos
maxtaan
Contributor
‎2023-07-30 02:25 AM
In response to Chris_Atkinson

fw vpn cvpn urlf av appi ips anti_bot ThreatEmulation content_awareness Scrub, these fiewall blade i have enabled. Plese provide me all the way or one working way.

OS ver: r81.10(Scalable)

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2023-07-30 02:53 AM
In response to maxtaan

CLI or other bulk method examples include:

  • fwaccel dos deny / blacklist - see Here or Here
  • Custom Intelligence Feeds (ioc_feeds) - see Here and Here
  • Management CLI / API - see Here
  • Generic Datacenter objects - see Here and Here
  • Network Feeds (R81.20) - see Here
CCSM R77/R80/ELITE
0 Kudos
maxtaan
Contributor
‎2023-07-30 02:59 AM
In response to Chris_Atkinson

How can i use them? any guide or video? Please help me with details things.

0 Kudos
the_rock
Legend
Legend
‎2023-07-30 10:15 AM
In response to maxtaan

I attached some things for you that can help. Json files, you can use for DC objects in a rule (automatically updated every 5 mins), as well as where you can create indicators themselves). I also pasted some useful links below. You can also make your own ioc feed file.

Andy

 

https://community.checkpoint.com/t5/Partner-Community/How-often-do-ioc-feeds-get-updated/m-p/187524#...

https://support.checkpoint.com/results/sk/sk132193

https://sc1.checkpoint.com/documents/R80.40/WebAdminGuides/EN/CP_R80.40_ThreatPrevention_AdminGuide/...

https://community.checkpoint.com/t5/Security-Gateways/What-is-the-maximum-IOC-feed-range/m-p/174070#...

 

Preview file
500 KB
LDCDropNodes.json
TOR.json
0 Kudos
Bob_Zimmerman
Authority
Authority
‎2023-07-30 09:04 PM
In response to maxtaan

The big differences:

  • fwaccel dos deny / blacklist is handled on the firewall's command line. Good for immediate, but short-lived blocks.
  • Management CLI / API is handled on the management server's command line (or web calls to the management server). You end up with objects in your management server which you can later see with SmartConsole. This is good for long-lived stuff you don't expect to change frequently. Requires a policy push to take effect.
  • ioc_feeds, generic datacenter objects, and R81.20 network feeds cause the firewall to download a list from some external system. ioc_feeds only blocks the things in the list. Generic datacenter objects and R81.20 network feed objects could potentially be used to allow the things in the list. If you have an incident response team which is separate from the firewall team, these features can allow the incident response team to block attackers more quickly by updating a feed which they control.
the_rock
Legend
Legend
‎2023-07-30 10:20 AM

However, IF you prefer to add IPs manually, you can do it via API, example below. Then, once those addresses are in dashboard, its easy to group them.

Andy

https://sc1.checkpoint.com/documents/latest/APIs/#~v1.9%20

mgmt_cli add host name "BAD_185.206.27.13" ip-address "185.206.27.13" --format json
mgmt_cli add host name "BAD_162.208.16.20" ip-address "162.208.16.20" --format json
mgmt_cli add host name "BAD_89.248.165.131" ip-address "89.248.165.131" --format json
mgmt_cli add host name "BAD_185.206.24.70" ip-address "185.206.24.70" --format json
mgmt_cli add host name "BAD_162.208.16.14" ip-address "162.208.16.14" --format json
mgmt_cli add host name "BAD_87.251.75.45" ip-address "87.251.75.45" --format json
mgmt_cli add host name "BAD_185.206.24.50" ip-address "185.206.24.50" --format json

Obviously, you can give them any name you like : - )

Hugo_vd_Kooij
Leader
Leader
‎2023-07-31 12:52 AM
In response to the_rock

I would most definitly put a tag on them.  It has become my "standard" in all scripting to add a tag to objects so I can easiliy use the tag later. Some scripts add up to 3 different tags as it makkes sense in our setup.

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>
0 Kudos
(1)
maxtaan
Contributor
‎2023-07-31 10:06 AM
In response to the_rock

Hello @the_rock Sir,

Mgmt API works only for r81.20. But Environment where i need to add multiple IP it's run on r81.10. And others procudre is so complex(sorry to say). Is these are the best practice for add multiple ip's??

We can add multiple url by exporting .csv file. Is there any option/way like that?

0 Kudos
the_rock
Legend
Legend
‎2023-07-31 10:11 AM
In response to maxtaan

That process works 100% on R81.10, done it many times.

Yes, you can use CSV, but its more appliabce when adding them to app site, as shown below, which you can then use in the rule, as long as you have appc/urlf blade enabled.

Andy

 

Screenshot_1.png

0 Kudos
Dario_Perez
Employee Employee
Employee
‎2023-07-31 10:10 AM

I think fwaccel dos deny is the best way to do this

0 Kudos
the_rock
Legend
Legend
‎2023-07-31 10:15 AM
In response to Dario_Perez

Excellent point @Dario_Perez 

@maxtaan Please refer to below, it has all you need.

Andy

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_CLI_ReferenceGuide/Topics-CLIG/PTG...

https://support.checkpoint.com/results/sk/sk112454

 

0 Kudos
maxtaan
Contributor
‎2023-07-31 10:18 AM
In response to Dario_Perez

Hello @Dario_Perez ,

Is it works in maestro (security group and r.81.10) environment?

0 Kudos
Dario_Perez
Employee Employee
Employee
‎2023-07-31 10:36 AM
In response to maxtaan

check https://support.checkpoint.com/results/sk/sk112454

is supported starting R80.20SP with jumbo, which is included on R1+

 

Also I have used before. 

(1)
JH_Ranger
Contributor
‎2025-06-24 08:52 PM
In response to maxtaan

Hi maxtaan, have you managed to apply the fwaccel dos deny in Maestro? I would also prefer to use fwacccel, as it's a lot quicker than doing policy drops.

Also not sure if that command supports dropping entire subnets. The Threat Prevention guide only mentions singular IPs.

0 Kudos
Wolfgang
Authority
Authority
‎2025-06-24 10:01 PM
In response to JH_Ranger

@JH_Ranger it's supported with Maestro and you can add subnets.

see fwaccel dos deny

garrod
Contributor
‎2025-06-24 10:58 PM

Hi,

IOC Feeds can come in Handy, by using a text file or TOR list, you can block list of IP Addresses with no hassle.

https://support.checkpoint.com/results/sk/sk132193

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
 
Upcoming Maestro Events

    CheckMates Events