George_Ellis
Collaborator

Custom Intelligence Feeds to Generic Data Center Objects json file?

Jump to solution

Hello,

We are not running Anti-Bot or Anti-Virus.  While looking at creating a Generic Data Center Object to create a blacklist drop rule, I saw details on Custom Intelligence Feeds.  Has anyone found a cheat way to get Custom Intelligence Feeds into the JSON referenced in a GDCO?  I figure it will need to be a script running to update the fields.

Has anyone tried a method like this?  Success?  Used a Python script running either on the MDM or another server where the JSON file is?

TIA


Accepted Solutions
Sorin_Gogean
Advisor

hey,

I'm running something similar in a Python script (actually it is adapted from the tor2json script) that takes content from several URLs, extracts the IP information and builds the GDC JSON file. The script runs on the Management box and the JSON file is addressed locally.

You just need to make sure you treat your sources and sanitize them, and MAKE SURE YOU KEEP THE UUID, otherwise the GDC objects are not refreshing properly 😊.

Thank you,

PS: can you offer a link for "Custom Intelligence Feeds" as an example so I can look a bit over it.

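The approach described in the accepted solution (feed text in, sanitized IP entries out, object UUIDs preserved across rebuilds), as an added Python example that is not Sorin's script and not Check Point code. It assumes the published GDC JSON layout (version/description/objects with name, id, description, ranges), uses a constructed sample feed, and the IP/CIDR/range validation is the example's own.

```python
"""Build a Generic Data Center JSON from IP feed text, keeping object UUIDs stable."""
import ipaddress
import json
import uuid

# Constructed sample feed: a comment, CRLF line endings, a blank line and one junk entry.
SAMPLE_FEED = ("# blacklist feed\r\n198.51.100.7\r\n\r\n203.0.113.0/24\r\n"
               "192.0.2.10-192.0.2.20\r\nnot-an-ip\r\n")


def sanitize_entries(text):
    """Keep only lines that parse as a single IP, a CIDR network or a lo-hi range."""
    keep = []
    for raw in text.splitlines():
        entry = raw.strip()
        if not entry or entry.startswith("#"):
            continue  # blank line or comment
        try:
            if "-" in entry:
                lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
                if lo.version != hi.version or lo > hi:
                    continue  # mixed families or reversed range
            elif "/" in entry:
                ipaddress.ip_network(entry, strict=False)
            else:
                ipaddress.ip_address(entry)
        except ValueError:
            continue  # drop anything the feed served that is not an address
        keep.append(entry)
    return keep


def build_gdc(objects, existing_json=None):
    """objects maps object name -> feed text. Ids are reused from the previous file
    (assumed GDC layout) so the gateway sees the same object and refreshes it."""
    old_ids = {}
    if existing_json:
        for obj in json.loads(existing_json).get("objects", []):
            old_ids[obj["name"]] = obj["id"]
    out = {"version": "1.0", "description": "GDC built from IP feeds", "objects": []}
    for name, text in objects.items():
        out["objects"].append({
            "name": name,
            "id": old_ids.get(name, str(uuid.uuid4())),  # new UUID only for new objects
            "description": "imported from feed",
            "ranges": sanitize_entries(text),
        })
    return out
```

Run it with the previous file's contents passed as `existing_json` and write the result over the JSON path the GDC object points at.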

6 Replies
PhoneBoy
Admin
Admin

Custom Intelligence Feeds are in CSV format and contain a lot more data than a Generic Datacenter object does.
Never heard of anyone converting but seems plausible to script up.

George_Ellis
Collaborator

Thanks.  I had the original ip_blacklist scripts and these will do nicely.  Now to figure out if I can use a GDCO in the Applications policy for URL Blacklist...  🙂

Sorin_Gogean
Advisor

Hey,

Glad to be of help.

As for GDC Objects for URL BlackList, as far as I know you can add only IPs to GDC, not URLs/FQDNs - but give it a try and let us know.

(if I understood wrongly let me know)

Ty,

PhoneBoy
Admin
Admin

Right, the Network Feed option in R81.20 will support URLs.
Generic Data Center Objects do not support URLs.

George_Ellis
Collaborator

With the previous version, it was simple to modify the Check Point-provided scripts.  Just add a source definition and an additional command.  Bash script was not an option for the code, but this was it.

#!/bin/bash

url="https://secureupdates.checkpoint.com/IP-list/IP-blacklist.txt"
url2="https://blacklist.mycompany.com/IP-list/MyCompIP-blacklist.txt"
timeout=3600
comment="IP-blacklist"

# Turn each non-empty, non-comment feed line into an "fw samp add" command.
function convert {
    while read -r ip; do
        # Quote the test and skip blank lines, otherwise an empty line makes "[" fail.
        if [ -n "$ip" ] && [ "${ip:0:1}" != "#" ]; then
            echo "add -a d -l r -t $timeout -c $comment quota service any source range:$ip pkt-rate 0"
        fi
    done
    echo "add -t 2 quota flush true"
}

echo "$(date): Starting" >> "$FWDIR/log/IP-blacklist.log"

# Wait until SAM accepts commands before feeding it the lists.
until fw samp add -t 2 quota flush true; do
    sleep 10
done

# Refresh both feeds every 20 minutes; the second URL is the added custom source.
while true; do
    curl -s --cacert "$CPDIR/conf/ca-bundle.crt" --retry 10 --retry-delay 60 "$url" | dos2unix | convert | fw samp batch
    curl -s --cacert "$CPDIR/conf/ca-bundle.crt" --retry 10 --retry-delay 60 "$url2" | dos2unix | convert | fw samp batch
    sleep 1200
done
