Carl_Neidhardt1
Explorer

Is sk103154 "How to block traffic coming from known malicious IP addresses" supported in R80.20?

sk103154 "How to block traffic coming from known malicious IP addresses" does not reference R80.20.  Are the ip_block scripts and processes supported in R80.20?  Thanks!

0 Kudos
6 Replies
PhoneBoy
Admin

The SK lists R80.20 as one of the relevant versions.

0 Kudos
Carl_Neidhardt1
Explorer

It does now. :) Thanks!

0 Kudos
Douglas_Rich
Contributor

But is it the recommended way?

sk103154 is just a few clever bash scripts, not really a "feature" (still, to whoever wrote it: fun, cool, good job!)

sk103154 has no support for Provider-1 and no support for VSX.

Sure would be cool if they just put this in the same place as "Updatable Objects" sk131852

0 Kudos
PhoneBoy
Admin

There's nothing in this particular solution that seems to preclude use in a MDM or VSX environment that I'm aware of.
The one thing I can see is the underlying "fw samp" is global (not per VS).

There is a note that you should consider using the Custom Intelligence Feature to implement this instead (for R80.10+).
See: https://supportcenter.us.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&so...
0 Kudos
Douglas_Rich
Contributor

I read through the "Custom Intelligence Feature" a few times this morning. I think it's missing some basic explanation (the "for dummies" version); I still haven't wrapped my head around what they are trying to tell us. Plus those require the Anti-Bot and Anti-Virus blades, so it's off the table for some customers and kills any apples-to-apples comparison.
0 Kudos
PhoneBoy
Admin

The TL;DR: You can tell the gateway to import a feed of IOCs on a periodic basis.
The IOCs in those feeds will get blocked by the AV and/or Anti-Bot blades.
The rest of the SK talks about the formats the feed can be in and how to tell the ioc_feeds command to interpret the feed.

This is useful if the feed contains things other than IPs (things like URLs or file hashes).
If you're just doing IPs, then you can use sk103154 or any other variant that scripts calls to the fw samp command.
Updating dynamic objects to do the same thing is also an option, e.g. https://community.checkpoint.com/t5/Developers-API-CLI/Dynamic-Object-Update-Scheduler-Script/m-p/39...
0 Kudos
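An added example, not from this thread, sk103154 or Check Point: a POSIX shell feed sanitiser for the "script that calls fw samp" approach discussed above. It validates each feed entry, drops internal and catch-all ranges, deduplicates, and only then renders the block commands (dry-run); the `fw samp add` argument order is assumed for illustration and should be confirmed against the SK.

```shell
#!/bin/sh
# Added example (not from the thread or sk103154): sanitise a plain-text IP feed
# before any script hands it to "fw samp". A careless feed line can blackhole far
# more than intended, so every entry is validated first.

# Constructed sample feed: comments, duplicates, junk, a private range, a /0.
SAMPLE_FEED='# constructed feed
203.0.113.10
203.0.113.10
198.51.100.0/24
10.0.0.0/8
not-an-ip
192.0.2.300
0.0.0.0/0
203.0.113.11 # trailing comment
'

# Print only syntactically valid public IPv4 addresses / CIDRs, deduplicated.
filter_ip_feed() {
  sed 's/#.*//; s/[[:space:]]//g' | awk '
    /^$/ { next }
    {
      n = split($0, p, "/")
      if (n > 2) next
      # Reject prefixes wider than /8: a feed should never hand us a /0.
      if (n == 2 && (p[2] !~ /^[0-9]+$/ || p[2] + 0 < 8 || p[2] + 0 > 32)) next
      if (split(p[1], o, ".") != 4) next
      for (i = 1; i <= 4; i++) if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) next
      # Drop ranges you never want blocked: RFC1918, loopback, link-local, 0/8.
      if (o[1] == 10 || o[1] == 127 || o[1] == 0) next
      if (o[1] == 172 && o[2] >= 16 && o[2] <= 31) next
      if (o[1] == 192 && o[2] == 168) next
      if (o[1] == 169 && o[2] == 254) next
      if (!seen[$0]++) print
    }'
}

# Number of entries that survive sanitisation of the constructed feed.
sanitised_count() { printf '%s' "$SAMPLE_FEED" | filter_ip_feed | wc -l | tr -d ' '; }

# Render the block commands without running them. The "fw samp add" argument
# order is an ASSUMPTION for illustration; confirm it against sk103154.
render_samp_commands() {
  filter_ip_feed | while read -r entry; do
    case "$entry" in
      */*) echo "fw samp add -a d -l r -t 3600 quota service any source cidr:$entry" ;;
      *)   echo "fw samp add -a d -l r -t 3600 quota service any source range:$entry-$entry" ;;
    esac
  done
}

printf '%s' "$SAMPLE_FEED" | render_samp_commands
```

Only the three public entries reach the rendered commands; the private /8, the /0, the malformed octet and the duplicate are all dropped before anything would touch the gateway.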
