b0neyard
Explorer

Why make blocking Tor nodes so complicated?

Got the request to block Tor nodes on a R81.10 environment.

First thought was the Updatable Objects, which felt to me like a logical place. Unfortunately Tor is not there.

Found SK 103154 (https://support.checkpoint.com/results/sk/sk103154), which suggests using the Generic Data Center object; it also gives a Check Point-maintained online list (https://secureupdates.checkpoint.com/IP-list/TOR.txt), so this felt like the solution.

But that Check Point list is a plain text list, and a Generic Data Center object requires JSON format.

Apparently I wasn't the first with this problem, as I found this script which glues everything together: https://github.com/HGrigorov/checkpoint/blob/main/tor2json

Which is a solution, but at two points I feel Check Point is missing a chance to make this so much more user-friendly.

1 - Why is that Tor list not in the Updatable Objects? I have seen that asked before, in 2020, also.

2 - Why is that Tor list not available as a JSON file for a Generic Data Center object (especially as it is mentioned in that SK as a solution for this situation)?
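
The conversion the post describes, as an added example from the editor (not the tor2json script linked above and not Check Point's own code): it reads a one-address-per-line text list in the shape of TOR.txt and emits the JSON document a Generic Data Center object consumes. The JSON layout used (a top-level version, description and objects array, each object carrying name, id, description and ranges) is the editor's reading of the Generic Data Center file format and should be checked against the current SK before use. The sample list is constructed from RFC 5737 / RFC 3849 documentation addresses, not real Tor nodes, and deriving the object id from the list URL with uuid5 is a design choice of this example, made so the id stays constant across refreshes.

```python
"""Turn a plain-text IP list (one address or CIDR per line, '#' comments)
into the JSON document a Check Point Generic Data Center object consumes.

Editor's example, not the tor2json script from the thread and not Check
Point code. The layout below (version / description / objects[], each
object with name / id / description / ranges[]) is the editor's reading of
the Generic Data Center file format and should be checked against the SK.
"""
import ipaddress
import json
import sys
import uuid

# Source list named in the thread. It doubles as the namespace input for a
# deterministic object id: if the gateway tracks a Generic Data Center
# object by its id, a fresh random id on every refresh would orphan the
# policy reference. Deriving the id from the URL is this example's choice.
TOR_LIST_URL = "https://secureupdates.checkpoint.com/IP-list/TOR.txt"

# Constructed sample using RFC 5737 / RFC 3849 documentation addresses,
# not real Tor nodes. It contains a comment, a duplicate, a blank line, an
# IPv6 host and two unparseable lines to show what gets dropped.
SAMPLE_LIST = """\
# constructed sample, not real Tor exit nodes
198.51.100.7
203.0.113.0/24
198.51.100.7
2001:db8::1

not-an-address
192.0.2.300
"""


def _render(net):
    """Single hosts go out bare; real prefixes keep their /len."""
    if net.prefixlen == net.max_prefixlen:
        return str(net.network_address)
    return str(net)


def parse_ip_lines(text):
    """Return valid addresses/CIDRs, de-duplicated and sorted (v4 then v6).

    Unparseable lines are skipped rather than aborting: one garbled line in
    a long feed should not leave the firewall with an empty object.
    """
    nets = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            continue
        nets[str(net)] = net          # keyed on normalised form -> dedupe
    ordered = sorted(nets.values(), key=lambda n: (n.version, n))
    return [_render(n) for n in ordered]


def build_gdc_document(text, name="TOR nodes", object_id=None):
    """Wrap the parsed list in the Generic Data Center JSON structure."""
    if object_id is None:
        object_id = str(uuid.uuid5(uuid.NAMESPACE_URL, TOR_LIST_URL))
    return {
        "version": "1.0",
        "description": "Generated from " + TOR_LIST_URL,
        "objects": [
            {
                "name": name,
                "id": object_id,
                "description": "Tor node addresses from the Check Point list",
                "ranges": parse_ip_lines(text),
            }
        ],
    }


def to_json(doc):
    """Serialise for writing to the web server the gateway fetches from."""
    return json.dumps(doc, indent=2)


if __name__ == "__main__":
    # Usage: curl -s "$TOR_LIST_URL" | python tor2gdc.py > tor.json
    # then point the Generic Data Center object at wherever tor.json is served.
    sys.stdout.write(to_json(build_gdc_document(sys.stdin.read())) + "\n")
```

Run it on a schedule next to the web server the gateway fetches the JSON from, and keep the object id constant between runs: a fixed id (or one derived deterministically, as here) means refreshing the file updates the existing object's ranges instead of presenting the gateway with a new object every time.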

PhoneBoy
Admin

Upgrade to R81.20 and use Network Feeds, which should be able to read/use this file as-is.

the_rock
Legend

Agree with @PhoneBoy, R81.20 is your answer.

Andy

CaseyB
Advisor

I block TOR nodes using the external IOC feeds in R81.10.

the_rock
Legend

Same here.

Andy

b0neyard
Explorer

Thanks for the quick replies all.

I don't fully agree that upgrading is easy. The external IOC feed seems interesting, although it is in another module; it might be good to add it to the SK, which lists all the options.

And of course Check Point could just add it to updatable objects 😉

the_rock
Legend

I have a JSON file you can use to create a Generic Data Center object, which can then be used in policy to block known bad IPs, and it gets updated every 300 seconds (5 mins).

Andy

PhoneBoy
Admin

The only way to use this file currently is with the Custom Intelligence Feeds options (ioc_feeds).
It cannot be used in either Generic Datacenter Objects or Network Feeds without some modification.
The sk has been updated accordingly.
We are also looking at adding it as an Updatable Object.
