Matlu
MVP Silver

Automated IP Blocking

Hello, Mates.

I have an environment of several VSX Clusters, which are managed from an MDS.

We currently have many Perimeter FWs, and when we have certain IPs reported as “Malicious”, we need to block them in explicit rules that we have already created in each of the FWs.
The problem with doing it manually is that this task “takes a lot of time”, and we want some automated way to execute it.

Is there any way in the Check Point solutions that allows us to have a more “automated” environment for this type of task?

Thanks for your comments.

Accepted Solutions
the_rock
MVP Gold

Btw, figured I would update you on this post as well...tested R82 VSX for network feeds, no issues.

Andy

13 Replies
the_rock
MVP Gold

Ola bro,

How are you? Have a look at my post from last year, hope it can help you. Network feeds do NOT require AV or AB blades enabled. I would say to begin with, do NOT use stamparm1 and emerg feeds, others are fine, stamparm 2-8.

https://community.checkpoint.com/t5/Security-Gateways/Network-feed/m-p/212407#M40317

Best,

Andy

Matlu
MVP Silver

Hello, my friend.

Some of my Perimeter FWs do have the AV and AB blades enabled, but others do NOT.

Would this way of working with the “Network Feed” work as well in the FWs that have these blades enabled?

Greetings.

the_rock
MVP Gold

Yes sir, 100%. Regardless of whether you have those blades enabled or not, network feeds work fine. I would make sure you have R81.20 installed, as it lets you test the feeds beforehand. Just for context, I work often with a smaller hospital (I mean, for comparison, it's not the size of Ankara City Hospital in Turkey, nothing like that lol), but they were doing the same method for a long time like what you described, adding IPs manually.

I showed them the same post, they added ALL the feeds, and in 3 days they had more than 10 million hits, while before implementing net feeds there were about 25k hits in 1 year.

Andy

Matlu
MVP Silver

And is it possible that even using this method, if it is necessary to add some IPs that report as “Malicious” to our monitoring area, we can somehow add them to the referral “sources”?

For example, you get 3 super strange “Malicious” IPs reported to you.

48.190.1.5
35.120.2.2
191.2.2.4

(Just to give you an example), and you are already using the Network Feeds.
Can these IPs be “tied” to this “Network Feeds” operation? Or would you have to manually create explicit rules to block these particular IPs?

the_rock
MVP Gold

That's right...though, you can search for any given IP when opening the links I posted, the same way you can do Ctrl+F to search for anything in a text file or web page. Keep in mind, any net feed is updated automatically, so you don't have to do anything yourself.

Andy

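One way to tie locally reported IPs into the same Network Feed mechanism, as an added example that is not part of this thread or of Check Point's own tooling: keep your own list of reported addresses, generate a feed file from it, host that file, and point an additional Network Feed object at it, so the gateways pull your list the same way they pull the public ones. The script below assumes the gateway accepts a flat list with one IPv4 address or CIDR per line (the thread does not state the format; that is an assumption to confirm for your version). The upstream feed text is constructed sample data, the three example IPs come from the question, and the `is_covered` check is the programmatic form of the Ctrl+F search Andy describes, so an IP already inside a public feed is not duplicated in your own.

```python
"""Build a flat-list feed file from locally reported malicious IPs.

Added example: not code from this thread or from Check Point. It assumes the
Network Feed object reads a flat list with one IPv4 address or CIDR per line
(an assumption; check the feed format the gateway version accepts). The
upstream feed text below is constructed sample data, not a real feed.
"""
import ipaddress
from typing import Iterable, List

# Constructed sample of a downloaded upstream feed: comments, blank lines and
# a malformed entry are included to show what the parser discards.
UPSTREAM_FEED = """# constructed sample feed
203.0.113.0/24   # a whole /24
198.51.100.7

not-an-ip
"""

# The three "super strange" IPs from the question, plus two that already fall
# inside the upstream feed and one typo, so the checks have something to find.
LOCAL_REPORTS = [
    "48.190.1.5", "35.120.2.2", "191.2.2.4",
    "198.51.100.7", "203.0.113.9", "bad.entry",
]


def parse_feed(text: str) -> List[ipaddress.IPv4Network]:
    """Return the valid IPv4 networks in a flat-list feed, skipping junk.

    Single addresses become /32 networks so every entry supports containment
    checks the same way.
    """
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip trailing comments/space
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            continue  # malformed entry: drop it rather than poison the feed
        if net.version == 4:
            nets.append(net)
    return nets


def is_covered(ip: str, nets: Iterable[ipaddress.IPv4Network]) -> bool:
    """True if the address already falls inside a network of an existing feed
    (the programmatic form of searching the feed page for the IP)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def build_feed(reports: Iterable[str],
               upstream: Iterable[ipaddress.IPv4Network]) -> str:
    """Return feed text for the reported IPs not already covered upstream:
    validated, deduplicated, sorted numerically, one address per line."""
    upstream = list(upstream)  # iterated once per reported IP
    keep = set()
    for item in reports:
        try:
            addr = ipaddress.ip_address(item.strip())
        except ValueError:
            continue  # typo in the source list: skip it
        if addr.version == 4 and not is_covered(str(addr), upstream):
            keep.add(addr)
    lines = [str(a) for a in sorted(keep)]
    return "\n".join(lines) + ("\n" if lines else "")


if __name__ == "__main__":
    print(build_feed(LOCAL_REPORTS, parse_feed(UPSTREAM_FEED)), end="")
```

Serve the generated file over HTTPS from a host the gateways can reach and give that URL to the Network Feed object; the gateways then refresh it on their configured interval, so adding a newly reported IP becomes a one-line change to the source list instead of a rule edit on every firewall. Keeping the source list in version control also gives you a record of who added which address and when, which the manual-rule approach in the question does not.
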
the_rock
MVP Gold

Btw, even if you have any gateways on R80.xx, those can also do net feeds, but I definitely suggest they be on R81.20, if possible, to utilize all the available options.

Andy

the_rock
MVP Gold

@Matlu If you need me to test anything else in the lab, please let me know.

Andy

the_rock
MVP Gold

Just a word of caution though...maybe don't add all of the net feeds I provided at once, start with 2 or 3 and then give it a couple of days and see how many hits you get, just to make sure there are no inadvertent effects.

Andy

Matlu
MVP Silver

[Image attachment 1000071876.jpg: the list of .txt feed file options]

From the list of .txt file options, which option do you recommend to use in my ‘Network Feeds’?

the_rock
MVP Gold

Hey bro,

Here is the thing. My best suggestion is, if you are unsure, always test any IP you are concerned about in the link below, it's very accurate. We always use it to check those things. Besides, the only way to really know is to apply the feed, block it in policy, and then observe and see.

https://www.abuseipdb.com/

Andy
