Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
K_montalvo
Advisor
Jump to solution

BLOCK BAD REPUTATION IPS IN A DYNAMIC WAY

Hello experts,

Kindly guide me if its possible to have like a rule, blade or external connector or any recommended configuration in order to have protection on the Gateway perimeter  to block malicious reported IP address range like botnets, hackers etc? This is with the purpose to reduce having to create objects and manually applied to specific existing block rule on the network access layer.

Thanks!

0 Kudos
(1)
2 Solutions

Accepted Solutions
Chris_Atkinson
Employee Employee
Employee

ioc_feeds, available natively in R81 SmartConsole - refer sk132193.

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_ThreatPrevention_AdminGuide/Topics...

Other options exist depending on your enabled blades and might leverage dynamic / imported objects (sk167210) or the available APIs.

CCSM R77/R80/ELITE

View solution in original post

the_rock
Legend
Legend

Hey bro,

What I always do is use below link, get all IPs from the txt file, slap it in .csv file, import in mgmt, create a rule with group object containing the file you import and thats it.

Andy

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_Chassis_AdminGuide/Topics-Chassis-...

You can also use below sites to confirm if site might be malicious.

https://www.virustotal.com/gui/home/upload

https://www.urlvoid.com

View solution in original post

(1)
32 Replies
Chris_Atkinson
Employee Employee
Employee

ioc_feeds, available natively in R81 SmartConsole - refer sk132193.

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_ThreatPrevention_AdminGuide/Topics...

Other options exist depending on your enabled blades and might leverage dynamic / imported objects (sk167210) or the available APIs.

CCSM R77/R80/ELITE
Magnus-Holmberg
Advisor

known bad IP shouldn´t that be filtered within the IPS blade?

https://www.youtube.com/c/MagnusHolmberg-NetSec
0 Kudos
Chris_Atkinson
Employee Employee
Employee

Anti-bot & Anti-virus have such reputation based protections but if you wish to leverage external or custom feeds you need to use something else.

- ioc_feed

- Network feed objects (R81.20)

CCSM R77/R80/ELITE
0 Kudos
Magnus-Holmberg
Advisor

Sure but correct me out am wrong.

anti bot us for outgoing.

 

having a checkpoint provided ip list of bad stuff for incoming would be great, such as know bot network. Ips would be perfect for this.

https://www.youtube.com/c/MagnusHolmberg-NetSec
0 Kudos
Chris_Atkinson
Employee Employee
Employee

"perfect" is relative, some also might prefer fwaccel dos (SecureXL) level mitigation of such similar lists.

CCSM R77/R80/ELITE
0 Kudos
Magnus-Holmberg
Advisor

Sure, seen also from check point  side as IPS is something you pay for.

 

I would be more than happy to have this as a regular dynamic object just as O365 to have “suspected IP ranges and DNS” 

https://www.youtube.com/c/MagnusHolmberg-NetSec
the_rock
Legend
Legend

so true 🙂

0 Kudos
PhoneBoy
Admin
Admin

The “incoming only” block for Anti-Bot was fixed in R81.
Even in R80.40 and earlier, while an outbound packet was allowed, the inbound replies were correctly blocked.

0 Kudos
Magnus-Holmberg
Advisor

Do you mean that Anti-Bot would block incoming attempts from known “bad” ip addresses to a web server based on these lists it has?

my understanding was been that anti-not was a post infection blade killing the C&C traffic or similar originating from the inside network to destination to C&C “bad ip”

if it dose both then it’s great 🙂
Maybe something I just misunderstood.

https://www.youtube.com/c/MagnusHolmberg-NetSec
0 Kudos
PhoneBoy
Admin
Admin

I had it reversed prior to R81: Inbound wasn't blocked, but the outbound reply was.
Either way, in R81 and above, feeds imported via ioc_feeds will be blocked inbound or outbound.
This is documented here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... 

0 Kudos
Magnus-Holmberg
Advisor

How about anti bot without using custom feeds? 

https://www.youtube.com/c/MagnusHolmberg-NetSec
0 Kudos
PhoneBoy
Admin
Admin

On ThreatCloud feeds, I don't believe we block inbound (but could be wrong about that).

0 Kudos
cem82
Contributor

To utilise custom feeds do need both AB and AV blades enabled not just one of them in R81.10 anyway

0 Kudos
the_rock
Legend
Legend

Hey bro,

What I always do is use below link, get all IPs from the txt file, slap it in .csv file, import in mgmt, create a rule with group object containing the file you import and thats it.

Andy

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_Chassis_AdminGuide/Topics-Chassis-...

You can also use below sites to confirm if site might be malicious.

https://www.virustotal.com/gui/home/upload

https://www.urlvoid.com

(1)
shanil420
Contributor

Hi the_rock!

can you please let me know how to block multiple IP's on Locally managed R81.10.

 

Thanks & Regards,

Shanil

0 Kudos
the_rock
Legend
Legend

Hey @shanil420 ,

Im not overly familiar with SMB appliances, so dont know if same method would work or not, but Im sure there is a way to import a list that can be blocked. Let me spin up a demo and will check for you,

Andy

(1)
shanil420
Contributor

Thank you so much for your quick reply. Much appreciate the support 👍

0 Kudos
the_rock
Legend
Legend

Im still checking if there is good way to do this on locally managed SMB.

Andy

(1)
Tal_Paz-Fridman
Employee
Employee

Please look at IOC Feeds feature:

sk132193 What is the "Custom Intelligence Feeds" feature?

https://support.checkpoint.com/results/sk/sk132193

 

Also refer to:
https://community.checkpoint.com/t5/Threat-Prevention/CheckMates-Tips-and-Tricks-IOCs-TAXII-feeds-an...

 

(1)
the_rock
Legend
Legend

I was more thinking of adding generic data center object that can be used with .json file to block the bad known IPs, but I dont believe thats possible on locally managed SMB?

Andy

 

 

(1)
shanil420
Contributor

Thank you so much Tal, appreciate your support.

Since im a newbie is there any way i can apply this using GUI.

 

0 Kudos
Tal_Paz-Fridman
Employee
Employee

Sure! in SmartConsole go to - Security Policies > Threat Prevention > Select any Threat Prevention Policy > At the bottom go to - Custom Policy Tools > Indicators 

 

IoC Feed.png

(1)
the_rock
Legend
Legend

That would work if it was centrally managed, but its NOT...its locally managed.

Andy

(1)
shanil420
Contributor

Yes this is locally managed. Is there a way to limit Web console & SSH access by geolocation.?   

0 Kudos
the_rock
Legend
Legend

Screenshot_1.png

(1)
shanil420
Contributor

awsome! guess this will help. Thank you so much! 

0 Kudos
shanil420
Contributor

Since this is locally managed how can i add Smartconsole. Will it interfere with the LAN network ?

0 Kudos
the_rock
Legend
Legend

Screenshot_2.png

(1)
shanil420
Contributor

Will changing this affect my LAN network? As per your view what is the best method to manage checkpoint? can you share me an guide pls

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events