Hello experts,
Kindly guide me if it's possible to have something like a rule, blade, external connector or any recommended configuration in order to have protection on the Gateway perimeter to block reported malicious IP address ranges like botnets, hackers etc.? This is with the purpose of reducing the need to create objects and manually apply them to a specific existing block rule on the network access layer.
Thanks!
ioc_feeds, available natively in R81 SmartConsole - refer sk132193.
Other options exist depending on your enabled blades and might leverage dynamic / imported objects (sk167210) or the available APIs.
Known bad IPs, shouldn't that be filtered within the IPS blade?
Anti-bot & Anti-virus have such reputation based protections but if you wish to leverage external or custom feeds you need to use something else.
- ioc_feed
- Network feed objects (R81.20)
Sure, but correct me if I am wrong.
Anti-Bot is for outgoing.
Having a Check Point provided IP list of bad stuff for incoming would be great, such as known bot networks. IPS would be perfect for this.
"perfect" is relative, some also might prefer fwaccel dos (SecureXL) level mitigation of such similar lists.
Sure, seen also from the Check Point side, as IPS is something you pay for.
I would be more than happy to have this as a regular dynamic object just as O365 to have “suspected IP ranges and DNS”
so true 🙂
The “incoming only” block for Anti-Bot was fixed in R81.
Even in R80.40 and earlier, while an outbound packet was allowed, the inbound replies were correctly blocked.
Do you mean that Anti-Bot would block incoming attempts from known “bad” ip addresses to a web server based on these lists it has?
My understanding has been that Anti-Bot was a post-infection blade killing the C&C traffic or similar originating from the inside network to the C&C “bad IP” destination.
If it does both then it’s great 🙂
Maybe something I just misunderstood.
I had it reversed prior to R81: Inbound wasn't blocked, but the outbound reply was.
Either way, in R81 and above, feeds imported via ioc_feeds will be blocked inbound or outbound.
This is documented here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
How about anti bot without using custom feeds?
On ThreatCloud feeds, I don't believe we block inbound (but could be wrong about that).
To utilise custom feeds you do need both AB and AV blades enabled, not just one of them, in R81.10 anyway.
Hey bro,
What I always do is use the link below, get all IPs from the txt file, slap them in a .csv file, import it in mgmt, create a rule with a group object containing the file you import, and that's it.
Andy
You can also use below sites to confirm if site might be malicious.
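The txt-to-csv step described in the post above, as an added example that is not part of the original thread and not Check Point code: it validates a plain-text blocklist, drops duplicates, merges adjacent ranges, and refuses any entry that overlaps your own networks before the list reaches a block rule. The CSV column layout, the `blk` name prefix, the `PROTECTED` list and the sample feed are assumptions; match the columns to what your management import expects.

```python
import csv
import io
import ipaddress

# Ranges that must never land in a block rule: RFC 1918, loopback, and the
# organisation's own public range (198.51.100.0/24 is a constructed stand-in).
PROTECTED = [ipaddress.IPv4Network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "198.51.100.0/24")]

def parse_feed(text):
    """Return (deduplicated and merged networks, rejected lines)."""
    accepted, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not entry:
            continue
        try:
            net = ipaddress.IPv4Network(entry)  # strict: host bits must be 0
        except ValueError:
            rejected.append((lineno, entry, "not an IPv4 address or CIDR"))
            continue
        hit = next((p for p in PROTECTED if net.overlaps(p)), None)
        if hit is not None:
            rejected.append((lineno, entry, f"overlaps protected {hit}"))
            continue
        accepted.append(net)
    return list(ipaddress.collapse_addresses(accepted)), rejected

def to_csv(nets, prefix="blk"):
    """One row per network; the column layout is an assumption."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["name", "subnet", "mask-length"])
    for n in nets:
        writer.writerow([f"{prefix}_{n.network_address}_{n.prefixlen}",
                         n.network_address, n.prefixlen])
    return buf.getvalue()

# Constructed sample feed (documentation ranges only).
SAMPLE = "\n".join([
    "192.0.2.10", "192.0.2.11", "192.0.2.10  # duplicate", "203.0.113.0/25",
    "203.0.113.128/25", "10.1.2.3", "198.51.100.0/22", "192.0.2.300"])

if __name__ == "__main__":
    nets, rejected = parse_feed(SAMPLE)
    print(to_csv(nets), end="")
    for lineno, entry, why in rejected:
        print(f"skipped line {lineno}: {entry} ({why})")
```

Review the rejected lines before every import: a feed entry that overlaps an internal or owned range usually means the feed is wrong or has been tampered with.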
Hi the_rock!
Can you please let me know how to block multiple IPs on locally managed R81.10?
Thanks & Regards,
Shanil
Hey @shanil420 ,
I'm not overly familiar with SMB appliances, so I don't know if the same method would work or not, but I'm sure there is a way to import a list that can be blocked. Let me spin up a demo and I will check for you.
Andy
Thank you so much for your quick reply. Much appreciate the support 👍
I'm still checking if there is a good way to do this on locally managed SMB.
Andy
Please look at IOC Feeds feature:
sk132193 What is the "Custom Intelligence Feeds" feature?
https://support.checkpoint.com/results/sk/sk132193
Also refer to:
https://community.checkpoint.com/t5/Threat-Prevention/CheckMates-Tips-and-Tricks-IOCs-TAXII-feeds-an...
I was thinking more of adding a generic data center object that can be used with a .json file to block the known bad IPs, but I don't believe that's possible on locally managed SMB?
Andy
Thank you so much Tal, appreciate your support.
Since I'm a newbie, is there any way I can apply this using the GUI?
Sure! In SmartConsole go to Security Policies > Threat Prevention > select any Threat Prevention Policy > at the bottom go to Custom Policy Tools > Indicators
That would work if it was centrally managed, but it's NOT... it's locally managed.
Andy
Yes, this is locally managed. Is there a way to limit Web console & SSH access by geolocation?
Awesome! Guess this will help. Thank you so much!
Since this is locally managed, how can I add SmartConsole? Will it interfere with the LAN network?
Will changing this affect my LAN network? In your view, what is the best method to manage Check Point? Can you share a guide with me, please?