Sh3r
Participant

Blacklisting large no. of IPs

I have an R80.40 cluster where I need to blacklist 17000 IPs. These are all rogue IPs shared by our security advisories.

Currently I do blacklisting via a manual object in the ACL which I update regularly, but updating 17000 IPs does not seem plausible. I am not sure whether it's possible to block such a number of IPs in Check Point at once. What is the best way to implement this? I am aware of fwaccel dos blacklist, but is there a limit on the number of IPs there? Moreover, I don't think I can see logs in SmartConsole for the fwaccel blacklist.

 

Please advise.

0 Kudos
15 Replies
genisis__
Leader

I would suggest an IOC feed from a trusted source; alternatively you can create a .csv file with the IPs and then add these using the mgmt_cli command.

I would suggest you break down the file into smaller chunks though, perhaps try 1000 first, but I would probably not go higher than 3000 in one go.

When I did my import I first created a group and then uploaded the hosts which were then added to this group.

Sh3r
Participant

I have used the CSV method but I am not sure how many IP addresses an object can accommodate. Is there a limit to it? Suppose I have created a blacklist object and I add IPs to it via CSV file and mgmt_cli, but how far can I go with updating that object?

0 Kudos
the_rock
Legend

This is what TAC sent me a couple of years back and honestly, I find it the best method, or you could use a script via the API command line from the dashboard to place multiple entries.

 

---> To add an address-range via API:
mgmt_cli add address-range --batch address-ranges_full.csv

#cat address-ranges_full.csv
name,ip-address-first,ip-address-last
range1,10.0.0.0,10.0.0.100

---> To add a network via API:
mgmt_cli add network --batch networks.csv

#cat networks.csv
name,subnet,subnet-mask
network1,10.10.10.0,255.255.255.0
network2,20.20.20.0,255.255.255.0
network3,30.30.30.0,255.255.255.0

---> To add a host via API:
mgmt_cli add host --batch test.csv

#cat test.csv
name,ip-address
obj1,192.168.1.1

 

If you do it via the dashboard API CLI, you would do something like this (can accommodate multiple entries):

add host name "BAD_185.206.24.70" ip-address "185.206.24.70"

genisis__
Leader

Pretty much how I do it; the only thing I would add is doing a dos2unix on the .csv file.

name,ip-address,color,comments,groups
EXT_a.b.c.d_BLOCKIP,1.1.1.1,red,Blocked IP,BLOCKED_IPs
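The two posts above describe the pieces of a batch import (a CSV per object type, a dos2unix pass, a group to collect the hosts, chunks of at most a few thousand rows) but not how to get from a 17000-line IOC list to those CSVs. The script below is an added example written for this thread; it is not code from either poster or from Check Point. It strips CRLF (the dos2unix step), drops comments and duplicates, rejects anything that is not a well-formed IPv4 address, writes mgmt_cli batch CSVs in the column layout shown above, and then imports them one chunk at a time, publishing after each chunk. The group name BLOCKED_IPs, the hosts_N.csv file names, the chunk size and running on the management server with `-r true` plus a session file are assumptions; set MGMT_CLI=echo to see the commands without running them.

```shell
#!/bin/sh
# Added example for the thread, not the posters' own code.
# Assumptions: group BLOCKED_IPs already exists; script runs on the management
# server where "mgmt_cli login -r true" is permitted; paths are illustrative.

# build_host_csvs LIST OUTDIR CHUNK GROUP
# Normalise the raw list (CRLF removed, "#" comments and blank lines dropped,
# duplicates removed, malformed addresses rejected) and write OUTDIR/hosts_N.csv
# files of at most CHUNK data rows each, in "add host --batch" column layout.
build_host_csvs() {
    list="$1"; out="$2"; chunk="$3"; group="$4"
    mkdir -p "$out"
    octet='(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])'   # 0-255, no leading zeros
    n=0; f=0; file=""
    tr -d '\r' < "$list" \
      | sed 's/#.*//; s/[[:space:]]//g' \
      | grep -E "^$octet(\.$octet){3}\$" \
      | sort -u \
      | while read -r ip; do
            if [ $((n % chunk)) -eq 0 ]; then
                f=$((f + 1)); file="$out/hosts_$f.csv"
                printf 'name,ip-address,color,comments,groups\n' > "$file"
            fi
            printf 'BAD_%s,%s,red,Blocked IP,%s\n' "$ip" "$ip" "$group" >> "$file"
            n=$((n + 1))
        done
}

# count_rows CSV: number of data rows in one chunk (header excluded)
count_rows() {
    echo $(( $(wc -l < "$1" | tr -d ' ') - 1 ))
}

# import_chunks OUTDIR: one login session, one "add host --batch" per chunk,
# publish after every chunk so a failing chunk does not discard the earlier ones.
# MGMT_CLI=echo turns this into a dry run that only prints the commands.
import_chunks() {
    dir="$1"; cli="${MGMT_CLI:-mgmt_cli}"
    sid="$dir/session.txt"
    $cli login -r true > "$sid" || return 1
    for f in "$dir"/hosts_*.csv; do
        [ -f "$f" ] || continue
        $cli add host --batch "$f" -s "$sid" || { $cli logout -s "$sid"; return 1; }
        $cli publish -s "$sid"               || { $cli logout -s "$sid"; return 1; }
    done
    $cli logout -s "$sid"
}

# Stand-alone usage (dry run unless MGMT_CLI is set):
#   sh blocklist.sh ioc_list.txt /tmp/chunks 1000
if [ "$#" -ge 2 ]; then
    build_host_csvs "$1" "$2" "${3:-1000}" BLOCKED_IPs
    MGMT_CLI="${MGMT_CLI:-echo}"
    import_chunks "$2"
fi
```

Publishing per chunk also keeps each publish small, which matters when a chunk fails validation on the management server: you only lose that chunk, and the CSV name tells you which one to inspect.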

Sh3r
Participant

Is there a limit on the object I continuously update here? Suppose I am creating a blacklist object at the top of the ACL and updating it continuously, so is there any upper limit on the amount of IP addresses that can be accommodated in an object?

0 Kudos
genisis__
Leader

I'm not 100% sure but I think it's something like 4000.

0 Kudos
Sh3r
Participant

Ohh, I have to add 17k IPs 😞

0 Kudos
the_rock
Legend

Not that I'm aware of, but you may want to confirm with TAC. I never found any official documentation about it, sort of like whether there is a number of rules that the mgmt dashboard can support... it's all theoretical really.

0 Kudos
SSlater
Employee

I recommend sk103154, and setting up a list on your own server, that you can update in your own convenient manner.

How to block traffic coming from known malicious IP addresses

Once we have a feed, we can look to this as the blacklist.

In our SR/Example, we see https://secureupdates.checkpoint.com/IP-list/TOR.txt but you can use a custom Address of your choosing.

0 Kudos
SSlater
Employee

***In versions R81 and higher we recommend using Custom Intelligence Feeds instead of the IP Block.

Sh3r
Participant

Thanks for the article, but is this only for incoming connections? Also, I have to apply blacklisting in a VSX environment as well, but as I see here it's not supported for VSX.

0 Kudos
genisis__
Leader

I've used the mgmt_cli command in a VSX environment and not had any issues.

0 Kudos
the_rock
Legend

@genisis__ is right...you can do it 100%. 

0 Kudos
Sorin_Gogean
Advisor

Hello everyone, 

We were looking for a similar process to block certain bad IPs (or lists of IPs) and we haven't decided yet whether we should go with IOC_feeds (that will be used by AntiBot for dropping traffic) or Generic DataCenter Objects that we use on firewall rules.

So can you point us to what would be better fitted for this purpose: block traffic to/from IPs (we don't address URLs through those).

 

Thank you,

0 Kudos