- CheckMates
- :
- Products
- :
- Quantum
- :
- Security Gateways
- :
- Re: Blacklisting rogue IPs
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Are you a member of CheckMates?
×- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Blacklisting rogue IPs
We are establishing SOC monitoring in our setup, and recently we noticed around 800 IPs hitting the stealth and default deny rules. I intend to blacklist these IPs by creating incoming and outgoing deny ACLs at the top for them. My question is: is this the right approach to blacklist rogue IPs, and is there any script or way to configure blacklisting for 800 IPs at once?
Accepted Solutions
To add a large list of IPs to block, use the fwaccel dos deny feature.
Just create a file in the directory below and follow the instructions.
Deny List location:
$FWDIR/conf/deny_lists/
What it looks like:
45.83.66.159
45.83.66.160
45.83.66.166
45.83.66.167
45.83.66.192
To load it:
fwaccel dos deny -L
To flush it:
fwaccel dos deny -F
To check contents:
fwaccel dos deny -s
To see statistics:
fwaccel dos stats get
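As an added example (my script, not code from this thread or from Check Point), here is a small POSIX shell helper that turns a SOC-supplied address list into a deny-list file of the one-address-per-line form shown above, rejecting malformed entries and duplicates before anything is loaded. It assumes the input has one IPv4 address per line, that blank lines and `#` comments are allowed, and that anything after a comma (a CSV note column) should be ignored; `DENY_DIR` is a hypothetical override so the script can be exercised off-gateway, defaulting to the directory named above. The only gateway command it runs is the `fwaccel dos deny -L` from the answer, and only when `fwaccel` actually exists.

```shell
#!/bin/sh
# Added example, not code from the thread or from Check Point: build a deny-list
# file for "fwaccel dos deny" from a SOC-supplied address list.
# Assumptions (mine): one IPv4 address per line, '#' comments and blank lines
# allowed, anything after a comma (a CSV note column) is ignored. DENY_DIR is a
# hypothetical override so the script can be exercised off-gateway; on a gateway
# it defaults to the directory named in the accepted answer.

DENY_DIR="${DENY_DIR:-$FWDIR/conf/deny_lists}"

# is_ipv4 ADDR: succeed only for four dotted decimal octets, each 0..255
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF == 4 { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1; exit 0 }
        { exit 1 }'
}

# build_deny_list IN OUT: normalise, validate and de-duplicate IN into OUT.
# Rejected entries go to stderr; the count of accepted addresses goes to stdout.
build_deny_list() {
    in="$1"; out="$2"; rejected=0
    : > "$out.tmp"
    while IFS= read -r line || [ -n "$line" ]; do
        addr=$(printf '%s' "$line" | tr -d '\r' |
               sed 's/#.*//; s/,.*//; s/^[[:space:]]*//; s/[[:space:]]*$//')
        [ -z "$addr" ] && continue
        if is_ipv4 "$addr"; then
            printf '%s\n' "$addr" >> "$out.tmp"
        else
            echo "skipping invalid entry: $line" >&2
            rejected=$((rejected + 1))
        fi
    done < "$in"
    sort -u "$out.tmp" > "$out"
    rm -f "$out.tmp"
    echo "rejected $rejected entries" >&2
    wc -l < "$out" | tr -d ' '
}

# load_deny_list FILE: copy into the deny-list directory and ask SecureXL to
# load it (the command is the one from the accepted answer). Outside a gateway
# there is no fwaccel, so only report what would have happened.
load_deny_list() {
    if command -v fwaccel >/dev/null 2>&1 && [ -d "$DENY_DIR" ]; then
        cp "$1" "$DENY_DIR/" && fwaccel dos deny -L
    else
        echo "fwaccel not available here; would copy $1 to $DENY_DIR and run: fwaccel dos deny -L" >&2
        return 0
    fi
}

# Demo on a constructed input (two valid addresses, one duplicate, one comment,
# one out-of-range octet, one junk line).
work=$(mktemp -d)
printf '45.83.66.159\n45.83.66.160, SOC ticket 123\n# from stealth-rule hits\n999.1.1.1\n45.83.66.159\nnot-an-ip\n' > "$work/soc.csv"
count=$(build_deny_list "$work/soc.csv" "$work/soc_denylist")
echo "$count addresses written to $work/soc_denylist:"
cat "$work/soc_denylist"
load_deny_list "$work/soc_denylist"
```

Validating before loading matters here because the deny list is enforced in SecureXL without the policy-verification step a rulebase push would get; a stray line from a spreadsheet export is easier to catch in the script's stderr than in a gateway that silently ignores or misreads it. Keep the rejected entries for the SOC to review rather than dropping them quietly.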
I recommend the following thread (read until the end):
HowTo: Block IoT scanners like Shodan, Censys, Shadowserver, PAN Expanse etc.
This is very helpful, something I can definitely include in my setup. However, right now I am looking to block a list of IP addresses shared by the SOC, but I am not sure what the most efficient way to do so is.
Use a Generic Data Center Object:
As @LostBoY mentioned SOC monitoring, he is most likely interested in IoC Management, as mentioned in my link above.
This looks like what I am looking for, but unfortunately I am on R80.40. Is there any way I can enforce this on R80.40?
Check "Manually Uploading Threat Indicator Files through SmartConsole" in the R80.40 Threat Prevention Administration Guide.
The CSV syntax is really easy.
Thanks for this. One query here: when an IP in this list is blocked, what does the log look like? I mean, when it is being denied by the stealth rule, the log payload shows the name of the rule etc.
It shows like a normal drop, with the text below.
Unfortunately none of the fields that distinguish the feature seem indexed/searchable.
Id Generated By Indexer:false
First: true
Sequencenum: 127
Source: 45.83.65.9
Destination:
IP Protocol: 1
Securexl Message: The packet's source IP is in the deny list (SecureXL device 0)
Feature Name: DOS/Rate Limiting Deny List
Comment: Deny list
Action: Drop
Type: Log
Policy Name: Standard
Policy Management:
Policy Date: 2022-02-08T15:50:19Z
Blade: Firewall
Origin: checkpoint
Service: ICMP
Product Family: Access
Interface:
Description: ICMP Traffic Dropped from 45.83.65.9 to
Hello, where exactly are these logs recorded? Can I see this in the SmartConsole menu?
Yes, if there are connections to any of your blacklisted IPs it will appear in SmartConsole > Logs & Monitor > Logs.
It will appear like a drop. See my post above.
I haven't figured out how to make a search related to the feature though; I think it's not possible.
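Since the distinguishing fields are not searchable in the log view, one workaround is to export the log records as text and filter them offline. The following added example (my script, not from the thread or from Check Point) does that over the "Key: value" layout shown in the earlier post; it assumes the export keeps one record per paragraph with a blank line between records, and matches on the `Feature Name` value visible in that record.

```shell
#!/bin/sh
# Added example, not from the thread or Check Point: pick deny-list drops out of
# an exported log text. Assumption (mine): the export is the "Key: value" layout
# shown in the post above, one record per paragraph separated by a blank line.
# The Feature Name value is the one visible in the posted record.

# deny_list_drops FILE: print "source service" for every record whose
# Feature Name is the DoS/rate-limiting deny list.
deny_list_drops() {
    awk 'BEGIN { RS = ""; FS = "\n" }
    {
        feature = ""; src = ""; svc = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^Feature Name:/)  { feature = $i; sub(/^[^:]*:[ \t]*/, "", feature) }
            else if ($i ~ /^Source:/)   { src = $i;     sub(/^[^:]*:[ \t]*/, "", src) }
            else if ($i ~ /^Service:/)  { svc = $i;     sub(/^[^:]*:[ \t]*/, "", svc) }
        }
        if (feature == "DOS/Rate Limiting Deny List") print src, svc
    }' "$1"
}

# deny_list_hit_count FILE: how many deny-list drops the export contains.
deny_list_hit_count() {
    deny_list_drops "$1" | wc -l | tr -d ' '
}

# Demo: the record from the post above plus a constructed ordinary rule drop
# (the second record, including its rule name, is made up for the demo).
sample=$(mktemp)
cat > "$sample" <<'EOF'
Source: 45.83.65.9
Destination:
IP Protocol: 1
Securexl Message: The packet's source IP is in the deny list (SecureXL device 0)
Feature Name: DOS/Rate Limiting Deny List
Comment: Deny list
Action: Drop
Service: ICMP

Source: 10.0.0.5
Destination: 10.0.0.9
Action: Drop
Service: http
Rule Name: Cleanup rule
EOF
echo "deny-list drops in export:"
deny_list_drops "$sample"
echo "count: $(deny_list_hit_count "$sample")"
```

Counting hits this way also gives a cheap sanity check after loading a new list: a list that never produces a single deny-list drop for addresses the SOC saw hitting the stealth rule is a sign the file was not loaded where the traffic actually arrives.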
OK, I created a blacklist using the syntax above and added one IP there. I then tried to ping that IP from a host behind my firewall, but in the logs it is getting dropped via the default deny rule. Shouldn't it be blocked via the blacklist feature?
Do I have to apply this on the individual GWs and not on the management server? And in a VSX environment, will this be applied in each VS?
Also, this blacklist blocks both incoming and outgoing requests from the mentioned IP, right?
- Apply on Gateway
- Each VS
- Incoming is fully blocked
- Outgoing is not fully blocked
- Replies to the outgoing connection will be dropped
What does "replies to the outgoing connection" mean? If someone initiated a connection from inside towards a blacklisted IP, wouldn't it get blocked?
I stand corrected, it does block either way according to the sk:
IP Deny List
Hi Juan,
Is there a way I can block malicious IP addresses from the internet on a locally managed R81.10 (Check Point 1550)?
Here are some sample log events.
2023 Aug 29 20:21:10 MHT-Gateway-ID-auth.info sshd: Received disconnect from 180.101.88.234 port 23639:11: [preauth]
2023 Aug 29 20:21:10 MHT-Gateway-ID-auth.info sshd: Disconnected from 180.101.88.234 port 23639 [preauth]
2023 Aug 29 20:22:27 MHT-Gateway-ID-authpriv.alert sshd: pam_tally2(sshd:auth): Tally overflowed for user root
2023 Aug 29 20:22:27 MHT-Gateway-ID-authpriv.notice sshd: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=180.101.88.234 user=root
2023 Aug 29 20:22:29 MHT-Gateway-ID-auth.info sshd: Failed password for root from 180.101.88.234 port 34416 ssh2
2023 Aug 29 20:22:29 MHT-Gateway-ID-authpriv.alert sshd: pam_tally2(sshd:auth): Tally overflowed for user root
2023 Aug 29 20:22:29 MHT-Gateway-ID-authpriv.notice sshd: pam_tally2(sshd:auth): user root (0) tally 65534, deny 10
2023 Aug 29 20:22:29 MHT-Gateway-ID-auth.warning sshd: [WebUI] administrator user 'root' is locked, try login after 30 seconds
2023 Aug 29 20:22:31 MHT-Gateway-ID-auth.info sshd: Failed password for root from 180.101.88.234 port 34416 ssh2
2023 Aug 29 20:22:33 MHT-Gateway-ID- authpriv.alert sshd: pam_tally2(sshd:auth): Tally overflowed for user root
2023 Aug 29 20:22:33 MHT-Gateway-ID-authpriv.notice sshd: pam_tally2(sshd:auth): user root (0) tally 65534, deny 10
2023 Aug 29 20:22:33 MHT-Gateway-ID-auth.warning sshd: [WebUI] administrator user 'root' is locked, try login after 30 seconds
2023 Aug 29 20:22:35 MHT-Gateway-ID-auth.info sshd: Failed password for root from 180.101.88.234 port 34416 ssh2
2023 Aug 29 20:22:37 MHT-Gateway-ID-auth.info sshd: Received disconnect from 180.101.88.234 port 34416:11: [preauth]
2023 Aug 29 20:22:37 MHT-Gateway-ID-auth.info sshd: Disconnected from authenticating user root 180.101.88.234 port 34416 [preauth]
2023 Aug 29 20:22:37 MHT-Gateway-ID-authpriv.notice sshd: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=180.101.88.234 user=root
2023 Aug 29 20:22:39 MHT-Gateway-ID-auth.info sshd: Invalid user admin1 from 157.245.248.106 port 49494
2023 Aug 29 20:22:39 MHT-Gateway-ID-authpriv.err sshd: pam_tally2(sshd:auth): pam_get_uid; no such user
2023 Aug 29 20:22:39 MHT-Gateway-ID-authpriv.warning sshd: pam_unix(sshd:auth): check pass; user unknown
2023 Aug 29 20:22:39 MHT-Gateway-ID-authpriv.notice sshd: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=157.245.248.106
2023 Aug 29 20:22:40 MHT-Gateway-ID-auth.info sshd: Failed password for invalid user admin1 from 157.245.248.106 port 49494 ssh2
2023 Aug 29 20:22:41 MHT-Gateway auth.info sshd: Received disconnect from 157.245.248.106 port 49494:11: Bye Bye [preauth]
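Before any of those addresses go into a block list, it helps to summarise the sshd lines by source so the SOC reviews repeat offenders rather than every transient probe. The following added example (my script, not from the thread or from Check Point) does that over the syslog lines quoted above; it assumes the `Failed password for [invalid user] NAME from IP port N ssh2` and `Invalid user NAME from IP port N` forms shown in the post, and says nothing about which block mechanism applies to the 1550, which the thread leaves open.

```shell
#!/bin/sh
# Added example, not from the thread or Check Point: summarise sshd failures per
# source from the syslog lines above so repeat offenders can be reviewed before
# they go into whatever block mechanism applies (a deny-list file, a rule).
# Assumption (mine): lines follow the "Failed password for [invalid user] NAME
# from IP port N ssh2" and "Invalid user NAME from IP port N" forms in the post.

# failed_login_sources FILE MIN: print "count ip", most active first, for every
# source with at least MIN failed-password events.
failed_login_sources() {
    awk -v min="$2" '
        /sshd: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= min) print n[ip], ip }' "$1" | sort -rn
}

# invalid_user_sources FILE: sources that probed for accounts that do not exist.
invalid_user_sources() {
    awk '/sshd: Invalid user/ { for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1) }' "$1" | sort -u
}

# Demo on the lines quoted in the post (trimmed to the relevant ones).
sample=$(mktemp)
cat > "$sample" <<'EOF'
2023 Aug 29 20:22:29 MHT-Gateway-ID-auth.info sshd: Failed password for root from 180.101.88.234 port 34416 ssh2
2023 Aug 29 20:22:31 MHT-Gateway-ID-auth.info sshd: Failed password for root from 180.101.88.234 port 34416 ssh2
2023 Aug 29 20:22:35 MHT-Gateway-ID-auth.info sshd: Failed password for root from 180.101.88.234 port 34416 ssh2
2023 Aug 29 20:22:39 MHT-Gateway-ID-auth.info sshd: Invalid user admin1 from 157.245.248.106 port 49494
2023 Aug 29 20:22:40 MHT-Gateway-ID-auth.info sshd: Failed password for invalid user admin1 from 157.245.248.106 port 49494 ssh2
EOF
echo "sources with 2+ failed passwords:"
failed_login_sources "$sample" 2
echo "sources probing unknown accounts:"
invalid_user_sources "$sample"
```

The quoted log also shows pam_tally2 locking the root account after the burst, so the gateway's own lockout is already doing part of the work; the per-source counts mainly help decide which addresses are worth adding to a list and give a number to compare against later exports to confirm the block took effect.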
