UPDATE 04/08/2020: Please visit this page to download the latest version of the script: https://www.francescoficarola.com/check-point-automated-ip-blacklist/
Hello everyone,
my configuration is the following:
- A cluster of three security gateways (R80.20)
- Three Virtual Systems (configured on the three security gateways as follows: active/standby/backup)
I already activated the IOC Feed functionality on one of my VSs to block outgoing traffic through the Anti-Bot & Anti-Virus blades (sk132193), but I'd like to block incoming malicious traffic as well. I read the sk103154 documentation, which says the script must be run on the management server.
I followed all steps, but when I run the script, it returns the following error:
[Expert@xntfw-pmgt1:0]# ./ip_block_activate.sh -a on -g gw_list -f feed_urls -s /home/admin/blacklist/ip_block.sh
Error: could not retrieve FWDIR from 10.100.97.101
Error: could not retrieve FWDIR from 10.100.97.101
(10.100.97.101 is the VS' IP)
Indeed, if I run the command responsible for that error in the script, I don't receive any output:
[Expert@xntfw-pmgt1:0]# cprid_util -server 10.100.97.101 getenv -attr "FWDIR"
[Expert@xntfw-pmgt1:0]#
but, if I run the same command with the management IP of the Security Gateway, then it gives me the following output:
[Expert@xntfw-pmgt1:0]# cprid_util -server 192.168.77.192 getenv -attr "FWDIR"
/opt/CPsuite-R80.20/fw1
So... is this functionality available for VSX environments?
Thanks,
Francesco
One more suggestion. You can create a dynamic object and then fill it with output of https://secureupdates.checkpoint.com/IP-list/TOR.txt feed via GW side script. Then, use that object in a drop rule on top of the policy. Also, that should be done on VS context.
You can take bits and pieces from Office365 script here: https://community.checkpoint.com/t5/API-CLI-Discussion-and-Samples/Basic-script-for-importing-IP-Add...
I still think leveraging MGMT API is easier. Set an empty group, repopulate it with TOR from time to time, publish, push policy.
I can see you are running this in VS0 context. That is the first mistake. Also, use the absolute path for the VS FWDIR folder.
I'm running in VS0 because that is the management server.
Got it, you are correct.
MDS or SMS? If former, you have to specify mdsenv first.
Also, the SK does not mention VSX among supported targets. I have reached out to the case owner for some clarification.
SMS.
Ok, thanks. I'll wait for any news.
Hello,
have you received any news?
Thank you very much,
Francesco
Not just yet, still waiting for the reply. Thanks for your patience.
After reviewing the script, it is based on the physical GW context. Per VS modification is possible, but I do not find it too practical.
Please consider using regular SAM rules instead https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
@_Val_: thank you. Yes, I could use SAM rules, but things are a bit different in that case. I mean, it is supposed to work on monitoring, not on feeds.
Could you please share the VS modification for sk103154?
Thanks again for your support!
Francesco
The script relies on SAM rules, that is the first fact. It creates SAM rules from the feed every 20 minutes and deletes the old ones. Everything is done assuming it is a physical FW, not VSX, running on Gaia. VSX mode is not verified, so it tries to run and fails for you.
You need a completely different method for VSX. The tool should be completely re-written.
So coming to your original question, this tool is not supported for VSX. If you need something automated, take the feed and set up block rules through MGMT API, or, as already suggested, use SAM rules.
Thank you @_Val_ . I will try with MGMT API.
The SK now says: Not supported on VSX Gateway and on Scalable Platforms.
As it should. Just FYI
Hi @_Val_,
I'm just trying to "adapt" the script you linked to my use-case. I've made some changes and everything works well, but I have some problems with blacklists containing a high number of IPs because the API session expires.
For instance, the issue occurs if I try to import the FireHOL Level 3 list (containing more than 17K IPs). Please see the script attached.
I've also added a session-timeout of 1 hour to the login call (line 62):
mgmt_cli login user $v_cpuser password $v_cpuserpw session-timeout 3600 --format json > id.txt
In doing so, the script could import more IPs, but not enough to complete the whole list. Indeed, after around 3K-4K IPs, the session always expires:
code: "generic_err_wrong_session_id"
message: "Wrong session id [oLZge4cBkVQqZSYdLHX0awi3p9PsXnW-VmINXBjMcoc]. Session may be expired. Please check session id and resend the request."
In order to avoid the expiration, I've also added a keepalive before each addition of network object (line 116):
... { print "mgmt_cli keepalive -s id.txt > /dev/null 2>&1; ...
Unfortunately, nothing changed.
Furthermore, in order to save changes "step-by-step", I've added a publish action every 500 additions of network objects (lines 118-119):
awk '{print;} NR % 500 == 0 { print "mgmt_cli publish -s id.txt"; }' $v_diff_add_sh > $v_diff_add_sh_awk
mv $v_diff_add_sh_awk $v_diff_add_sh
Do you have any suggestions to keep "alive" the session? I can't understand why it expires if there's the keepalive before every network object addition.
Thanks,
Francesco
Look here: https://community.checkpoint.com/t5/API-CLI-Discussion-and-Samples/Web-API-timeout/td-p/52741
In short, it is not an API timeout, it is the Apache POST timeout (see the answer in the thread). I would recommend breaking down the list into smaller portions and posting them separately within the same script.
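One way to do what Val suggests, as an added example that is neither the attached script nor anything else from this thread: split the feed into small CSV batches, load each with its own mgmt_cli call, and publish after every batch so that a timed-out POST or an expired session costs at most one batch. The group name BLACKLIST_GROUP, the object naming scheme "blk_<ip>", the use of mgmt_cli's "--batch <csv>" mode and the root login "-r true" are assumptions of this example, not facts from the thread. The functions only write files and print the mgmt_cli script; they do not contact a management server, so they can be dry-run anywhere.

```shell
#!/bin/sh
# Added example, not code from this thread or from the sk103154 script.
# Turns a one-address-per-line IPv4 feed into small mgmt_cli batches, each
# followed by its own publish, so no single POST carries the whole list and an
# expired session loses at most one batch. Assumed (not taken from the thread):
#  - the target group already exists on the management server,
#  - mgmt_cli's "--batch <csv>" mode (first row = parameter names) is available,
#  - object names "blk_<ip>" are free to use,
#  - the generated script runs in expert mode on the SMS (login with -r true).

# make_host_batches FEED SIZE OUTDIR
# Writes OUTDIR/batch_N.csv (header "name,ip-address") with at most SIZE
# addresses each, skipping blank lines and '#' comments. Prints N, the number
# of batch files written.
make_host_batches() {
    feed=$1; size=$2; outdir=$3
    mkdir -p "$outdir"
    n=0; i=0
    while IFS= read -r ip || [ -n "$ip" ]; do
        ip=${ip%%#*}                                  # drop trailing comment
        ip=$(printf '%s' "$ip" | tr -d ' \t\r')       # and stray whitespace
        [ -z "$ip" ] && continue
        if [ "$i" -eq 0 ]; then                       # start a new batch file
            n=$((n + 1))
            printf 'name,ip-address\n' > "$outdir/batch_$n.csv"
        fi
        printf 'blk_%s,%s\n' "$ip" "$ip" >> "$outdir/batch_$n.csv"
        i=$(( (i + 1) % size ))
    done < "$feed"
    echo "$n"
}

# emit_import_script OUTDIR GROUP N
# Prints the mgmt_cli session to run: for each batch, one "add host --batch",
# one "set group ... members.add.K" built from that CSV, and a publish. Policy
# installation (mgmt_cli install-policy) is left to the caller once all
# batches are published.
emit_import_script() {
    outdir=$1; group=$2; nbatches=$3
    echo 'mgmt_cli login -r true session-timeout 3600 --format json > id.txt || exit 1'
    b=1
    while [ "$b" -le "$nbatches" ]; do
        csv="$outdir/batch_$b.csv"
        echo "mgmt_cli add host --batch '$csv' -s id.txt || exit 1"
        # members.add.K "blk_<ip>" for every row after the CSV header
        args=$(tail -n +2 "$csv" | awk -F, '{ printf "members.add.%d \"%s\" ", NR, $1 }')
        echo "mgmt_cli set group name '$group' $args -s id.txt || exit 1"
        echo 'mgmt_cli publish -s id.txt || exit 1'   # commit this batch
        b=$((b + 1))
    done
    echo 'mgmt_cli logout -s id.txt'
}
```

Typical use: n=$(make_host_batches feed.txt 500 ./batches); emit_import_script ./batches BLACKLIST_GROUP "$n" > import.sh; review import.sh and run it on the SMS, then install policy. Note that this still creates one real host object per address in the management database, which is the cost Francesco cites later in the thread when he moves to gateway-side dynamic objects instead.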
@_Val_ Thank you for the information. Anyway, I changed my approach because mgmt_cli requires too much time to complete a blacklist of more than 20K objects. Furthermore, it adds real objects to the database, and that should be avoided. So, I followed your suggestion and studied dynamic objects; then I wrote another script (based on the opendbl.net script).
I love sharing information, so I've attached all the code.
USAGE
That's all... have fun!
Hello Francesco, I'd like to download the scripts, but the links are not working.
How do I download them from Checkmates?
Thanks in advance
Gerard
Hey @Gerard_van_Lee1
I will publish the scripts on my web site asap so they can be downloaded. I'll let you know.
@Gerard_van_Lee1 Sorry for the tremendous delay, but I was very busy in the past weeks. I eventually published the script and wrote the instructions on my website, please visit: https://www.francescoficarola.com/check-point-automated-ip-blacklist/
Hope this can help!
Very nice info collated on your website [Check Point] Automated IP Blacklist v2 - Francesco Ficarola
I have one question: I need blacklisting to be done bidirectionally. Do I need to enable fwaccel dos config for internal as well, for bidirectional blocking?
Hello,
First of all, thanks for sharing, it's nice!!
I am writing this message because today we had a big production impact with one of the lists provided by FireHOL.
Yesterday, we set up this script for the first time and everything was fine. We had only set the https://raw.githubusercontent.com/ktsaou/blocklist-ipsets/master/firehol_level3.netset list in the source.
This morning, I read on the FireHOL website that Level 1 is recommended, so I just changed level3 to level1 in the script. A few seconds later, we lost communication with the cluster and it was completely cut off.
After investigation, the main difference between Levels 1 and 3 is the presence of 0.0.0.0/8 in Level 1.
I don't understand why it blocks anything, because it's supposed to be for broadcast messages only.
After unloadlocal + disabling the rule in management and pushing policy again, the cluster is now alive and running fine, but my SI Management is not fine with this incident.
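Both the gateway-side dynamic-object approach Francesco describes above and the FireHOL Level 1 incident argue for the same control: sanitize the feed before anything from it reaches the gateway. Whatever the exact mechanism by which 0.0.0.0/8 cut the cluster off, an entry that broad, or one overlapping private, reserved or your own address space, should never be loaded into a drop rule. The following is an added example, not the script from francescoficarola.com nor any other code from this thread. It assumes the dynamic object was created beforehand with "dynamic_objects -n <name>" and that "dynamic_objects -o <name> -r <first> <last> -a" adds a range to it (verify the syntax on your release); the LOCAL_NETS value 198.51.100.0/24 and the sample feed are constructed for the example.

```shell
#!/bin/sh
# Added example, not the thread's or the linked script's code. Sanitizes a
# FireHOL-style .netset feed (one IPv4 address or CIDR per line, '#' comments)
# and prints the dynamic_objects commands that would load the survivors into a
# gateway-side dynamic object. Assumed, not taken from the thread: the
# "dynamic_objects -o NAME -r FIRST LAST -a" syntax, and the LOCAL_NETS value.

ip2int() {             # dotted quad -> 32-bit integer
    oIFS=$IFS; IFS=.; set -- $1; IFS=$oIFS
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int2ip() {             # 32-bit integer -> dotted quad
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

valid_ipv4() {         # exactly four numeric octets, each 0..255
    oIFS=$IFS; IFS=.; set -- $1; IFS=$oIFS
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# cidr_range A.B.C.D[/LEN] -> "first last" as integers (no /LEN means /32);
# returns 1 for anything malformed.
cidr_range() {
    addr=${1%%/*}; len=${1#*/}; [ "$len" = "$1" ] && len=32
    valid_ipv4 "$addr" || return 1
    case $len in ''|*[!0-9]*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    mask=$(( (4294967295 << (32 - len)) & 4294967295 ))
    first=$(( $(ip2int "$addr") & mask ))
    echo "$first $(( first | (4294967295 ^ mask) ))"
}

# Ranges a feed must never be allowed to block: "this network" 0.0.0.0/8 (the
# Level 1 entry from the post above), RFC1918, CGNAT, loopback, link-local,
# multicast/reserved, plus LOCAL_NETS = your own address space (constructed).
PROTECTED="0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.168.0.0/16 224.0.0.0/3"
LOCAL_NETS=${LOCAL_NETS:-"198.51.100.0/24"}
MIN_PREFIX=${MIN_PREFIX:-8}        # reject anything broader than /8

# sanitize_feed OBJECT < feed
# stdout: one "dynamic_objects -o OBJECT -r FIRST LAST -a" per accepted entry
# stderr: one "REJECT <entry> <reason>" per dropped entry
sanitize_feed() {
    obj=$1
    while IFS= read -r line || [ -n "$line" ]; do
        entry=${line%%#*}; entry=$(printf '%s' "$entry" | tr -d ' \t\r')
        [ -z "$entry" ] && continue
        if ! r=$(cidr_range "$entry"); then
            echo "REJECT $entry malformed" >&2; continue
        fi
        f=${r% *}; l=${r#* }
        len=${entry#*/}; [ "$len" = "$entry" ] && len=32
        if [ "$len" -lt "$MIN_PREFIX" ]; then
            echo "REJECT $entry broader than /$MIN_PREFIX" >&2; continue
        fi
        bad=""
        for p in $PROTECTED $LOCAL_NETS; do          # interval overlap test
            pr=$(cidr_range "$p"); pf=${pr% *}; pl=${pr#* }
            if [ "$f" -le "$pl" ] && [ "$pf" -le "$l" ]; then bad=$p; break; fi
        done
        if [ -n "$bad" ]; then
            echo "REJECT $entry overlaps $bad" >&2; continue
        fi
        echo "dynamic_objects -o $obj -r $(int2ip "$f") $(int2ip "$l") -a"
    done
}
```

Typical use on the gateway (in the VS context for VSX): curl the .netset to a file, run sanitize_feed blacklist_v1 < feed.netset > load.sh 2> rejected.log, inspect rejected.log, and only then execute load.sh. Keeping the reject log is deliberate: a feed that suddenly starts shipping /8s or entries inside your own ranges is exactly the change you want to see before the policy does.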