Rodrigo_Silva
Contributor

How to block traffic coming from known malicious IP addresses R81.10

Hi everyone.


After spending some time trying to configure (via SmartConsole R81.10) the blocking of IP addresses known as malicious, based on sk103154, I finally managed to make it work.

 

I was using the Check Point list (https://secureupdates.checkpoint.com/IP-list/TOR.txt) and whenever I looked at the logs I got the error "Feed format problem. Feed format not supported".

 

The problem is that we are not declaring a file in .csv format.

 

To solve this problem, just select "IP Address" in the type field, and enter "1" in the "Value" field of the custom feed settings.

 

[screenshot: cp_feeds.png]

 

Good luck to everyone.

27 Replies
the_rock
Champion

Well done sir, thank you for sharing this. Happy holidays!

Andy

Cyber_Serge
Collaborator

Yes, we were recently exploring the feature/function to block IPs using custom IOCs as sk132193 describes. Most of the time the issue we ran into with the feed is the format. Since different feeds come in different formats, each IOC feed needs to have its format defined correctly. (In your example, the type is IP address, and the Value is located in the 1st column.) In some feeds column 1 is the name and column 2 is the value (IP address).

 

Do you have any luck with Threat Intel feeds that require API key access?

Rodrigo_Silva
Contributor

That's exactly it.
I haven't tested it with API key yet.
I'm researching it and as soon as I get something I'll post it here.
If you can get something post it here too, please.

DDiaz
Participant

Hi Rodrigo

Do you get output from this command?

 

  • Printing existing feeds

[Expert@HostName:0]# ioc_feeds show

Regards

 

Rodrigo_Silva
Contributor

Hi @DDiaz 

I noticed that feeds added via SmartConsole only appear in SmartConsole, and the same is true for feeds added via the CLI.

[screenshots: 1.png, 2.png, 3.png]

I didn't find this limitation in the documentation.

In sk132193 you can find the list of CLI commands.

Regards

DDiaz
Participant

Exactly, that is my point. I would like to know how to check that the feeds are working properly if I use SmartConsole. I had a case with the TAC and they told me it is a must to run the CLI commands to make it work.

Rodrigo_Silva
Contributor

First check if the updates are ok.
You can check this by filtering the logs through the Anti-Bot and Anti-Virus blades.
blade:(Anti-Bot OR Anti-Virus).

[screenshot: 4.png]

If everything is fine, you will see the Prevents in the logs on those same blades.

[screenshot: 5.png]

In my environment, I only see outgoing traffic being prevented.

My expectation was that all traffic originating from IPs known to be malicious would be blocked.

DDiaz
Participant

I cannot find these logs in my environment, even if I curl the URLs, meaning they are being downloaded properly. I would appreciate it if CP edited the SK with more details. The steps on this are not clear. I had all these questions and TAC told us we must run the CLI commands. I can see that in your environment it works in another way.

Regards

the_rock
Champion

I agree with you. The SK could definitely be edited with more details.

Ruan_Kotze
Advisor

For what it's worth, you will also need to be on at least R81 to drop incoming traffic.

Mstay
Explorer

Rodrigo

 

Which JHF version are you using?

 

Thanks

Rodrigo_Silva
Contributor

R81.10

Cyber_Serge
Collaborator

@DDiaz , there is a troubleshooting section all the way at the bottom of sk132193. It includes many commands you can use to narrow down the issue.


First you have to make sure the feed is pulling correctly, then you have to make sure it is read/ingested/interpreted correctly by the Check Point Gateway.

In my experience, the first issue was the feed not pulling correctly since I put http instead of https; the 2nd issue was the format, which I corrected as @Rodrigo_Silva's screenshot shows us.

Note that another issue I ran into is: if you are not pulling a remote feed and are importing a CSV file locally from SmartConsole, the CSV file needs to follow the exact format sk132193 describes under the section "CSV (*.csv) format", which contains 7 fields: UNIQ-NAME,VALUE,TYPE,CONFIDENCE,SEVERITY,PRODUCT,COMMENT

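The two format problems discussed in this thread, the "type = IP Address, Value = 1" custom feed setting from the first post and the seven-field CSV layout quoted in the post above, as an added Python example (not Check Point code and not taken from sk132193): it reads the address from the configured column of each feed line, reports lines that have no valid address there, and rewrites the good ones into the seven-field CSV a local import expects. The sample list, the treatment of "#" lines as comments, the TYPE value "IP", the "high" confidence and severity, and the product "AV" are assumptions, not values from this thread.

```python
import csv
import io
import ipaddress

# Constructed sample feed (one address per line, like the TOR.txt list in the
# thread); it is not the real list. Treating "#" lines as comments is an assumption.
SAMPLE_FEED = """# constructed sample, not the real TOR.txt
198.51.100.7
203.0.113.42
not-an-ip
2001:db8::1
"""

# Seven-field layout from the "CSV (*.csv) format" section of sk132193 as quoted
# in the thread. The field values used below (IP, high, AV) are assumptions.
CSV_FIELDS = ["UNIQ-NAME", "VALUE", "TYPE", "CONFIDENCE", "SEVERITY", "PRODUCT", "COMMENT"]


def parse_ip_feed(text, value_column=1, delimiter=","):
    """Mimic the custom feed settings "type = IP Address, Value = <column>":
    read the address from the 1-based column of every non-comment line.
    Returns (valid_ips, bad_lines); a bad line is (line_number, raw_text)."""
    valid, bad = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        cols = line.split(delimiter)
        if len(cols) < value_column:          # feed has fewer columns than configured
            bad.append((lineno, raw))
            continue
        try:
            valid.append(str(ipaddress.ip_address(cols[value_column - 1].strip())))
        except ValueError:                    # not an IPv4/IPv6 address in that column
            bad.append((lineno, raw))
    return valid, bad


def to_sk132193_csv(ips, prefix="TOR", product="AV", comment="from TOR list"):
    """Rewrite plain addresses as the seven-field CSV a local import expects.
    No header row is written; UNIQ-NAME must be unique, so entries are numbered."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    for i, ip in enumerate(ips, 1):
        writer.writerow([f"{prefix}-{i}", ip, "IP", "high", "high", product, comment])
    return out.getvalue()


if __name__ == "__main__":
    ips, bad = parse_ip_feed(SAMPLE_FEED)
    for lineno, raw in bad:
        print(f"line {lineno}: no valid address in the configured column: {raw!r}")
    print(to_sk132193_csv(ips), end="")
```

For a feed whose first column is a name and second column the address (the case mentioned above), call `parse_ip_feed(text, value_column=2)`.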
Mstay
Explorer

Hi,

I am running R81.10 on the SMS.

[screenshots: 1.png, 2.png, 3.png]

URLs used for the feed (or https): http://secureupdates.checkpoint.com/IP-list/TOR.txt

Custom feed settings

Value 1 and type IP Address

Enabled Blades: Full Threat Prevention

curl_cli -v http://secureupdates.checkpoint.com/IP-list/TOR.txt from SMS and GW: successful

I am able to download the txt properly from the PC running SmartConsole.

I am not able to see the state of the fetches by filtering the logs through the Anti-Bot and Anti-Virus blades.
blade:(Anti-Bot OR Anti-Virus).

Am I missing something?

Regards

Cyber_Serge
Collaborator

In my experience, the feeds I added through SmartConsole are added to all gateways managed by the Smart Management Server (which is what I want).

 

Since your feed is Tor exit nodes, it makes sense to observe it in outgoing traffic, not incoming traffic.

If you want to see something for incoming traffic, try the Talos feed or the AlienVault feed; you will see some external IPs probing the firewall and being prevented by the IPS/IOC feed.

DDiaz
Participant

Thank you very much @Cyber_Serge. Will try that ASAP. Will post my results.

Nir_Naaman
Employee

TOR exit node IPs are relevant for both ingress and egress blocking. See https://www.cisa.gov/uscert/ncas/alerts/aa20-183a for an analysis.

An operationally viable approach for ingesting IOC feeds into Check Point enforcement points is provided by Infinity NDR. The feeds are managed centrally, and the individual IOCs can be seen and managed in the NDR application. They can then be selectively delivered via NDR "data sets", which are compatible with sk132193.

Note: inbound blocking (as well as IPv6 indicators) is supported starting from R81.

User guide: https://community.checkpoint.com/t5/CloudGuard-NDR/Infinity-NDR-Intel-User-Guide/m-p/131434 

Mstay
Explorer

Guys

 

What is the output of this command in your environment? 

cat $FWDIR/conf/ioc_feeder.conf
{
"external_ioc": "on",
"interval": "300",
"ioc_bundle": "/database/ca_bundle.pem",
"feeds": {
}
}
[Expert@FW-MGMT-UY:0]#

 

The interval does not change even if you modify it as described here:

To change the fetching interval, go to Manage & Settings > Blades > Threat Prevention > Advanced Settings, go to External Feed, and select the applicable interval.

Mikael
Contributor

Disclaimer that I'm still on R81, but here I can see the difference between something configured locally and something from the GUI...

 

[screenshot: 2022-01-11_16-12-23.png]

Cheers

Mstay
Explorer

Which command was used, [Expert@HostName:0]# ioc_feeds show?

I only have output using CLI IOC feeds. If the SmartConsole method is used, nothing shows.

There are a lot of different things regarding this issue. The SK must be updated; it is very confusing.

Mikael
Contributor

Yes, that's from ioc_feeds show...

I have 7 feeds configured, so there was too much to blur out to get it all in one screenshot 😀

Mstay
Explorer

@Mikael 

Did you use the SmartConsole method?

Which version of SMS and FW do you have?

I am not able to make it work via SmartConsole, just the CLI way.

I followed all the recommendations possible and no luck.

Regards

Mikael
Contributor

Yes, the ones that are marked "centrally managed" are done through the GUI.

R81 JHF44.

Mstay
Explorer

Team

I will make a brief summary about this issue and the results of the case with the TAC.

 

SmartConsole External IOC Feeds work properly if the GWs are on R81 and above. After long sessions with the TAC, labs, and the Escalation Team, that was the conclusion. Maybe somebody had luck with different versions, but we could not. We had 4 different environments with SMS on R81.10 and GWs on R80.40.

It is clear in the documentation that the SMS must be on R81 and higher (SmartConsole feature), but not the GWs.

From the SK, this part is confusing:

Installation

The feature is integrated in version R80.30 and above.

Note: To import external Custom Intelligence Feeds using SmartConsole in versions R81 and higher, refer to: Threat Prevention R81 Administration Guide > Configuring Advanced Threat Prevention Settings > Configuring Threat Indicators > Importing External Custom Intelligence Feeds > Importing External Custom Intelligence Feeds in SmartConsole.

In some way they must include that the SmartConsole feature "works properly" in GWs with R81 and higher. It was suggested to the TAC to edit sk132193 and add some captures and log queries for verification, as is posted in CheckMates threads.

We tested the CLI way and it works perfectly in the versions they mentioned, but not the SmartConsole External IOC feeds.

We also realized that in all the environments we tested, this file could not be found when you troubleshoot:

$FWDIR/log/ext_ioc_push.elg

I think that with all the tests we made, there is a lot of information from the case to edit the SK and help the community.

Cheers

mdorairaj
Explorer

Hi @Rodrigo_Silva 

I followed your steps, but I get the error "Checkpoint_TorExitNodes: Feed format problem. Feed format not supported" when I check the AV blade logs. Can you please help?

 

Regards,

MD

Supporto_Checkp
Contributor

Hi guys,

I'm on R81.10 MDS with Take 45 and some test gateways with R80.40 Take 139 and Take 156.

I've followed the SK and this thread, but it doesn't work as expected.

Feeds are imported and fetched correctly (using CLI) (I've tried two different feeds):

ioc_feeds show
Feed Name: CPtorIP
Feed is Active
File will be fetched via HTTPS
Resource: https://secureupdates.checkpoint.com/IP-list/TOR.txt
Action: Prevent
Feed type: custom_csv


Feed Name: reputation
Feed is Active
File will be fetched via HTTP
Resource: http://reputation.alienvault.com/reputation.data
Action: Prevent
Feed type: custom_csv


Total number of feeds: 2
Active feeds: 2
(and from the SmartConsole log, blade Anti-Virus, I don't see any error)

But if I try to generate some traffic from the firewall to some of those IP addresses, it simply passes, without being prevented.
Is this normal?
Claudiu3
Explorer

Hi,

 

If you have version R81, you could try the solution suggested here:

https://community.checkpoint.com/t5/Management/How-to-block-traffic-coming-from-known-malicious-IP-a...

"select "IP Address" in the type field, and enter "1" in the "Value" field of the custom feed settings."
