This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
the_rock
Legend
Legend
‎2024-04-26 09:21 AM

Network feed

Hey boys and girls,

Happy Friday! Figured would share this, as its super useful, specially for anyone who is not running AV or AB blades on the firewall to block known bad IPs out there. All you do is create new network feed (can only be tested if running R81.20) and then those can be used to block the traffic from those feeds. There are 8 of them and all you do is replace number 1-8 in the link below:

Github link -> https://github.com/stamparm/ipsum

feed example -> https://raw.githubusercontent.com/stamparm/ipsum/master/levels/1.txt

You can create 8 separate network feeds, simply keep replacing numbers sequentially, 1 to 8.

Thanks @delToro1 for sharing this in my other IOC post.

I set it up in my Azure lab and so far, got 140K hits in less than 1 day, that is super impressive even though its Azure, but I got no hosts behind the fw in that lab at all.

Example:

Screenshot_1.png

Thanks a bunch as well to Miroslav Stampar for creating this.

https://github.com/stamparm

https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt

 

IMPORTANT NOTE:

PLEASE DONT USE EMERG AND SAMPARM FEED 1 TO BEGIN WITH, since I had few customers having issues with those feeds. Samparm 2-8 are fine, no issues.

 

Best,

 

Andy

(1)
25 Replies
PhoneBoy
Admin
Admin
‎2024-04-26 10:58 AM

Nice one!

the_rock
Legend
Legend
‎2024-04-26 10:59 AM
In response to PhoneBoy

Thank you 🙂

0 Kudos
the_rock
Legend
Legend
‎2024-04-26 11:21 AM
In response to PhoneBoy

Btw, just added all 8 feeds to see how many IP addresses were there, showed 234,909 all together, not bad 🙂

Andy

0 Kudos
delToro1
Contributor
‎2024-04-29 12:57 AM

So cool!! 😉

the_rock
Legend
Legend
‎2024-04-29 03:54 AM
In response to delToro1

Absolutely!

0 Kudos
the_rock
Legend
Legend
‎2024-04-30 04:55 AM

Just to add, I also found below, which probably has millions of bad IP addresses, as it contains LOTS of /16 subnets. I did a search and saw there was 131 entries for /16, so right there thats 8.5 million, plus remaining /21,/22,/23,/17 etc...would not be surprised its close to 15 M all together.

https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt

Best,

Andy

0 Kudos
Scottc98
Advisor
‎2024-05-01 09:57 AM
In response to the_rock

@the_rock    What is the result if the feed in question on your block rule contains no entries at all (i.e. the feed source becomes empty and the previous cached files on the GW is cleared)?    Does it result in no matches and therefore nothing will hit it?      More fearful of some situation where it starts blocking more than it should be 🙂  

 

 

0 Kudos
the_rock
Legend
Legend
‎2024-05-01 11:32 AM
In response to Scottc98

I noticed one in my lab with no entries, but had not seen any such issues as of yet, what you described.

Andy

0 Kudos
the_rock
Legend
Legend
‎2024-05-01 11:45 AM
In response to Scottc98

One thing I will say though, as a word of caution, though those feeds block BUNCH of bad IPs, but it could happen that something is blocked inadvertently where people may need access to the cloud portal. In my experience, its not often, but there is a chance for it.

Andy

0 Kudos
rrbranco
Collaborator
Collaborator
‎2024-07-04 08:42 AM
In response to the_rock

https://support.checkpoint.com/results/sk/sk132193

"

...

IP Allow List (Exception List)

The IP whitelist provides a convenient way to allow certain IP addresses to bypass the enforcement actions, that have been defined by threat intelligence feeds.

This document provides instructions for managing IP addresses within the IP white list, also known as the IP exception list.

  1. Edit the File:

vi $FWDIR/conf/ip_whitelist.eng

  1. Append IP Addresses:

Add the desired IP addresses, one per line.

  1. Save Changes:

Ensure you save the file after adding the IP addresses.

Exemption from Enforcement: IP addresses listed in the $FWDIR/conf/ip_whitelist.eng file will not be subject to enforcement actions even if they appear in any of the threat intelligence feeds.

 

Question: 

  • Is this file located on the Management Server or GW ?
    • If on the Management Server, how do we update it on MaaS ?  The same way as we do with $FWDIR/lib/table.def ?
  • What is the syntax ?  One IP per line or IP/mask to allow a network ?
  • Can it be Dynamically updated from a Datacenter object from AWS / Azure / GCP ... ?
  • How often it is read ?  On a policy push operation ?  I mean, if we include and/or exclude something, when it will start to be enforced with the recent changes ?

 

 

 

Besides that, IMHO information about "IP Allow list" could be included on the Admin Guide, like here (or close) for instance:  https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_ThreatPrevention_AdminGuide/...

 

🖖

Best regards,  

 

0 Kudos
the_rock
Legend
Legend
‎2024-07-04 09:02 AM
In response to rrbranco

The file is 100% on the mgmt server. Does it get auto updated? Im not so sure about that as per sk. Syntax is simply one IP per line, as mask will always be /32 anyway.

Andy

0 Kudos
Roslany
Employee
Employee
‎2025-03-09 07:24 AM
In response to rrbranco

I believe this guide specifically addresses IoC feeds. Since network feeds are set within regular access drop rules, you only need to create an additional allow rule above it with the relevant objects to serve as an 'exception'.

0 Kudos
the_rock
Legend
Legend
‎2025-03-09 07:31 AM
In response to Roslany

Thats true, but I wanted to point out with emerg feed, around 15M ip addeesses, its hard to know what should be exempted, unless 100% certain. Im confident stamparm feeds 2-8 are good, no issues. Not saying other 2 are bad, but they do cause cpu/connectivity problems.

Andy

0 Kudos
George_Ellis
Advisor
‎2024-09-16 06:30 AM

Hey Andy,

Did you create the Network Feed objects as globals or strictly local (Generic DC Obj do that)?

 

0 Kudos
the_rock
Legend
Legend
‎2025-02-28 06:26 AM

Hey everyone,

I know this post is almost year old, but I feel its important to highlight something. I had customer tell me recently they used emerg feed below and it caused issues on their network, so just a word of caution, maybe do NOT use it in the beginning, since it has about 15.5 M IP addresses, so can definitely cause problems. Safe to use other 8.

To be precise, number of IPs is 15,455,886

Andy

https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt

0 Kudos
PhoneBoy
Admin
Admin
‎2025-02-28 09:13 AM
In response to the_rock

15 million IPs is a bit beyond what we tested for Network Feeds (2 million).
Possible that has something to do with it.

the_rock
Legend
Legend
‎2025-02-28 09:15 AM
In response to PhoneBoy

I think so too.

Andy

0 Kudos
the_rock
Legend
Legend
‎2025-02-28 02:04 PM

Latest update. Below link also contains some great stuff for IOC.

Nice weekend everyone 🙂

Andy

 

https://github.com/Bert-JanP/Open-Source-Threat-Intel-Feeds?tab=readme-ov-file

DeltaUnit
Explorer
‎2025-03-07 02:03 PM

I got this running in my lab and shot up my CPU to 90% - had to get rid of it. 

0 Kudos
the_rock
Legend
Legend
‎2025-03-07 03:57 PM
In response to DeltaUnit

Just remove emerg one and samparm 1, others are fine.

Andy

the_rock
Legend
Legend
‎2025-03-08 10:07 AM
In response to DeltaUnit

This is super useful info too, since @PhoneBoy mentioned 2 million entries is the limit currently, and emerg net feed has more less, about 15 M entries, so definitely way more than officially supported. Not sure why stamparm 1 feed is causing issues for people, since its less than 200K entried, but we had one customer use stamparm 2-8 feeds and in 4-5 days, they had almost 10M hits, so definitely working well. For the context, I had a customer do this while ago, they are smaller hospital, and they told me in a week, there was almost 100M hits, compated to few thousands with manual IPs they were adding before doing net feeds.

Best,

Andy

0 Kudos
the_rock
Legend
Legend
‎2025-04-28 11:01 AM

Hey guys,

Quick update...thanks to @Matlu , adding one more feed.This one has BUNCH of sub-feeds inside it.

Andy

https://lists.blocklist.de/lists/

0 Kudos
Matlu
Advisor
‎2025-04-28 12:13 PM
In response to the_rock

Hey, Bro.

In the “extreme” case that the IP I'm looking for, I can't find it in any of the FQDN Domain .txt options https://lists.blocklist.de/
I guess the alternative, in that case, would be to manually “add” that IP in a new blocking rule?

B1P.png

Cheers.

Preview file
19 KB
0 Kudos
the_rock
Legend
Legend
‎2025-04-28 12:17 PM
In response to Matlu

You got it, thats right.

Andy

0 Kudos
the_rock
Legend
Legend
‎2025-04-28 06:37 PM

Latest update with lots of links available for net feeds.

Andy

https://github.com/Bert-JanP/Open-Source-Threat-Intel-Feeds?tab=readme-ov-file

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events