This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
the_rock
Legend
Legend
‎2024-04-26 09:21 AM

Network feed

Hey boys and girls,

Happy Friday! Figured would share this, as its super useful, specially for anyone who is not running AV or AB blades on the firewall to block known bad IPs out there. All you do is create new network feed (can only be tested if running R81.20) and then those can be used to block the traffic from those feeds. There are 8 of them and all you do is replace number 1-8 in the link below:

Github link -> https://github.com/stamparm/ipsum

feed example -> https://raw.githubusercontent.com/stamparm/ipsum/master/levels/1.txt

You can create 8 separate network feeds, simply keep replacing numbers sequentially, 1 to 8.

Thanks @delToro1 for sharing this in my other IOC post.

I set it up in my Azure lab and so far, got 140K hits in less than 1 day, that is super impressive even though its Azure, but I got no hosts behind the fw in that lab at all.

Example:

Screenshot_1.png

Thanks a bunch as well to Miroslav Stampar for creating this.

https://github.com/stamparm

 

Best,

 

Andy

(1)
12 Replies
PhoneBoy
Admin
Admin
‎2024-04-26 10:58 AM

Nice one!

the_rock
Legend
Legend
‎2024-04-26 10:59 AM
In response to PhoneBoy

Thank you 🙂

0 Kudos
the_rock
Legend
Legend
‎2024-04-26 11:21 AM
In response to PhoneBoy

Btw, just added all 8 feeds to see how many IP addresses were there, showed 234,909 all together, not bad 🙂

Andy

0 Kudos
delToro1
Contributor
‎2024-04-29 12:57 AM

So cool!! 😉

the_rock
Legend
Legend
‎2024-04-29 03:54 AM
In response to delToro1

Absolutely!

0 Kudos
the_rock
Legend
Legend
‎2024-04-30 04:55 AM

Just to add, I also found below, which probably has millions of bad IP addresses, as it contains LOTS of /16 subnets. I did a search and saw there was 131 entries for /16, so right there thats 8.5 million, plus remaining /21,/22,/23,/17 etc...would not be surprised its close to 15 M all together.

https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt

Best,

Andy

0 Kudos
Scottc98
Advisor
‎2024-05-01 09:57 AM
In response to the_rock

@the_rock    What is the result if the feed in question on your block rule contains no entries at all (i.e. the feed source becomes empty and the previous cached files on the GW is cleared)?    Does it result in no matches and therefore nothing will hit it?      More fearful of some situation where it starts blocking more than it should be 🙂  

 

 

0 Kudos
the_rock
Legend
Legend
‎2024-05-01 11:32 AM
In response to Scottc98

I noticed one in my lab with no entries, but had not seen any such issues as of yet, what you described.

Andy

0 Kudos
the_rock
Legend
Legend
‎2024-05-01 11:45 AM
In response to Scottc98

One thing I will say though, as a word of caution, though those feeds block BUNCH of bad IPs, but it could happen that something is blocked inadvertently where people may need access to the cloud portal. In my experience, its not often, but there is a chance for it.

Andy

0 Kudos
rrbranco
Collaborator
Collaborator
‎2024-07-04 08:42 AM
In response to the_rock

https://support.checkpoint.com/results/sk/sk132193

"

...

IP Allow List (Exception List)

The IP whitelist provides a convenient way to allow certain IP addresses to bypass the enforcement actions, that have been defined by threat intelligence feeds.

This document provides instructions for managing IP addresses within the IP white list, also known as the IP exception list.

  1. Edit the File:

vi $FWDIR/conf/ip_whitelist.eng

  1. Append IP Addresses:

Add the desired IP addresses, one per line.

  1. Save Changes:

Ensure you save the file after adding the IP addresses.

Exemption from Enforcement: IP addresses listed in the $FWDIR/conf/ip_whitelist.eng file will not be subject to enforcement actions even if they appear in any of the threat intelligence feeds.

 

Question: 

  • Is this file located on the Management Server or GW ?
    • If on the Management Server, how do we update it on MaaS ?  The same way as we do with $FWDIR/lib/table.def ?
  • What is the syntax ?  One IP per line or IP/mask to allow a network ?
  • Can it be Dynamically updated from a Datacenter object from AWS / Azure / GCP ... ?
  • How often it is read ?  On a policy push operation ?  I mean, if we include and/or exclude something, when it will start to be enforced with the recent changes ?

 

 

 

Besides that, IMHO information about "IP Allow list" could be included on the Admin Guide, like here (or close) for instance:  https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_ThreatPrevention_AdminGuide/...

 

🖖

Best regards,  

 

0 Kudos
the_rock
Legend
Legend
‎2024-07-04 09:02 AM
In response to rrbranco

The file is 100% on the mgmt server. Does it get auto updated? Im not so sure about that as per sk. Syntax is simply one IP per line, as mask will always be /32 anyway.

Andy

0 Kudos
George_Ellis
Advisor
‎2024-09-16 06:30 AM

Hey Andy,

Did you create the Network Feed objects as globals or strictly local (Generic DC Obj do that)?

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events