Hey boys and girls,
Happy Friday! Figured I would share this, as it's super useful, especially for anyone who is not running AV or AB blades on the firewall to block known bad IPs out there. All you do is create a new network feed (can only be tested if running R81.20) and then those can be used to block the traffic from those feeds. There are 8 of them and all you do is replace number 1-8 in the link below:
Github link -> https://github.com/stamparm/ipsum
feed example -> https://raw.githubusercontent.com/stamparm/ipsum/master/levels/1.txt
You can create 8 separate network feeds, simply keep replacing numbers sequentially, 1 to 8.
Thanks @delToro1 for sharing this in my other IOC post.
I set it up in my Azure lab and so far, got 140K hits in less than 1 day, that is super impressive even though it's Azure, but I got no hosts behind the fw in that lab at all.
Example:
Thanks a bunch as well to Miroslav Stampar for creating this.
https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt
IMPORTANT NOTE:
PLEASE DON'T USE EMERG AND STAMPARM FEED 1 TO BEGIN WITH, since I had a few customers having issues with those feeds. Stamparm 2-8 are fine, no issues.
Best,
Andy
Nice one!
Thank you 🙂
Btw, just added all 8 feeds to see how many IP addresses were there, showed 234,909 all together, not bad 🙂
Andy
So cool!! 😉
Absolutely!
Just to add, I also found the below, which probably has millions of bad IP addresses, as it contains LOTS of /16 subnets. I did a search and saw there were 131 entries for /16, so right there that's 8.5 million, plus remaining /21, /22, /23, /17 etc... would not be surprised if it's close to 15 M all together.
https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt
Best,
Andy
@the_rock What is the result if the feed in question on your block rule contains no entries at all (i.e. the feed source becomes empty and the previous cached files on the GW is cleared)? Does it result in no matches and therefore nothing will hit it? More fearful of some situation where it starts blocking more than it should be 🙂
I noticed one in my lab with no entries, but have not seen any such issues as of yet like what you described.
Andy
One thing I will say though, as a word of caution: though those feeds block a BUNCH of bad IPs, it could happen that something is blocked inadvertently where people may need access to the cloud portal. In my experience, it's not often, but there is a chance for it.
Andy
https://support.checkpoint.com/results/sk/sk132193
"
...
IP Allow List (Exception List)
The IP whitelist provides a convenient way to allow certain IP addresses to bypass the enforcement actions, that have been defined by threat intelligence feeds.
This document provides instructions for managing IP addresses within the IP white list, also known as the IP exception list.
vi $FWDIR/conf/ip_whitelist.eng
Add the desired IP addresses, one per line.
Ensure you save the file after adding the IP addresses.
Exemption from Enforcement: IP addresses listed in the $FWDIR/conf/ip_whitelist.eng file will not be subject to enforcement actions even if they appear in any of the threat intelligence feeds.
…
"
Question:
Besides that, IMHO information about "IP Allow list" could be included on the Admin Guide, like here (or close) for instance: https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_ThreatPrevention_AdminGuide/...
Best regards,
The file is 100% on the mgmt server. Does it get auto updated? I'm not so sure about that as per sk. Syntax is simply one IP per line, as mask will always be /32 anyway.
Andy
I believe this guide specifically addresses IoC feeds. Since network feeds are set within regular access drop rules, you only need to create an additional allow rule above it with the relevant objects to serve as an 'exception'.
That's true, but I wanted to point out with emerg feed, around 15M IP addresses, it's hard to know what should be exempted, unless 100% certain. I'm confident stamparm feeds 2-8 are good, no issues. Not saying other 2 are bad, but they do cause cpu/connectivity problems.
Andy
Hey Andy,
Did you create the Network Feed objects as globals or strictly local (Generic DC Obj do that)?
Hey everyone,
I know this post is almost a year old, but I feel it's important to highlight something. I had a customer tell me recently they used the emerg feed below and it caused issues on their network, so just a word of caution, maybe do NOT use it in the beginning, since it has about 15.5 M IP addresses, so can definitely cause problems. Safe to use the other 8.
To be precise, number of IPs is 15,455,886
Andy
https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt
15 million IPs is a bit beyond what we tested for Network Feeds (2 million).
Possible that has something to do with it.
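The two size questions raised in this thread (the /16 arithmetic for the Emerging Threats list above, and the 2 million figure quoted for Network Feeds) can be checked before a feed is ever attached to a rule. The script below is an added example, not code from the thread or from Check Point; it parses feed text in the one-entry-per-line form the ipsum and Emerging Threats files use, counts the addresses each CIDR expands to, and flags empty feeds and feeds over the limit. The feed text is constructed inline so it runs offline; in practice you would pass it the downloaded file.

```python
import ipaddress

# Constructed sample feed (stands in for levels/N.txt or emerging-Block-IPs.txt).
# Mixes host entries, CIDR blocks, a comment, a blank line and a junk line.
SAMPLE_FEED = """\
# Emerging Threats style header comment
192.0.2.10
192.0.2.11
198.51.100.0/24
203.0.113.0/23

10.0.0.0/16
not-an-ip
"""

# Upper bound quoted in this thread for what Network Feeds were tested with.
TESTED_LIMIT = 2_000_000


def parse_feed(text):
    """Return ip_network objects for each usable line; skip comments, blanks, junk."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing/whole-line comments
        if not line:
            continue
        try:
            # strict=False tolerates host bits set in a CIDR (e.g. 10.1.2.3/24)
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            continue                          # unparsable line, ignore it
    return nets


def addresses_in(prefix_count, prefixlen):
    """Addresses covered by prefix_count IPv4 blocks of a given length (131 x /16 -> 8.5M)."""
    return prefix_count * ipaddress.ip_network(f"0.0.0.0/{prefixlen}").num_addresses


def assess_feed(text, limit=TESTED_LIMIT):
    """Summarise a feed: entry count, expanded address count, per-prefix breakdown, flags."""
    nets = parse_feed(text)
    by_prefix = {}
    for n in nets:
        by_prefix[n.prefixlen] = by_prefix.get(n.prefixlen, 0) + 1
    total = sum(n.num_addresses for n in nets)
    return {
        "entries": len(nets),
        "addresses": total,                   # the figure the thread compares to 2M
        "by_prefix": by_prefix,
        "empty": not nets,                    # the "feed became empty" case asked about
        "over_limit": total > limit,
    }
```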
I think so too.
Andy
Hello
Is the “Network Feed” a feature of Management or Firewall?
I am implementing a Linux server that will serve as a “source” to feed a daily list of IPs with a bad reputation, but I wonder if this feature is characteristic of SMS/MDS or GW, because I want to know if the main connectivity that my server should have should be against the administration manager or against the FW?
Thank you
Hey bro,
Technically, it's a mgmt feature, but it applies to the firewalls. Just make sure that server sits behind the firewall itself.
Andy
The source IP will be the gateway VIP which has the network feed installed on it. I just tested it this week.
It has a Management component, for example the Network Feed object in SmartConsole, but it is primarily a Security Gateway (Firewall) feature, since the Security Gateway is the one that holds all the IP addresses.
Hello, @Tal_Paz-Fridman
So, the important thing is that the server has connectivity with the Security Gateway?
Or would you recommend that connectivity be both with the SMS/MDS and with the SG?
Thank you.
As stated in the link I gave, mostly the Security Gateway but if you want to "view" the most updated information about the Network Object in SmartConsole the SMS/MDS should also have access.
Latest update. Below link also contains some great stuff for IOC.
Nice weekend everyone 🙂
Andy
https://github.com/Bert-JanP/Open-Source-Threat-Intel-Feeds?tab=readme-ov-file
I got this running in my lab and shot up my CPU to 90% - had to get rid of it.
Just remove the emerg one and stamparm 1, others are fine.
Andy
This is super useful info too, since @PhoneBoy mentioned 2 million entries is the limit currently, and the emerg net feed has more or less about 15 M entries, so definitely way more than officially supported. Not sure why the stamparm 1 feed is causing issues for people, since it's less than 200K entries, but we had one customer use stamparm 2-8 feeds and in 4-5 days, they had almost 10M hits, so definitely working well. For context, I had a customer do this a while ago, they are a smaller hospital, and they told me in a week, there were almost 100M hits, compared to a few thousand with manual IPs they were adding before doing net feeds.
Best,
Andy
Hey guys,
Quick update... thanks to @Matlu, adding one more feed. This one has a BUNCH of sub-feeds inside it.
Andy
Hey, Bro.
In the “extreme” case that I can't find the IP I'm looking for in any of the FQDN Domain .txt options at https://lists.blocklist.de/
I guess the alternative, in that case, would be to manually “add” that IP in a new blocking rule?
Cheers.