the_rock
MVP Gold

Network feed

Hey boys and girls,

Happy Friday! Figured I would share this, as it's super useful, especially for anyone who is not running AV or AB blades on the firewall to block known bad IPs out there. All you do is create a new network feed (can only be tested if running R81.20) and then those can be used to block the traffic from those feeds. There are 8 of them and all you do is replace the number 1-8 in the link below:

Github link -> https://github.com/stamparm/ipsum

feed example -> https://raw.githubusercontent.com/stamparm/ipsum/master/levels/1.txt

You can create 8 separate network feeds, simply keep replacing numbers sequentially, 1 to 8.

Thanks @delToro1 for sharing this in my other IOC post.

I set it up in my Azure lab and so far got 140K hits in less than 1 day. That is super impressive even though it's Azure, but I've got no hosts behind the fw in that lab at all.

Example:

Screenshot_1.png

Thanks a bunch as well to Miroslav Stampar for creating this.

https://github.com/stamparm

https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt

 

IMPORTANT NOTE:

PLEASE DON'T USE EMERG AND STAMPARM FEED 1 TO BEGIN WITH, since I had a few customers having issues with those feeds. Stamparm 2-8 are fine, no issues.

Best,

Andy

(1)
41 Replies
the_rock
MVP Gold

You got it, that's right.

Andy

0 Kudos
the_rock
MVP Gold

Latest update with lots of links available for net feeds.

Andy

https://github.com/Bert-JanP/Open-Source-Threat-Intel-Feeds?tab=readme-ov-file

0 Kudos
the_rock
MVP Gold

Hey guys,

I know this post is more than a year old, but I found another feed that has probably around 15 mil entries, same as the emerg threat one, so be careful if you do decide to use it.

Andy

https://www.spamhaus.org/drop/drop.txt

reference:

http://iplists.firehol.org/

0 Kudos
Matlu
MVP Silver

Bro,

Have you used an internal server as a “source” to block IPs that “escape” from public Internet sources?

Is it possible to do this?

I have several IPs that I can't find in any of the public sources, and I want to know if we can integrate a Windows/Linux-type server to add the new IPs we need there.

Cheers

0 Kudos
the_rock
MVP Gold

Oh yeah, worked in my lab just fine.

Andy

0 Kudos
Matlu
MVP Silver

Can you share an image of how you have configured your server in SmartConsole to achieve this goal, please?

Are you using Windows/Linux?

Do you need a license for this?

Cheers

0 Kudos
the_rock
MVP Gold

I don't have that server online any more, but literally the rule would be that server as source, net feeds as dst, block, and then the same rule, just the other way around. You've got my email, feel free to message me offline, we can connect that way.

Andy

0 Kudos
the_rock
MVP Gold

Bro, what exactly was failing for this? Do you have any relevant logs, captures?

Andy

0 Kudos
Matlu
MVP Silver

Hey
Not exactly.

We want to implement it for the first time because we need to generate massive blocks of IPs and domains with a bad reputation.

In many public sources, our IPs and domains reported by our Monitoring area do not appear, so we want to “optimize” this block.

We want to know if we need a “special” license to use Network Feed, and if we can use a Windows Server, where we can include the txt files (one for IPs and another for domains).

0 Kudos
the_rock
MVP Gold

Nope, you do NOT need any special license to use it. I have eval in my labs and I have used net feeds for some time, no problems.

Andy

0 Kudos
the_rock
MVP Gold

Bro, I messaged you offline about this.

Andy

0 Kudos
PhoneBoy
Admin

Network Feed is considered a basic firewall feature and does not require a specific license.
Refer to the documentation for more details: https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_SecurityManagement_AdminGuid... 

0 Kudos
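
For the self-hosted IP list asked about in this thread, here is an added example (not code from any poster or from Check Point) of a pre-publish check that validates a feed file before an internal web server offers it to the gateway. It assumes one IP or CIDR per line with `#` or `;` comments; the function name `clean_feed`, the guard ranges, the 50,000-entry cap and the sample addresses are all constructed for illustration.

```python
import ipaddress

# Assumed guard list: ranges that must never reach the block list.
NEVER_BLOCK = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
               "127.0.0.0/8", "169.254.0.0/16"]

def clean_feed(text, protected=(), max_entries=50_000):
    """Validate raw feed text; return (entries, rejected). The cap is an assumed figure."""
    guard = [ipaddress.ip_network(p) for p in [*NEVER_BLOCK, *protected]]
    keep, rejected = set(), []
    for lineno, raw in enumerate(text.splitlines(), 1):
        # Drop '#' and ';' comments, then take the first token on the line.
        tokens = raw.split("#", 1)[0].split(";", 1)[0].split()
        if not tokens:
            continue
        try:
            net = ipaddress.ip_network(tokens[0], strict=False)
        except ValueError:
            rejected.append((lineno, raw, "not an IP or CIDR"))
            continue
        # Refuse anything touching internal or own ranges (catches 0.0.0.0/0 too).
        hit = next((g for g in guard
                    if g.version == net.version and g.overlaps(net)), None)
        if hit is not None:
            rejected.append((lineno, raw, f"overlaps {hit}"))
            continue
        keep.add(net)
    # Merge duplicates and adjacent prefixes so the published file stays small.
    merged = []
    for version in (4, 6):
        merged += ipaddress.collapse_addresses(n for n in keep if n.version == version)
    if len(merged) > max_entries:
        raise ValueError(f"{len(merged)} entries exceeds cap of {max_entries}")
    entries = [str(n.network_address) if n.prefixlen == n.max_prefixlen else str(n)
               for n in merged]
    return entries, rejected

# Constructed sample input (documentation ranges), not data from a real feed.
SAMPLE = ("# constructed sample feed\n198.51.100.7\n198.51.100.7 ; duplicate\n"
          "203.0.113.0/25\n203.0.113.128/25\n10.1.2.3\n192.0.2.10\n"
          "0.0.0.0/0\nnot-an-ip\n")

if __name__ == "__main__":
    entries, rejected = clean_feed(SAMPLE, protected=["192.0.2.0/24"])
    print("\n".join(entries))
    for lineno, raw, why in rejected:
        print(f"rejected line {lineno}: {raw!r} ({why})")
```

Write the returned entries to the text file the web server exposes, and review the rejected lines rather than discarding them silently.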
