the_rock
Legend

Question in regards to sk167210

Hey guys,

I hope someone might be able to tell me how to fix this, or if not, at least point me in the right direction or what to even look for :-)

I followed sk167210 and all is fine, BUT what fails is when I try to create a rule with the generic data center I created. I used the link below and it does show connected, it's from here:

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_Chassis_AdminGuide/Topics-Chassis-...

https://secureupdates.checkpoint.com/IP-list/TOR.txt

 

Screenshot_1.png

But when I try to add it to the rule itself, below is what I get:

 

Screenshot_2.png

Any idea why? Also, to add, I can't find a single log about it, haha.

Any help is always greatly appreciated 🙂

Btw, found only a single community post on this with no responses and can't find much on the support site about it either.

Cheers,

Andy

0 Kudos
2 Solutions

Accepted Solutions
PhoneBoy
Admin

The Network Feed option requires R81.20 all around.
Meanwhile, you can use this tool to convert IP-TOR into a JSON file: https://community.checkpoint.com/t5/Scripts/tor2json-bash-script-to-download-TOR-file-and-save-it-in...


Sorin_Gogean
Advisor

Hello @the_rock ,

 

Like we talked about on other occasions, we're using Generic DataCenter Objects, and for that we've adapted the script from (https://github.com/HGrigorov/checkpoint) and we added some extra functions to it.

 

That script collects IPs from those 6 lists and builds a JSON that contains all that data (I've attached the JSON for reference so you can have a look).

# Text for <name> field in JSON file
NAME[1]="TOR_Exit_Nodes"
NAME[2]="TOR_IPBlacklist_Nodes"
NAME[3]="OpenDBL_TOR_Exit_Nodes"
NAME[4]="OpenDBL_TALOS_Nodes"
NAME[5]="OpenDBL_EmergThreats_Nodes"
NAME[6]="OpenDL_Bruteforce_Nodes"

# Download URL
#TOR_URL="https://check.torproject.org/torbulkexitlist"
TOR_URL[1]="https://secureupdates.checkpoint.com/IP-list/TOR.txt"
TOR_URL[2]="https://secureupdates.checkpoint.com/IP-list/IP-blacklist.txt"
TOR_URL[3]="http://www.opendbl.net/lists/tor-exit.list"
TOR_URL[4]="http://www.opendbl.net/lists/talos.list"
TOR_URL[5]="http://www.opendbl.net/lists/etknown.list"
TOR_URL[6]="http://www.opendbl.net/lists/bruteforce.list"

 

If you have questions, let me know.

 

Thank you,

PS: Indeed I could have used IoC Feeds, but I wanted a graphical solution that would be easier to use. I'll go back and have a look 😊.

(I remember why I didn't use IoC, because it's used only by AntiBot blades, and we wanted to use in Firewall rules...)

Maybe in the next version upgrade (as we're with R81) we will move to R81.20 and start using Network Feed.

 


0 Kudos
20 Replies
Tal_Paz-Fridman
Employee

Hi,

The best practice is to use the Custom Intelligence Feed (IoC Feed) - either from SmartConsole or CLI.

Refer to sk132193 - What is the "Custom Intelligence Feeds" feature?

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

 

How it looks in R81.20 with the ability to test the feed:

2023-02-28 20_03_16-Clipboard.png

0 Kudos
the_rock
Legend

Thanks @Tal_Paz-Fridman . Here is my question though...considering it shows "connected" in data center object, should it not work to import it in the rule?

Andy

0 Kudos
Tal_Paz-Fridman
Employee

I think the Generic Data Center file should be in .json format.

I can check it with owners. If this is correct I'll request to add a validation for this.

Regarding the message (check log file), I'll also ask to have it improved.

Thanks

the_rock
Legend

K, I think I see what you are saying. Yea, if that's the case, it's odd, as I did not get any warning when I put in the txt file link. Question @Tal_Paz-Fridman ... do you think there is a JSON version of that txt link?

0 Kudos
G_W_Albrecht
Legend

Convert it as shown here: https://community.checkpoint.com/t5/Scripts/tor2json-bash-script-to-download-TOR-file-and-save-it-in...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
G_W_Albrecht
Legend

I even did the conversion for you...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
the_rock
Legend

Thanks so much, will try later! Would you mind sending the process how you did it, just curious? I followed the same yesterday, but still failed, so clearly I did it wrong.

0 Kudos
the_rock
Legend

Hey Guenther,

I just had a Teams meeting with @Sorin_Gogean and he showed me exactly how this worked, I learned a lot actually. He confirmed that because there is an issue with parsing ipv6 addresses, the file you gave could not be imported. Once we used the file he provided (no ipv6), all worked fine.

What I'm doing now is enabling ipv6 on both my mgmt and gateway and rebooting, so once that's done, will try the file you gave and the one I converted yesterday and see if it works and update.

Cheers and thanks again so much @Sorin_Gogean , very grateful for all you showed me 🙌🙌🙌

Andy

0 Kudos
the_rock
Legend

Btw, how did you get to that screen for testing feed connection? I have R81.20 lab

0 Kudos
the_rock
Legend

K, never mind, got it, yes, works on mine as well, so the only question is if there is a JSON version of that txt link? If so, I think that would probably solve this.

0 Kudos
PhoneBoy
Admin

That file is not in a format consumable by the Generic Data Center object, which would be JSON.
See: https://support.checkpoint.com/results/sk/sk167210

The Network Feed option in R81.20 should be able to parse this file directly.

0 Kudos
the_rock
Legend

Thanks @PhoneBoy. So just wondering, is there an equivalent JSON format for the txt link I posted? If that exists, it would most likely work... btw, any idea where I can find that option for network feed in R81.20? Have the smart console open, so can test it quick. Also, say if mgmt is R81.20 and let's say gateways on R81 base, would that still work?

0 Kudos
the_rock
Legend

Hm, can't seem to find the script there, k, may have to check later.

0 Kudos
the_rock
Legend

K, did the conversion, shows connected in data center object, but still can't import it, exact same error. This is all R81.20.

0 Kudos
_Val_
Admin

The format for Generic Datacenter Object has to be json, not txt. I am pretty sure it is the reason for your issue. If you want to use plain txt files, use custom feeds, where the list is properly parsed, as @Tal_Paz-Fridman already mentioned.

 

The TOR list is not in json format

the_rock
Legend

Thanks Val, yes, that's correct.

0 Kudos
the_rock
Legend

Just to update on this further, even after enabling ipv6 on both mgmt and gateway (R81.20 lab), still can't import the generic data center object, so there is definitely something preventing it. As soon as I remove ipv6 addresses as @Sorin_Gogean showed me, works like a charm.

By the way, for anyone trying to do this, if any issues, as Sorin pointed out, please do the search below in the logs (not indicated in the sk):

blade:"CloudGuard IaaS"

THANKS SO MUCH @Sorin_Gogean 

0 Kudos
the_rock
Legend

Hey guys,

For anyone wanting to use ipv6 IP addresses, I attached the json file that works (tested in the lab). All that had to be done was remove [ and ] characters and that did it. Big thanks to my colleague who even all customers say is the best Linux guru they ever met and it's true 🙂

Cheers,

Andy

0 Kudos
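
The conversion this thread converges on (plain-text IP list to Generic Data Center JSON, with the `[` and `]` around IPv6 entries removed), as an added example that is not part of any post above or of the scripts linked in it. The JSON layout (`version`, `description`, `objects` with `name`, `id`, `description`, `ranges`) is assumed from sk167210; the function names and the sample addresses are constructed for illustration.

```python
import ipaddress
import json
import uuid

# Constructed sample in the style of a plain-text IP list. Addresses are
# documentation ranges (RFC 5737 / RFC 3849), not real feed entries.
SAMPLE_FEED = """\
# constructed sample
192.0.2.10
198.51.100.0/24
[2001:db8::1]
192.0.2.10
not-an-ip
"""


def normalize(line):
    """Return a canonical IP or CIDR string, or None for blanks, comments and junk."""
    entry = line.split("#", 1)[0].strip().replace("[", "").replace("]", "")
    if not entry:
        return None
    try:
        if "/" in entry:
            return str(ipaddress.ip_network(entry, strict=False))
        return str(ipaddress.ip_address(entry))
    except ValueError:
        return None  # anything that is not a valid address is dropped here


def build_datacenter(feeds):
    """Map {object_name: feed_text} to a dict in the assumed sk167210 layout."""
    objects = []
    for name, text in feeds.items():
        # dict.fromkeys de-duplicates while keeping the feed's order.
        ranges = list(dict.fromkeys(e for e in map(normalize, text.splitlines()) if e))
        objects.append({
            "name": name,
            # Assumption: a UUID derived from the name keeps the object id
            # stable across refreshes, so rules keep pointing at the same object.
            "id": str(uuid.uuid5(uuid.NAMESPACE_URL, name)),
            "description": f"{len(ranges)} entries, generated from a text list",
            "ranges": ranges,
        })
    return {"version": "1.0", "description": "Generated from text feeds", "objects": objects}


if __name__ == "__main__":
    print(json.dumps(build_datacenter({"TOR_Exit_Nodes": SAMPLE_FEED}), indent=2))
```

Validating every entry before it reaches the JSON file means one malformed line in an upstream list is dropped at conversion time instead of surfacing as an import error on the management server.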
