Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
796570686578
Collaborator
Jump to solution

Best Practice to block traffic originating from anonymizers(R81.10)

Hey everyone,

I am looking for some suggestions to block traffic originating from Anonymizer Services like VPNs(NordVPN, Express VPN,...), Proxies, Tor exit nodes, etc. to a specific IP address in the customers DMZ. 

Gateway Version & Management are version R81.10 + Antivirus Blade

Our idea was to subscribe to a service like maxmind or ip2location who offer .csv files with these IP addresses and use them on the gateways to block access from these IPs.

 

But the more I read about all the different features this could be achieved with, the more confused I get.

 

External Custom Intelligence Feeds:

This article from the Admin Guide mentions how to import intelligence feeds in SmartConsole. Under "Limitations" it also mentions the following: 

  • IoC feeds are fetched on all connections and are not affected by Threat Prevention Policy.

Does that mean that the gateway checks every connection if it matches an IP from my feed and I cannot define a rule per se to only apply it to a specific destination host in the DMZ?

 

SK132193 describes how to configure feeds and mentions the following  under "Known Limitations":

  • Inbound traffic to a host behind the gateway does not get blocked, e.g: IP that is on the feed, sends ICMP Request to a host behind the gateway. This traffic does not get blocked.

    In R81 and higher versions, this traffic is blocked.

I assume this matches the Limitation from the Admin Guide, that the IoC is matched on every connection? These feeds have a few million entries. If every connection is checked, will there not be an immensive performance drop?

 

SK103154 is an example on how to block traffic coming from Tor nodes.

  • R80.30+ with Anti Virus Blade recommends Custom Intelligence Feeds
  • R81+ without Anti Virus Blade recommends Generic Data Center Objects

Generic Datacenter Objects have a few disadvantages but also the advantage of using them in the rulebase

Disadavantages: 

 

What solution would you suggest?

Thank you !

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin

If you have a few million IPs, upgrade to R81.20 and use Network Feeds.
Unlike the IOC feeds feature and like the Generic Datacenter objects, these can be used in the Access Policy, which gives you ultimate flexibility.
Further, there are infrastructure improvements in R81.20 that allows more indicators to be supported more efficiently.
R81.10 and earlier will have issues with a large number of indicators in an IOC Feed due to product limitations that were addressed in R81.20.

If an upgrade is not in your immediate future, give your requirements, I would go with a Generic Datacenter object.
A script like the following might be useful in converting your data to the correct format: https://community.checkpoint.com/t5/Scripts/tor2json-bash-script-to-download-TOR-file-and-save-it-in...

View solution in original post

5 Replies
the_rock
Legend
Legend

I will tell you my personal opinion, as I cant and would never speak for anyone else : - ). So, every time I had this sort of issue with any customer, we would end up using built-in apps available via smart console and also custom app group where you can add custom sites (example *facebook.com/*). Other than that, seems your best option is adding IP ranges if mentioned things dont work. I can also say that even TAC suggested the same whenever I had case going for this sort of issue.

Is there a better way? I sure hope so and someone can suggest it, but so far, I had not found anything else.

Cheers mate.

Andy

0 Kudos
garrod
Contributor

Kindly refer to sk132193 Custom Intelligence Feeds , which will coming in handy

0 Kudos
PhoneBoy
Admin
Admin

If you have a few million IPs, upgrade to R81.20 and use Network Feeds.
Unlike the IOC feeds feature and like the Generic Datacenter objects, these can be used in the Access Policy, which gives you ultimate flexibility.
Further, there are infrastructure improvements in R81.20 that allows more indicators to be supported more efficiently.
R81.10 and earlier will have issues with a large number of indicators in an IOC Feed due to product limitations that were addressed in R81.20.

If an upgrade is not in your immediate future, give your requirements, I would go with a Generic Datacenter object.
A script like the following might be useful in converting your data to the correct format: https://community.checkpoint.com/t5/Scripts/tor2json-bash-script-to-download-TOR-file-and-save-it-in...

796570686578
Collaborator

Hey! Thank you very much for the information and sharing your experience! Since R81.20 is not the recommended release just yet, unfortunately we won't be able to install it. So I think we will go with Generic Datacenter objects as of now and upgrade to R81.20 once its the recommended release.

Have a great day!

PhoneBoy
Admin
Admin

The current plan is to make R81.20 "Recommended" in the next several weeks.
However, that will depend on a few factors, including adoption by customers.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events