cem82
Contributor

Blocking custom IP and domain threat feeds R81.10

Hi

 

We are wanting to block IPs and domains from our own threat feed and other sources automatically. I would have thought that simply using the Anti-Bot blade with various IOC feeds would do the job for IP / domain reputation protections. However, it would appear that is not the case. At this stage we are not wanting to enable the AV blade as well, so I am wondering if there is another easy way to do these blocks and automatically update them every X min without the AV blade?

 

I suppose we could do this somehow via the API for the creation of the objects and add those to a normal firewall rule, but we would really rather avoid having to do a manual policy push and work out a way to know if there were changes in the first place.

0 Kudos
9 Replies
Blason_R
Advisor

Use fwaccel dos deny -l and other such options. If possible, create a Linux script and run it with cron or cpd_sched_config.

0 Kudos
cem82
Contributor

Thanks for the suggestion. I did think about that, but it seems to only apply to IPs, not domains as well. If we have to end up doing it this way, would the -N "<Name of deny list>" appear in traffic logs to identify that the particular drops are from this feed and not other drops?

0 Kudos
Blason_R
Advisor

This is right; currently this is a limitation. However, what I did is build a DNS-specific solution based on DNS RPZ and maintain the domain lists there. But for IP addresses I use the fwaccel dos deny option.

0 Kudos
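The two replies above outline a cron-driven approach: an IP list loaded into the SecureXL deny list with fwaccel dos deny, and a domain list served as a DNS RPZ zone. The script below is an added example of that approach, not code from this thread or from Check Point. It fetches both feeds, keeps only syntactically valid entries, and only acts when the cleaned list actually changed since the last run. The feed URLs, the state directory, the RPZ zone name and the resolver reload step are assumptions, as is the exact fwaccel dos deny -l / -N syntax (taken from the thread; confirm it against the CLI reference for your release and JHF before relying on it).

```shell
#!/bin/sh
# Added example (not from the thread or from Check Point): sync an IP feed into the
# SecureXL deny list and a domain feed into a BIND RPZ zone, only when the feed changed.
# Run from cron (or cpd_sched_config) as:  sh feed_sync.sh run
FEED_STATE_DIR="${FEED_STATE_DIR:-/var/tmp/feed_sync}"   # ASSUMPTION: snapshot location

# Keep only valid IPv4 addresses or IPv4/prefix entries, one per line.
# Drops comments, blank lines and CR line endings; output is sorted and de-duplicated.
clean_ipv4_feed() {
    tr -d '\r' < "$1" \
    | sed 's/#.*//; s/[[:space:]]//g' \
    | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' \
    | awk -F'[./]' '$1<256 && $2<256 && $3<256 && $4<256 && ($5=="" || $5<=32)' \
    | sort -u
}

# Keep only well-formed host names (lower-cased, trailing dot removed, at least one label).
clean_domain_feed() {
    tr -d '\r' < "$1" \
    | sed 's/#.*//; s/[[:space:]]//g; s/\.$//' \
    | tr 'A-Z' 'a-z' \
    | grep -E '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$' \
    | sort -u
}

# Return 0 (changed) when the cleaned feed differs from the stored snapshot, and
# replace the snapshot; return 1 (unchanged) otherwise, so callers can skip the reload.
feed_changed() {   # $1 = cleaned feed, $2 = snapshot file
    if [ -f "$2" ] && cmp -s "$1" "$2"; then
        return 1
    fi
    cp "$1" "$2"
    return 0
}

# Emit a BIND RPZ zone: each listed domain and all its subdomains answer NXDOMAIN (CNAME .).
rpz_zone_from_domains() {   # $1 = cleaned domain list, $2 = zone name, $3 = serial
    printf '$ORIGIN %s.\n$TTL 300\n' "$2"
    printf '@ IN SOA localhost. hostmaster.localhost. (%s 3600 600 86400 300)\n' "$3"
    printf '@ IN NS localhost.\n'
    while IFS= read -r d; do
        [ -n "$d" ] || continue
        printf '%s CNAME .\n*.%s CNAME .\n' "$d" "$d"
    done < "$1"
}

# ASSUMPTION: 'fwaccel dos deny -l <file>' loads a deny list from a file and '-N' names it,
# as discussed in the thread. Only attempted when fwaccel is present (i.e. on a gateway).
apply_ip_denylist() {   # $1 = cleaned IP list
    if command -v fwaccel >/dev/null 2>&1; then
        fwaccel dos deny -l "$1" -N "custom_ioc_feed"
    else
        echo "fwaccel not found; would load $(wc -l < "$1") deny entries" >&2
    fi
}

main() {
    mkdir -p "$FEED_STATE_DIR"
    # ASSUMPTION: placeholder feed URLs; replace with your own sources.
    curl -fsS "https://feeds.example.invalid/ips.txt"     > "$FEED_STATE_DIR/ips.raw"
    curl -fsS "https://feeds.example.invalid/domains.txt" > "$FEED_STATE_DIR/domains.raw"
    clean_ipv4_feed   "$FEED_STATE_DIR/ips.raw"     > "$FEED_STATE_DIR/ips.clean"
    clean_domain_feed "$FEED_STATE_DIR/domains.raw" > "$FEED_STATE_DIR/domains.clean"
    if feed_changed "$FEED_STATE_DIR/ips.clean" "$FEED_STATE_DIR/ips.last"; then
        apply_ip_denylist "$FEED_STATE_DIR/ips.clean"
    fi
    if feed_changed "$FEED_STATE_DIR/domains.clean" "$FEED_STATE_DIR/domains.last"; then
        rpz_zone_from_domains "$FEED_STATE_DIR/domains.clean" "rpz.local" "$(date +%s)" \
            > "$FEED_STATE_DIR/rpz.local.zone"
        # ASSUMPTION: copy the zone to the RPZ resolver and reload it there (e.g. rndc reload).
    fi
}

if [ "${1:-}" = "run" ]; then
    main
fi
```

Validating entries before loading matters because a feed you do not control can contain malformed or over-broad lines; the change check avoids reloading the deny list and RPZ zone every cycle when nothing moved. Neither mechanism produces an Anti-Bot log entry, so drops from the deny list need to be identified by the list name in the SecureXL logging rather than by a blade.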
PhoneBoy
Admin

Either AV or Anti-Bot should suffice to use ioc_feed, provided the feed is in the correct format.
When you say it is not working, what is the precise behavior you expect versus what you observed?
Please provide screenshots/examples of what you configured as well as a sample of the feed(s) you’re using.

R81.20 has a feature called Network Feeds that doesn’t require AV or Anti-Bot.
It should be a little less picky in terms of the file format of the IOCs.

0 Kudos
cem82
Contributor

When doing an nslookup/dig/ping/http to an IP or domain that is in the feed file, there is only a normal traffic log and nothing from the Anti-Bot blade. We expected that this would be detected/dropped when doing those tests to the sites in the feed files, and that we would only need the AB blade enabled, since under the Protections section these reputation indicators appear as AB blade. After dealing with TAC, we have been advised that to use IP or domain reputation based custom feeds you require both the AB and AV blades, not just AB, which was not our understanding. The same test methods to sites from ThreatCloud are picked up just fine though and behave how we'd expected, but we were told custom IOC feeds require both blades.

 

The feed files are simply domains / IPs listed one per line with no delimiters (each type in a separate file) and configured in SmartConsole > Indicators with the type specified appropriately. I see they have been fetched by the GW under $FWDIR/external_ioc/<feed name>. As a test, TAC asked us to enable the AV blade and we started getting the behavior we wanted, so that rules out the feed file format.

 

At this stage we are only wanting to do IP and domain reputation based drops. We are preferring not to enable the AV blade as well, as we do not want the additional load / file scanning, only reputation-based blocking if possible. That's why I'm asking if there are any alternative / easy ways to accomplish this for IPs and domains; fwaccel dos deny may well work via a script somehow for IPs, but not for domains.

0 Kudos
PhoneBoy
Admin

Please PM me the SR in question, because I'm pretty sure it's not accurate that you need both AV and AB enabled for this.
However, AV/AB only block HTTP(S) and DNS by default, so it wouldn't necessarily block a ping either.
What version/JHF are you using?

A Network Feed is definitely the way to go here if you're on R81.20.

0 Kudos
cem82
Contributor

I was very surprised to be told that as well, and I did suspect ping wouldn't be picked up, but thanks for confirming. I know it used to be for outbound traffic only but is now inbound as well; I presume that would be for any port though?

We have been running the debugs on a cluster running R81.10 Take 55, but we also observe the same issue on one running Take 66.

0 Kudos
PhoneBoy
Admin

Inbound as of R81, yes.
It's possible the HTTPS/DNS Only nature of this also changed.

0 Kudos
Scottc98
Contributor

Using the TOR exit node feed as an example (https://secureupdates.checkpoint.com/IP-list/TOR.txt), and with both AV/Bot enabled, I can see ICMP blocked and other non-HTTP ports blocked (NTP as an example) on outbound attempts.

I'm on R81.10 Take 78 right now, but I swear it was the same on Take 66 (100% sure on the NTP hits).

0 Kudos