This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
cem82
Contributor
‎2021-10-06 11:52 PM

Custom intelligence feed and TOR with our internal CA

Hi

 

We are looking at implementing either ioc_feeds or TOR to block from a custom feed on R80.30.  This feed is hosted on an internal server with certificate issued by our internal CA.  How can we get the GW (and MDM if we use TOR) to trust those?  I have tried going into Servers > More > Trusted CA and imported the root and intermediate certificates and installing database/install policy but when doing curl_cli still doesn't like the cert.  I'm not in a position at this point to fully implement the features but trying to get as much prep done as I can.  I see for custom intelligence feeds we could do export EXT_IOC_NO_SSL_VALIDATION=1 but think probably best to just trust our CA and also can't find anything if we go with the TOR option.

 

We don't currently have antibot/antivirus enabled and concerned about the added load etc of enabling either of these to do the custom intelligence feed option.  Is there any other way to do domain since it appears TOR option only does IP?

 

Thanks

0 Kudos
7 Replies
Mikael
Employee Employee
Employee
‎2021-10-07 02:06 AM

Hi,

As far as I know curl (curl_cli) has it's own repository/bundle of certs and that's why you still get the warning when testing with curl_cli. https://curl.se/docs/sslcerts.html 

The custom IOC does need AV/AB enabled. Without giving us some info on the environment it will be hard to provide a guesstimate of the added load...

I assume that you have checked sk103154 as that provides an alternative way to drop traffic using SecureXL and SAM.

I also remember having used http://opendbl.net/#index.html many years ago...

0 Kudos
cem82
Contributor
‎2021-10-08 12:09 AM
In response to Mikael

Thanks for that but my main query is that I presume if the CA isn't trusted that when we do set up the TOR feeds etc that it won't work

0 Kudos
Tobias_Moritz
Advisor
‎2021-10-08 04:58 AM
In response to cem82

I had the same problem and asked TAC about a year ago. The response was:

We have an official, tested procedure for adding a trusted CA for IOC feeds (an SK about this subject will be released shortly):

1. Export the relevant CA in Base64 format.
2. Copy the exported CER file to the gateway.
3. Create a new bundle file for IOC trusted CAs:
# cp $FWDIR/database/ca_bundle.pem $FWDIR/database/ioc_ca_bundle.pem
Please note: For adding more than one trusted CA, there's no need to repeat this step.
4. Append the new trusted CA into the file:
# dos2unix [CER file]
# cat [CER file] >> $FWDIR/database/ioc_ca_bundle.pem
5. Change IOC feeds to read the trusted CAs from the new file:
a. Backup the current $FWDIR/conf/ioc_feeder.conf:
# cp $FWDIR/conf/ioc_feeder.conf $FWDIR/conf/ioc_feeder.conf_BKP
b. Edit $FWDIR/conf/ioc_feeder.conf:
# vi $FWDIR/conf/ioc_feeder.conf
c. Change the following line:
"ioc_bundle": "\/database\/ca_bundle.pem",
To:
"ioc_bundle": "\/database\/ioc_ca_bundle.pem",

Not sure if the mentioned sk is public now.

0 Kudos
PhoneBoy
Admin
Admin
‎2021-10-10 04:45 PM
In response to Tobias_Moritz

The official SK for this: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... 

0 Kudos
cem82
Contributor
‎2021-10-10 05:17 PM
In response to PhoneBoy

Awesome thanks for that 🙂  Sorry not sure why I didn't see that when searching.  Is there a similar one for TOR?  Couldn't find one for it either and with another search can't?

0 Kudos
Ben_s
Employee
Employee
‎2021-10-11 06:58 PM
In response to cem82

@PhoneBoy @cem82 

Having a quick look (I maybe WAY off), Phoneboy can double check me,  sk103154 shell scripts use SAM (Suspicious Activity Monitoring) rules in the script to block the IP’s and uses curl_cli as part of the tool set to pull the IP addresses from the selected file or URL. Since the scripts job is to pull from the resource, then create the SAM rules, I believe you would need to modify the shell script.

Now, I’m not sure what you would need to do, my guess would be to add “-k” to the “Curl_cli” rule or change the ca bundle it uses.

“curl_cli -s --cacert $CPDIR/conf/ca-bundle.crt --retry 10 --retry-delay 60 $url | dos2unix | grep -vE '^$'| convert > $cache_file_name”

0 Kudos
Nir_Naaman
Collaborator
‎2021-10-11 09:49 PM
In response to Ben_s

Slight correction to the above - sk103154 doesn't use SAM rules (sk112061). SAM is a managed facility (from SmartConsole) that communicates with the gateways to provision block rules. Rather, sk103154 leverages the Rate Limiting rules for DoS Mitigation ("fw samp") feature for implementing large scale, high performance network blocking by IP. 

Do note that sk103154 explicitly recommends that customers who are running on R81 or above should prefer the newer sk132193 Custom Intelligence Feeds. Check out the Smart Intel Admin Guide for a section on how to automate TOR feed management for sk132193.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events