Blocking malicious IP addresses (sk103154) in VSX

Hello everyone,

my configuration is the following:

- A cluster of three security gateways (R80.20)

- Three Virtual Systems (configured on the three security gateways as follows: active/standby/backup)

I already activated the IOC Feed functionality on one of my VS to block outgoing traffic through the Anti-Bot & Anti-Virus blades (sk132193), but I'd like to block incoming malicious traffic as well. I read the sk103154 documentation, which says the script must be run on the management server.

I followed all steps, but when I run the script, it returns the following error:

[Expert@xntfw-pmgt1:0]# ./ip_block_activate.sh -a on -g gw_list -f feed_urls -s /home/admin/blacklist/ip_block.sh
Error: could not retrieve FWDIR from 10.100.97.101
Error: could not retrieve FWDIR from 10.100.97.101

(10.100.97.101 is the VS' IP)

Indeed, if I run the command responsible for that error in the script, I don't receive any output:

[Expert@xntfw-pmgt1:0]# cprid_util -server 10.100.97.101 getenv -attr "FWDIR"

[Expert@xntfw-pmgt1:0]#

but, if I run the same command with the management IP of the Security Gateway, then it gives me the following output:

[Expert@xntfw-pmgt1:0]# cprid_util -server 192.168.77.192 getenv -attr "FWDIR"
/opt/CPsuite-R80.20/fw1

So... is this functionality available for VSX environments?

Thanks,
Francesco

Re: Blocking malicious IP addresses (sk103154) in VSX

I can see you are running this in VS0 context. That is the first mistake. Also, use the absolute path for the VS FWDIR folder.

Re: Blocking malicious IP addresses (sk103154) in VSX

I'm running in VS0 because that is the management server.

(attached screenshot: screen.png)

Re: Blocking malicious IP addresses (sk103154) in VSX

Got it, you are correct.

MDS or SMS? If the former, you have to specify mdsenv first.

Also, the SK does not mention VSX among supported targets. I have reached out to the case owner for some clarification.

Re: Blocking malicious IP addresses (sk103154) in VSX

SMS.

Ok, thanks. I'll wait for any news.

Re: Blocking malicious IP addresses (sk103154) in VSX

Hello,

have you received any news?

Thank you very much,
Francesco

Re: Blocking malicious IP addresses (sk103154) in VSX

Not just yet, still waiting for the reply. Thanks for your patience. 

Re: Blocking malicious IP addresses (sk103154) in VSX

After reviewing the script, it is based on the physical GW context. Per VS modification is possible, but I do not find it too practical.

Please consider using regular SAM rules instead https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Re: Blocking malicious IP addresses (sk103154) in VSX

@Val_Loukine: thank you. Yes, I could use SAM rules, but things are a bit different in that case. I mean, it is supposed to work on monitoring, not on feeds.

Could you please share the VS modification for the sk103154?

Thanks again for your support!
Francesco

Re: Blocking malicious IP addresses (sk103154) in VSX

The script relies on SAM rules, that is the first fact. It creates SAM rules from the feed every 20 minutes and deletes the old ones. Everything is done assuming it is a physical FW, not VSX, running on Gaia. VSX mode is not verified, so it tries to run and fails for you.

You need a completely different method for VSX. The tool should be completely re-written.

So coming to your original question, this tool is not supported for VSX. If you need something automated, take the feed and set up block rules through MGMT API, or, as already suggested, use SAM rules. 

Re: Blocking malicious IP addresses (sk103154) in VSX

One more suggestion. You can create a dynamic object and then fill it with the output of the https://secureupdates.checkpoint.com/IP-list/TOR.txt feed via a GW-side script. Then, use that object in a drop rule on top of the policy. Also, that should be done in VS context.

You can take bits and pieces from the Office365 script here: https://community.checkpoint.com/t5/API-CLI-Discussion-and-Samples/Basic-script-for-importing-IP-Add...

I still think leveraging the MGMT API is easier. Set an empty group, repopulate it with TOR from time to time, publish, push policy.

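The dynamic-object route from the reply above, as an added example that is not code from this thread, from sk103154 or from Check Point: a gateway-side script that downloads the TOR feed, validates every entry, and rebuilds a Dynamic Object inside a chosen VS context, so a drop rule referencing that object blocks inbound traffic from those addresses. Everything not on the page is an assumption: the object name TOR_exit_nodes, the VS ID, the batch size, the use of curl_cli (Gaia's curl), and the dynamic_objects switches (-n create, -do delete, -o/-r/-a add address ranges), which are the gateway CLI as I know it and should be confirmed against the usage text of dynamic_objects on the actual release. The Dynamic Object has to exist in SmartConsole under the same name, be used by a drop rule at the top of the VS's policy, and the policy has to be installed; the script only changes what the object resolves to on the gateway.

```shell
#!/bin/bash
# Added example (not from the thread): rebuild a Check Point Dynamic Object
# inside one VS from the TOR exit-node feed, so that a drop rule referencing
# the object blocks inbound traffic from those addresses.
#
# Assumptions (not stated on the page):
#   - a Dynamic Object called $OBJ exists in SmartConsole, a drop rule at the
#     top of this VS's policy uses it, and the policy is installed;
#   - the script runs in expert mode on every cluster member, because dynamic
#     object contents are local to the member and are not synchronised;
#   - curl_cli (Gaia's curl) and the dynamic_objects CLI are on PATH.
set -u

FEED_URL="${FEED_URL:-https://secureupdates.checkpoint.com/IP-list/TOR.txt}"
OBJ="${OBJ:-TOR_exit_nodes}"   # Dynamic Object name (assumed)
VSID="${VSID:-1}"              # VS context to update (assumed)
BATCH=50                       # address ranges per dynamic_objects call

# is_ipv4 ADDR: dotted quad, exactly four octets, each 0-255, nothing else.
is_ipv4() {
    addr=$1
    case "$addr" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1
    done
    return 0
}

# parse_feed FILE: one validated, de-duplicated IPv4 per line. Blank lines,
# '#' comments, CR line endings and malformed entries are dropped, so a
# corrupt or tampered feed cannot push odd tokens into the CLI call.
parse_feed() {
    tr -d ' \t\r' < "$1" | while IFS= read -r line || [ -n "$line" ]; do
        ip=${line%%#*}
        [ -n "$ip" ] || continue
        is_ipv4 "$ip" && printf '%s\n' "$ip"
    done | sort -u
}

# render_commands FILE: print the dynamic_objects calls that recreate $OBJ
# from FILE. Each host is a one-address range (from == to); ranges are
# batched so the CLI is not invoked once per address.
render_commands() {
    printf 'dynamic_objects -do %s\n' "$OBJ"   # drop the stale object
    printf 'dynamic_objects -n %s\n' "$OBJ"    # create it empty
    batch=""; n=0
    for ip in $(parse_feed "$1"); do
        batch="$batch $ip $ip"
        n=$((n + 1))
        if [ "$n" -ge "$BATCH" ]; then
            printf 'dynamic_objects -o %s -r%s -a\n' "$OBJ" "$batch"
            batch=""; n=0
        fi
    done
    [ -n "$batch" ] && printf 'dynamic_objects -o %s -r%s -a\n' "$OBJ" "$batch"
    return 0
}

# apply_commands FILE: run the rendered calls in the current VS context.
# A failing '-do' is tolerated (first run, object not there yet); any other
# failure stops the update so the object is not left half-filled.
apply_commands() {
    render_commands "$1" | while IFS= read -r cmd; do
        $cmd >/dev/null 2>&1 && continue
        case "$cmd" in
            *" -do "*) ;;
            *) echo "failed: $cmd" >&2; exit 1 ;;
        esac
    done
}

main() {
    feed=$(mktemp) || exit 1
    trap 'rm -f "$feed"' EXIT
    curl_cli -sf -o "$feed" "$FEED_URL" || { echo "feed download failed" >&2; exit 1; }
    # An empty or unparsable download must not wipe the current blocklist.
    [ "$(parse_feed "$feed" | wc -l | tr -d ' ')" -gt 0 ] \
        || { echo "feed empty, keeping current object" >&2; exit 1; }
    case "$1" in
        dry-run) render_commands "$feed" ;;
        apply)
            # vsenv is a shell function from the CP profile; source the
            # profile first when running from cron (VSX only, assumed path).
            . /etc/profile.d/CP.sh
            vsenv "$VSID" >/dev/null || exit 1
            apply_commands "$feed" || exit 1
            ;;
    esac
}

case "${1:-}" in
    dry-run|apply) main "$1" ;;
esac
```

Run it as `./tor_dynobj.sh dry-run` to see the calls it would make, then `VSID=2 ./tor_dynobj.sh apply` from a cron entry on each cluster member; `dynamic_objects -l` inside the same `vsenv` context shows what the object currently resolves to. Unlike the sk103154 script, this does not create SAM rules, so nothing expires on its own: the rule stays in the policy and only the address list changes. The same `parse_feed` output can feed the MGMT API variant the reply prefers (host objects into an empty group, publish, install policy), which lives on the management server and covers all members in one push.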
Re: Blocking malicious IP addresses (sk103154) in VSX

Thank you @Val_Loukine . I will try with MGMT API.

Re: Blocking malicious IP addresses (sk103154) in VSX

The SK now says: Not supported on VSX Gateway and on Scalable Platforms.

As it should. Just FYI
