i have 2000 plus list of IP addresses, how can i block them all bi directional blocking in my checkpoint firewall without typing all those individually?
How to block traffic coming from known malicious IP addresses
The SmartConsole CLI can be directly accessed from within SmartConsole by clicking the icon on the bottom left corner.
SmartConsole -> Management CLI:
Just add the required syntax to your IP addresses to create host objects and one host group for them. Copy & Paste this to your SmartConsole CLI in order to have a group containing all block IPs created. Then create a rule that blocks all access to this group. Done.
fw samp is your friend.
sim dropcfg is your friend.
Great summary Danny!
This is awesome.
but that one is around 2000 plus IP addresses, is there a way for me not to
manually key in all those IP addresses? may using notepad or csv file?
Using the above methods, you can write a script to read from whatever file you have the IP addresses into.
You could also use some of the scripts that are already present on CheckMates to help you with this.
This is just one example: CLI API Example for exporting, importing, and deleting different objects using CSV files (v 00.25.01 and later)
lets say i already put all the 2000 plus ip addresses in a csv file, then i
type this command "cli_api_import_objects_from_csv.sh" i have a question,
where i must save my csv file in my local drive for the fw to ask me the
location of the file to be imported? and also smart console i just fire up
the CLI then type the command cli_api...?
please enlighten me
On Fri, Jan 19, 2018 at 10:34 AM, Dameon Welch Abernathy <
Where the file should be saved for this particular script is described in the lengthy post with that script, please read it carefully.
It's meant for bulk import/export of a lot of objects, so may not be the best tool for your job.
Another possible option: R80 PowerShell Module
But a simpler option is to just call the CLI directly and import the CSV.
This process isn't nearly as well documented as I thought it would be, but we're about to fix that
First of all, the CSV file should be in the correct format.
The first row refers to parameters you would pass the add host command as documented here: Check Point - Management API reference for add host
The minimum parameters needed are name and ip-address.
Since you want to put them in a group, might as well do that as they are created.
For this example, the objects will be added to a group called BlockGroup:
If the group doesn't already exist, you can use the following CLI command on the management server to create it first: mgmt_cli -r true add group name BlockGroup
To then import the CSV file, use the following command on the management server, which reads the file from the current directory: mgmt_cli -r true add host --batch import.csv
Note: You will probably need to break up the CSV file into smaller chunks (no more than 500 items per file).
Otherwise you may experience issues as described here: Creating multiple object via CSV
So every ip address will be host/object? therefore, 2000 host?
Is there any easiest way wherein we just put those list of IP addresses then automatically blocked. And if there is a false-positive, we can also easily removed that IP address in the list.
With this method, there will indeed be 2000 host objects created and added to a group used in directionnal blocking rule. If you do not want to create objects, you may have a look at SAM rules (here: How to create and view Suspicious Activity Monitoring (SAM) Rules).
SAM rules does not need to create an object, you can add the IP addresses directly in the blocking rules, monitore them, and remove them.
However, SAM rules are CPU intensive. So you better use a traditionnal security policy rule and a group of hosts object. Sam rules should only be used in emergency conditions (as they do not need a policy installation to be added or removed), and IP block should be move to your security policy rule as fast as you confirm there is no false positive.
I hope this helps,
is there a way not to manually typing all those 2000 plus different IP
addresses to be part of the host object?
On Fri, Jan 19, 2018 at 3:56 PM, Bruno LABOUR <firstname.lastname@example.org>
For SAM rules? The KB shows there is a cli comand "fw sam_policy" that you could use with a script to parse your inject everything. However, i would not recommand you to use SAM to block 2000 IP addresses when you can easily do it also with either mgmt_api or dbedit scripts depending on the version you are running.
All the given solution are script-capable or bulk by nature, so i do not catch you very well.
Excellent point about CPU implications Bruno. Very important for large and/or heavily loaded environments when every CPU % counts. Maybe Danny Jung could update original article with CPU impact for each of the options. Just for clarity
You should probably use fw samp instead, which is SecureXL friendly (SAM rules are not).
And to Dirk Casomo's question, you would write a script that reads your file of IPs, executing the necessary commands.
Or use the scripts in the following SK: How to export Check Point logs to a Syslog server using CPLogToSyslog
i try typying this command "*mgmt_cli -r true add group name BlockGroup" on
the management server CLI console, but invalid command, also in expert mode
bash command not found?..hhow to execute this? im using R77.30 smart
On Sat, Jan 20, 2018 at 12:19 AM, Bruno LABOUR <email@example.com>
mgmt_cli command is only in R80 and later.
In R77.30 you will have to script this using dbedit or fw samp.
so for this matter i am using r77.30 can you please provide me the script
for me to import the csv file with 2500 plus hosts to do away with manual
typing of those different P addresses as network objects HOST. thank you
On Mon, Jan 22, 2018 at 11:40 PM, Dameon Welch Abernathy <
Given that you're using R77.30, your best bet would be to use the first method suggested by Danny Jung in his original response to your message: How to block traffic coming from known malicious IP addresses
It is definitely the easiest to automate on your release and will block things fairly efficiently.
This "block list" will not show up in the rulebase at all but also does not require a policy push to modify the list, either.
As I mentioned, you could also automate with dbedit as well.
This will require you to write a specific script for your needs, however, as I'm not sure one is ready made for the purpose you describe.
It would have to be customized a bit to your environment as well.
Follow up question, Is there a limit with regards to object? How many object we can create in R80.10 and R77.30.
@Dameon Welch Abernathy
example i type the command in the fw console , mgmt_cli -r true add host --batch import.csv do i still need to put the path of the csv file which is on my desktop?
The command is executed on the management station, not the firewall.
The CSV file would need to be uploaded to the management station (with scp or similar).
If you do not run the command from the same directory that contains import.csv, you will have to enter the path to it.
if i have a standalone setup using 1 firewall, you mean my pc has installed
the smartdashboard on it, then the CSV is on the desktop save. is ok
already, then ill jus include the file path?
On Mon, Jan 22, 2018 at 12:18 AM, Dameon Welch Abernathy <
It would have been better had this question not been posted a few times in unrelated threads.
However I will also add to what Danny Jung has said that if you're not using R80+ management, you can create objects by CLI using dbedit: Using a dbedit script to create new network objects and network object groups
You would create the relevant network objects, add them to a group, and use that group in the rulebase with a "drop" rule.
I saw this alternative solution to list based block : Dynamic Block Lists for Check Point firewalls
It may provide an additional resource for learning how to approach this problem.
I can suggest sk103154 How to block traffic coming from known malicious IP addresses, this also could help !
This is the very first link I provided in my initial response.
Sorry, i did not see that the provided link pointed to the sk103154 :-(
Retrieving data ...