Good morning, team.
We have a Cluster R81.10, in which, at the moment, we only have the "Firewall" blade working.
For a need of our customer, we need to block "malicious domains (URLs)" that are reported to us.
Is it advisable and effective to block malicious domains using a firewall rule with a DOMAIN object (FQDN)?
Our intention for the moment is to contain malicious traffic; the APPC+URLF blades are not yet being worked on due to an internal customer process.
I look forward to your kind comments.
Thank you.
Note that an FQDN object will only block the specific FQDN (e.g. example.com) and not a wildcard (i.e. *.example.com).
To block the latter with just the firewall, upgrade to R81.20 and use the Network Feeds option.
Or you can do it in R81.10 using ioc_feeds with Anti-Virus/Anti-Bot enabled.
One inquiry,
If I "uncheck" the checkbox, the Firewall is not able to "block" what is "before the first dot"?
It's all explained in the sk, my friend :-)
In layman's terms, if you uncheck it, then it should look up 10 sub-domains as well. Otherwise, it will check ONLY the fully qualified domain name.
Andy
Thanks for the clarification, my friend.
PhoneBoy also mentioned another alternative, which is using the "ioc_feeds".
How feasible is it to do this in version R81.10?
Does it require extensive configuration in the Firewall?
Cheers. 🙂
No extra config needed mate 🙂
Andy
Hello
I don't understand, but I am reading the official Check Point documentation.
The ioc_feeds is part of the Threat Prevention, as I understand, but is it "mandatory" to activate any of the TP blades?
Thanks. 🙂
ioc_feeds needs TP blades yes (refer: sk132193).
But is it necessary to activate the 3 known TP blades, such as "AV, Anti-Bot, and IPS"?
Or is it enough to enable 1/3 of these blades?
Cheers.
I'm almost positive you need AV enabled, not sure if the other 2 are a must.
Andy
AV and Anti-Bot are required to use ioc_feeds.
I could have sworn I only enabled AV in the lab to use ioc feeds, but will double check tomorrow.
Andy
Hello,
Do you have available a "step by step" guide to work with the IOC_FEEDS?
Do the AV and AntiBot blades need to work with any particular profile?
Or is the profile they work with irrelevant?
Thanks for your support
Ola bro,
Profile does not matter, because in my TP profile I do NOT have anything but IPS enabled, but I have the AV and AB blades on in the object properties. If you need screenshots, I can "slap" them together and send. Let me know.
Cheers amigo.
Andy
Hi, Andy.
Do you have a "csv" format to help me know how to "customize" my file, if we want to block malicious URLs?
We want to block both Malicious IPs (In a .txt file) and Malicious URLs, with the IOCs.
I understand that to block the IPs, I would only need connectivity between my GW and the PC that will "host" the .txt file, right?
Thanks for any helpful comments.
Andy,
I am replicating your example.
Unfortunately, I am not familiar with "JSON".
I understand that I can open a file with this extension in a notepad and there manually add all the malicious IPs that our monitoring area reports, right?
What I cannot see in your screenshots, and want to revalidate, is that it is not necessary to create a security rule when we work with this method, right?
Greetings
Yes, forgot to put that in, you need a rule, 100%...otherwise, those feeds are USELESS lol. Well, not useless, but without a rule, it won't do much.
Andy
That JSON file, I can open it with a notepad and there add the whole volume of malicious IPs that are reported to me, right?
Would the model to block malicious URLs be the same as that of the IPs? Or does it vary a lot?
Maybe you have a help template for URLs, please?
Thanks for your help.
Don't bother with notepad, no need. Just do what I mentioned. Right click on the DC object once the path is there and tested (the JSON file has to be on the mgmt server), and then import, easy as that.
I would contact TAC if you need further help. They can probably show you all this in 2 minutes.
Andy
Buddy,
If I understand the procedure, what I still have a doubt about is when I will have to add hundreds of new IPs that will report to us in the future.
These new IPs, I suppose, have to be added somehow to the object you have shown me.
Something new I am discovering is that the "Object Category -> CLOUD" is available from version R81.10, isn't it?
In the R81 version, I can't find it anywhere, hahaha.
That's the point of ioc feeds, you do NOT update them manually, it's updated automatically every 5 mins.
Andy
Now it makes more sense to use it.
Can we be sure that all malicious IPs are blocked?
I understand that Check Point will automatically add each IP that it "catalogs" as malicious to the file that is hosted on the SMS, correct?
If it is necessary to block any IP that the IOC is "escaping", this can be done manually?
Not to sound ironic now, but as one of the most brilliant minds ever, Albert Einstein, once said...everything in life is relative. Following that logic, it's hard to say whether all malicious IPs would be blocked.
Think of it this way...maybe what PAN or FGT or Cisco consider malicious, CP does not...or the other way around, or something in between.
If you are worried about that aspect, the only other logical option is to keep adding IPs manually into a network group and then block it that way.
So, an example like the one below (from mgmt_cli):
mgmt_cli add host name "BAD_185.206.27.13" ip-address "185.206.27.13" --format json
mgmt_cli add host name "BAD_162.208.16.20" ip-address "162.208.16.20" --format json
mgmt_cli add host name "BAD_89.248.165.131" ip-address "89.248.165.131" --format json
mgmt_cli add host name "BAD_185.206.24.70" ip-address "185.206.24.70" --format json
mgmt_cli add host name "BAD_162.208.16.14" ip-address "162.208.16.14" --format json
mgmt_cli add host name "BAD_87.251.75.45" ip-address "87.251.75.45" --format json
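Generalising Andy's manual route above (added example, not code from this thread): the monitoring team's IP list is cleaned first (duplicates, garbage lines and RFC1918 space dropped), then turned into the mgmt_cli host/group commands, and also into the Generic Data Center feed body for the "CLOUD" object route discussed earlier. The feed layout (version / objects with name, id, description, ranges) is my recollection of Check Point's documented format and should be checked against the sk; the sample IPs and the group name are constructed.

```python
import ipaddress
import uuid

# Constructed sample as a monitoring team might hand it over (not real IoCs):
# a duplicate, a garbage line and an RFC1918 address that must be skipped.
SAMPLE_FEED = "203.0.113.10\n198.51.100.7\n203.0.113.10\n10.0.0.5\nnot-an-ip\n"

# A shared blocklist must never push internal space into the rulebase.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def parse_feed(text):
    """Unique, syntactically valid, non-internal host addresses in input order."""
    seen, kept = set(), []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            ip = ipaddress.ip_address(line)
        except ValueError:
            continue  # garbage line; log it in a real run
        if any(ip in net for net in INTERNAL) or str(ip) in seen:
            continue
        seen.add(str(ip))
        kept.append(str(ip))
    return kept

def mgmt_cli_commands(ips, group="BAD_IPS"):
    """Same idea as the manual route above: one host object per IP, all placed in
    one group that a single Drop rule references (run inside a mgmt_cli session
    on the management server, then publish)."""
    cmds = [f'mgmt_cli add group name "{group}" --format json']
    for ip in ips:
        cmds.append(f'mgmt_cli add host name "BAD_{ip}" ip-address "{ip}" --format json')
        cmds.append(f'mgmt_cli set group name "{group}" members.add "BAD_{ip}" --format json')
    return cmds

def generic_dc_document(ips, name="BAD_IPS_feed"):
    """Generic Data Center feed body (layout as I recall Check Point documents it:
    version / objects[name, id, description, ranges]; verify against the sk).
    Regenerating this file on the SMS is what replaces editing objects by hand."""
    return {"version": "1.0", "description": "constructed example feed",
            "objects": [{"name": name, "id": str(uuid.uuid5(uuid.NAMESPACE_DNS, name)),
                         "description": "IPs reported by internal monitoring",
                         "ranges": list(ips)}]}
```

Serialise `generic_dc_document(...)` with `json.dumps` to the file path the Data Center object points at; the mgmt_cli lines are only emitted, not executed, so review them before running.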
Your comment makes sense.
Here we have a team that focuses on "alerting us" to malicious IPs that they constantly monitor, with their own resources (I believe one of those resources they use is Shodan, and many others).
So, maybe those IPs that they "demand" we block, Check Point's IOC does not block them; that's why I ask the question.
I understand from your last example that if I decide to add a certain amount of IPs manually, these IPs will be "tied" to the file that I have hosted on the SMS (JSON format), correct?
If you want to add yours, you have to do it manually; they won't be tied to the ioc feed.
Andy,
The CLOUD object, since which version is it available?
R81.10 or R81.20?
Because I have updated the SMS to version R81.10, and this option still does not appear in the SmartConsole.
You need to research things, my friend, it's easy to find :-)
Andy
To also add, to use generic data center objects you do NOT need the AV/AB blades.
Andy
Hi, Buddy
I have managed to replicate your recommendation so far.
I have not enabled AV/ABOT in the Firewall.
Anyway, you tell me that it is not necessary to do so, right?
I only have one doubt: how does the Firewall "feed" on the new malicious IPs that appear?
I understand that the intention is to work this way; is it automatic and transparent to us as users, or will it still be necessary for us to "mess" with the configuration?
Greetings.