Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Dirk_Casomo
Contributor

list of different IP addresses to be blocked

hi,

i have 2000 plus list of IP addresses, how can i block them all bi directional blocking in my checkpoint firewall without typing all those individually?  

31 Replies
Danny
Champion Champion
Champion

Method 1

How to block traffic coming from known malicious IP addresses

Method 2

The SmartConsole CLI can be directly accessed from within SmartConsole by clicking the icon on the bottom left corner.

 

SmartConsole -> Management CLI:

 

Just add the required syntax to your IP addresses to create host objects and one host group for them. Copy & Paste this to your SmartConsole CLI in order to have a group containing all block IPs created. Then create a rule that blocks all access to this group. Done.

Method 3

fw samp is your friend.

Method 4

sim dropcfg is your friend.

Kaspars_Zibarts
Employee Employee
Employee

Great summary Danny! 

0 Kudos
Tomer_Sole
Mentor
Mentor

This is awesome.

0 Kudos
Dirk_Casomo
Contributor

but that one is around 2000 plus IP addresses, is there a way for me not to

manually key in all those IP addresses? may using notepad or csv file?

0 Kudos
PhoneBoy
Admin
Admin

Using the above methods, you can write a script to read from whatever file you have the IP addresses into.

You could also use some of the scripts that are already present on CheckMates to help you with this.

This is just one example: CLI API Example for exporting, importing, and deleting different objects using CSV files (v 00.25.01...

0 Kudos
Dirk_Casomo
Contributor

Hi,

thank you!

lets say i already put all the 2000 plus ip addresses in a csv file, then i

type this command "cli_api_import_objects_from_csv.sh" i have a question,

where i must save my csv file in my local drive for the fw to ask me the

location of the file to be imported? and also smart console i just fire up

the CLI then type the command cli_api...?

please enlighten me

On Fri, Jan 19, 2018 at 10:34 AM, Dameon Welch Abernathy <

0 Kudos
PhoneBoy
Admin
Admin

Where the file should be saved for this particular script is described in the lengthy post with that script, please read it carefully. 

It's meant for bulk import/export of a lot of objects, so may not be the best tool for your job.

Another possible option: R80 PowerShell Module 

But a simpler option is to just call the CLI directly and import the CSV.

This process isn't nearly as well documented as I thought it would be, but we're about to fix that Smiley Happy

First of all, the CSV file should be in the correct format.

The first row refers to parameters you would pass the add host command as documented here: Check Point - Management API reference for add host  

The minimum parameters needed are name and ip-address.

Since you want to put them in a group, might as well do that as they are created.

For this example, the objects will be added to a group called BlockGroup:

name,ip-address,groups.1

host1,192.0.2.1,BlockGroup

host2,192.0.2.2,BlockGroup

host3,192.0.2.3,BlockGroup

If the group doesn't already exist, you can use the following CLI command on the management server to create it first: mgmt_cli -r true add group name BlockGroup

To then import the CSV file, use the following command on the management server, which reads the file from the current directory: mgmt_cli -r true add host --batch import.csv

 

Note: You will probably need to break up the CSV file into smaller chunks (no more than 500 items per file).

Otherwise you may experience issues as described here: https://community.checkpoint.com/message/6809-re-creating-multiple-object-via-csv 

0 Kudos
Christopher_Ta1
Contributor

So every ip address will be host/object? therefore, 2000 host?

Is there any easiest way wherein we just put those list of IP addresses then automatically blocked. And if there is a false-positive, we can also easily removed that IP address in the list.

Thanks

0 Kudos
Bruno_LABOUR
Participant

Hello Christopher,

With this method, there will indeed be 2000 host objects created and added to a group used in directionnal blocking rule. If you do not want to create objects, you may have a look at SAM rules (here: How to create and view Suspicious Activity Monitoring (SAM) Rules).

SAM rules does not need to create an object, you can add the IP addresses directly in the blocking rules, monitore them, and remove them.

However, SAM rules are CPU intensive. So you better use a traditionnal security policy rule and a group of hosts object. Sam rules should only be used in emergency conditions (as they do not need a policy installation to be added or removed), and IP block should be move to your security policy rule as fast as you confirm there is no false positive.

I hope this helps,

Regards.

Dirk_Casomo
Contributor

is there a way not to manually typing all those 2000 plus different IP

addresses to be part of the host object?

On Fri, Jan 19, 2018 at 3:56 PM, Bruno LABOUR <donotreply@checkpoint.com>

0 Kudos
Bruno_LABOUR
Participant

For SAM rules? The KB shows there is a cli comand "fw sam_policy" that you could use with a script to parse your inject everything. However, i would not recommand you to use SAM to block 2000 IP addresses when you can easily do it also with either mgmt_api or dbedit scripts depending on the version you are running.

All the given solution are script-capable or bulk by nature, so i do not catch you very well.

0 Kudos
Christopher_Ta1
Contributor

Thanks Bruno

0 Kudos
Kaspars_Zibarts
Employee Employee
Employee

Excellent point about CPU implications Bruno. Very important for large and/or heavily loaded environments when every CPU % counts. Maybe https://community.checkpoint.com/people/dantr917b8439-9d5c-34f0-b86a-f0e1b0a14cbd‌ could update original article with CPU impact for each of the options. Just for clarity Smiley Happy

0 Kudos
PhoneBoy
Admin
Admin

You should probably use fw samp instead, which is SecureXL friendly (SAM rules are not).

And to Dirk Casomo‌'s question, you would write a script that reads your file of IPs, executing the necessary commands.

Or use the scripts in the following SK: How to export Check Point logs to a Syslog server using CPLogToSyslog 

Dirk_Casomo
Contributor

i try typying this command "*mgmt_cli -r true add group name BlockGroup" on

the management server CLI console, but invalid command, also in expert mode

bash command not found?..hhow to execute this? im using R77.30 smart

dashboard*

On Sat, Jan 20, 2018 at 12:19 AM, Bruno LABOUR <donotreply@checkpoint.com>

0 Kudos
PhoneBoy
Admin
Admin

mgmt_cli command is only in R80 and later.

In R77.30 you will have to script this using dbedit or fw samp. 

0 Kudos
Dirk_Casomo
Contributor

so for this matter i am using r77.30 can you please provide me the script

for me to import the csv file with 2500 plus hosts to do away with manual

typing of those different P addresses as network objects HOST. thank you

On Mon, Jan 22, 2018 at 11:40 PM, Dameon Welch Abernathy <

0 Kudos
PhoneBoy
Admin
Admin

Given that you're using R77.30, your best bet would be to use the first method suggested by Danny Jung‌ in his original response to your message: How to block traffic coming from known malicious IP addresses 

It is definitely the easiest to automate on your release and will block things fairly efficiently.

This "block list" will not show up in the rulebase at all but also does not require a policy push to modify the list, either.

As I mentioned, you could also automate with dbedit as well.

This will require you to write a specific script for your needs, however, as I'm not sure one is ready made for the purpose you describe.

It would have to be customized a bit to your environment as well.

Christopher_Ta1
Contributor

Follow up question, Is there a limit with regards to object? How many object we can create in R80.10 and R77.30.

0 Kudos
Dirk_Casomo
Contributor

@Dameon Welch Abernathy

example i type the command in the fw console , mgmt_cli -r true add host --batch import.csv do i still need to put the path of the csv file which is on my desktop?

0 Kudos
PhoneBoy
Admin
Admin

The command is executed on the management station, not the firewall.

The CSV file would need to be uploaded to the management station (with scp or similar).

If you do not run the command from the same directory that contains import.csv, you will have to enter the path to it.

0 Kudos
Dirk_Casomo
Contributor

if i have a standalone setup using 1 firewall, you mean my pc has installed

the smartdashboard on it, then the CSV is on the desktop save. is ok

already, then ill jus include the file path?

On Mon, Jan 22, 2018 at 12:18 AM, Dameon Welch Abernathy <

0 Kudos
kyungho_park
Participant

Thanks for your specialist comments. That is i wanted to find.

God bless you.

0 Kudos
PhoneBoy
Admin
Admin

It would have been better had this question not been posted a few times in unrelated threads.

However I will also add to what Danny Jung‌ has said that if you're not using R80+ management, you can create objects by CLI using dbedit: Using a dbedit script to create new network objects and network object groups 

You would create the relevant network objects, add them to a group, and use that group in the rulebase with a "drop" rule.

0 Kudos
Eric_Beasley
Employee
Employee

I saw this alternative solution to list based block : https://community.checkpoint.com/docs/DOC-2002

It may provide an additional resource for learning how to approach this problem.

G_W_Albrecht
Legend
Legend

I can suggest sk103154 How to block traffic coming from known malicious IP addresses, this also could help !

CCSE CCTE CCSM SMB Specialist
0 Kudos
Danny
Champion Champion
Champion

This is the very first link I provided in my initial response.

0 Kudos
G_W_Albrecht
Legend
Legend

Sorry, i did not see that the provided link pointed to the sk103154 😞

CCSE CCTE CCSM SMB Specialist
0 Kudos
Aaron_Valenta
Participant

Can anyone tell me more about the use of the dynamic_objects command on the gateway? Looks like it is used under the covers of the https://community.checkpoint.com/docs/DOC-2002 which was mentioned above.

My specific use case is an R80.10 management server and R77.30 gateway.

I have been using SAM rules and refreshing hourly but the list is about to grow to a 1,000 (from ~350) and want to be cautious of resource utilization. Will use of dynamic object in management with dynamic_objects command on gateway increase CPU and/or Memory significantly? How does it compare to SAM rules (better on resources or worse)? This looks like a promising alternative to SAM rules and curious what others' experiences are? SAM rules have worked well so far but weary about where the tipping point is.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events