LostBoY
Advisor

Blacklisting rogue IPs


We are establishing SOC monitoring in our setup and recently noticed around 800 IPs hitting the stealth and default deny rules. I intend to blacklist these IPs by creating incoming and outgoing deny ACLs at the top for these. My question is: is this the right approach to blacklist rogue IPs, and is there any script or way to configure blacklisting for 800 IPs at once?

0 Kudos
1 Solution

Accepted Solutions
Juan_
Collaborator

To add a large list of IPs to block, use the fwaccel dos deny feature.

Just create a file in the directory below and follow the instructions.

Deny list location:

$FWDIR/conf/deny_lists/

What it looks like:

45.83.66.159
45.83.66.160
45.83.66.166
45.83.66.167
45.83.66.192

To load it:

fwaccel dos deny -L

To flush it:

fwaccel dos deny -F

To check contents:

fwaccel dos deny -s

To see statistics:

fwaccel dos stats get

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

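One way to turn the SOC's hand-off of several hundred indicators into a file in the format shown in the accepted answer, as an added example (not from the thread and not Check Point's own tooling): it assumes the deny list takes one plain IPv4 address per line, and sets aside anything else (CIDR ranges, hostnames, malformed entries) for manual review rather than guessing at range syntax. The sample SOC export and all file names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: normalise a raw SOC indicator hand-off
# into a deny-list file for "fwaccel dos deny -L". Assumes one plain IPv4
# address per line (the format shown above); everything else goes to a
# review file instead of the gateway.

# Constructed sample of what a SOC export might contain.
SOC_LIST_SAMPLE='# SOC export 2022-02-08
45.83.66.159
45.83.66.160 ,scanner
45.83.66.159
45.83.66.300
10.0.0.0/8
 45.83.66.166
evil.example
45.83.66.167'

# is_ipv4 ADDR: succeed only for a dotted quad with four octets in 0-255
is_ipv4() {
  case $1 in ''|.*|*.|*..*|*[!0-9.]*) return 1 ;; esac
  saved_ifs=$IFS; IFS=.; set -- $1; IFS=$saved_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
  done
}

# build_deny_list INPUT OUTPUT REVIEW: strip comments, whitespace and extra
# CSV fields, validate each entry, de-duplicate, write accepted addresses
# (sorted) to OUTPUT and rejected entries to REVIEW. Prints the accepted count.
build_deny_list() {
  : > "$2"; : > "$3"
  while IFS= read -r line || [ -n "$line" ]; do
    line=${line%%#*}                                 # drop comments
    line=${line%%,*}                                 # keep first CSV field
    entry=$(printf '%s' "$line" | tr -d '[:space:]')
    [ -z "$entry" ] && continue
    if is_ipv4 "$entry"; then printf '%s\n' "$entry" >> "$2"
    else printf '%s\n' "$entry" >> "$3"; fi
  done < "$1"
  sort -u -t . -k1,1n -k2,2n -k3,3n -k4,4n -o "$2" "$2"
  wc -l < "$2" | tr -d ' '
}

# Demo on the constructed sample. On a gateway, point OUTPUT at a file under
# $FWDIR/conf/deny_lists/ and then run "fwaccel dos deny -L" to load it.
work=$(mktemp -d)
printf '%s\n' "$SOC_LIST_SAMPLE" > "$work/soc_export.txt"
build_deny_list "$work/soc_export.txt" "$work/soc_deny_list" "$work/needs_review.txt"
```

Check the review file before loading; a CIDR range or hostname that ends up there needs a different mechanism than this list.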

16 Replies
Danny
Champion

I recommend the following thread (read until the end):

HowTo: Block IoT scanners like Shodan, Censys, Shadowserver, PAN Expanse etc.


LostBoY
Advisor

This is very helpful, something I can definitely include in my setup. However, right now I am looking to block a list of IP addresses shared by the SOC, but I am not sure what the most efficient way to do so is.

0 Kudos
G_W_Albrecht
Legend
Danny
Champion

As @LostBoY mentioned SOC monitoring, he is most likely interested in IoC Management, as mentioned in my link above.

0 Kudos
LostBoY
Advisor

This looks like what I am looking for, but unfortunately I am on R80.40. Is there any way I can enforce this on 80.40?

0 Kudos
Juan_
Collaborator

Check "Manually Uploading Threat Indicator Files through SmartConsole" in the R80.40 Threat Prevention Administration Guide.

The CSV syntax is really easy.

0 Kudos
LostBoY
Advisor

Thanks for this. One query here: when an IP in this list is blocked, what does the log look like? I mean, when it is being denied by the stealth rule, the log payload shows the name of the rule etc.

0 Kudos
Juan_
Collaborator

It shows like a normal drop, with the text below.
Unfortunately none of the fields that distinguish the feature seem indexed/searchable.

Id Generated By Indexer:false
First: true
Sequencenum: 127
Source: 45.83.65.9
Destination: 
IP Protocol: 1
Securexl Message: The packet's source IP is in the deny list (SecureXL device 0)
Feature Name: DOS/Rate Limiting Deny List
Comment: Deny list
Action: Drop
Type: Log
Policy Name: Standard
Policy Management: 
Policy Date: 2022-02-08T15:50:19Z
Blade: Firewall
Origin: checkpoint
Service: ICMP
Product Family: Access
Interface: 
Description: ICMP Traffic Dropped from 45.83.65.9 to 

Sh3r
Participant

Hello, where exactly are these logs recorded? Can I see this in a SmartConsole menu?

0 Kudos
Juan_
Collaborator

Yes, if there are connections to any of your blacklisted IPs it will appear in SmartConsole > Logs & Monitor > Logs.

It will appear like a drop. See my post above.

I haven't figured out how to make a search related to the feature though; I think it's not possible.

0 Kudos
Sh3r
Participant

OK, I created a blacklist using the syntax above and added one IP there. I then tried to ping that IP from a host behind my firewall, but in the logs it's getting dropped via the default deny rule. Shouldn't it be blocked via the blacklist feature?

0 Kudos
LostBoY
Advisor

Do I have to apply this on the individual GWs and not on the management server? And in a VSX environment, will this be applied in each VS?

Also, this blocks both incoming and outgoing requests from the mentioned IP, right?

0 Kudos
Juan_
Collaborator
  • Apply on Gateway
  • Each VS
  • Incoming is fully blocked
  • Outgoing is not fully blocked
    • Replies to the outgoing connection will be dropped
0 Kudos
Sh3r
Participant

What does "replies to the outgoing connection" mean? If someone initiated a connection from inside towards a blacklisted IP, wouldn't it get blocked?

0 Kudos
Juan_
Collaborator