israelgl
Participant

Blocking malicious IP addresses SAMP rules

hey all,

I'm using the script from sk103154 - How to block traffic coming from known malicious IP addresses, and I have a database of 100,000 malicious IPs. Now I realize that I have only a little less than 7,000 samp rules.

Is it because of a limit on the number of samp rules, or is it something with the script from the SK?

0 Kudos
11 Replies
Diego_dg
Contributor

Hi, I don't know if this could be related to your issue, but there is a limit on the size of the SAM file. You can enable/disable or change it in the Gateway object properties, under Other -> SAM, "purge SAM file when it reaches...".

0 Kudos
G_W_Albrecht
Legend

Did you try sk112454, (6) Deny List Configuration?

The deny list is configured using "fwaccel dos deny" commands.
In R80.40 and higher versions, the deny list scales to millions of IP addresses.

CCSE CCTE SMB Specialist
(1)
G_W_Albrecht
Legend

In order to block a designated IP list, Check Point strongly recommends using the Custom Intelligence Feeds feature introduced in R80.30; refer to sk132193.

CCSE CCTE SMB Specialist
Diego_dg
Contributor

But, if I am right, Custom Intelligence Feeds are only available if there is a TP license (Antivirus, AntiBot) on the GW, aren't they?

0 Kudos
Sorin_Gogean
Advisor

You are correct, the IOCs are used by the Antivirus and AntiBot blades.

For what you need, I would look into Generic DataCenter objects; we're using them for similar needs/requirements to yours.

"Generic Data Center Object

From R81, you can enforce access to and from IP addresses defined in files located in external web servers.

To do that, use the Generic Data Center object in SmartConsole. The Generic Data Center object points to a JSON file in an external server which contains the IP addresses which you want to access. This way, when the Generic Data Center object is used in a policy, SmartConsole can retrieve the IP information from the JSON file as necessary.

You can host the JSON file also locally on the Security Management Server.

This feature is useful in cases where one administrator creates the Rule Base and defines the objects, and another administrator manages the content of these objects.

This feature is supported in the Access Control, Threat Prevention, HTTPS Inspection, and NAT Rule Bases.

The feature is supported only on a Security Management Server R81 and higher and Security Gateway (Cluster) R81 and higher.

After you create the Generic Data Center object, any change made in the file is automatically enforced on the Security Gateway with no need to install policy.

To create the JSON file, follow the guidelines described in sk167210.

For more information, see Generic Data Center Objects."

Ty,

0 Kudos
israelgl
Participant

I don't want to use objects because I want to reduce load on the appliance.

0 Kudos
Sorin_Gogean
Advisor

IOC feeds or Generic DataCenter objects would imply similar appliance load, from my knowledge.

The only difference is that they apply at different levels.

Your choice 😊 .

Ty,

0 Kudos
israelgl
Participant

Custom Intelligence Feeds block traffic from outside only in R81.

In R80.40 I used sk103154.

0 Kudos
George_Ellis
Contributor

I have laid out a strategy for my company to use this too (sk103154). The script is easily modified to also add your own site to maintain a list of internally designated IPs to drop. And it should work on VSX. Then you just need a process to update your internally maintained blacklist and a hosting site inside your company.

0 Kudos
israelgl
Participant

I used "fwaccel dos deny" and it works great, and I even created a script that updates the list every 20 minutes.

But I didn't find a way to see the match table or logs. Is there an option to log the drops?

0 Kudos
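A concrete version of the refresh script the poster describes, as an added example that is not from this thread, from sk103154 or from sk112454. It assumes a feed at a placeholder URL (FEED_URL) carrying one IPv4 address or CIDR per line, the `fwaccel dos deny -a/-d/-F` syntax from sk112454 section (6), and, for the optional Generic Data Center output discussed earlier in the thread, the sk167210 JSON layout (version/description/objects/ranges) as I remember it; verify both against the SK before relying on them. What it adds beyond the thread is the validation step: a feed entry of 0.0.0.0/0 or of one of your own RFC1918 ranges, or an empty download, must not be able to take the gateway off the network.

```shell
#!/bin/bash
# Added example, not the sk103154 script: refresh the SecureXL DoS deny list
# from an external IP feed. FEED_URL is a placeholder (assumption); the feed is
# assumed to carry one IPv4 address or CIDR per line, '#' comments allowed.
FEED_URL="${FEED_URL:-https://feeds.example.internal/malicious-ips.txt}"
WORKDIR="${WORKDIR:-/var/tmp/denylist}"

# normalize_feed: stdin = raw feed, stdout = sorted, unique, validated CIDRs.
# Drops comments, blanks and malformed lines, prefixes shorter than /8 (a stray
# "0.0.0.0/0" in a feed would deny all traffic) and RFC1918/loopback ranges
# (a feed must never be able to cut the gateway off from its own networks).
normalize_feed() {
    sed 's/#.*//; s/[[:space:]]//g' |
    awk -F/ '
        $0 == "" || NF > 2 { next }
        {
            ip = $1; pfx = (NF == 2) ? $2 : "32"
            if (split(ip, o, ".") != 4) next
            for (i = 1; i <= 4; i++)
                if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) next
            if (pfx !~ /^[0-9]+$/ || pfx + 0 > 32 || pfx + 0 < 8) next
            a = o[1] + 0; b = o[2] + 0
            if (a == 0 || a == 10 || a == 127) next
            if (a == 192 && b == 168) next
            if (a == 172 && b >= 16 && b <= 31) next
            print ip "/" pfx
        }' |
    sort -u
}

# fetch_feed: download the raw feed to $1. Gaia ships curl as curl_cli.
fetch_feed() {
    if command -v curl_cli >/dev/null 2>&1; then
        curl_cli -sSf --max-time 60 -o "$1" "$FEED_URL"
    else
        curl -sSf --max-time 60 -o "$1" "$FEED_URL"
    fi
}

# apply_deny_list: $1 = new list, $2 = list applied last time (may not exist).
# Entries that disappeared from the feed are removed with "-d" so stale blocks
# do not accumulate, then the new list is loaded with "-F <file>" (flag syntax
# taken from sk112454 section 6; assumed, verify on your gateway).
# Off-box, where fwaccel does not exist, it prints the commands instead.
apply_deny_list() {
    if command -v fwaccel >/dev/null 2>&1; then run=""; else run="echo DRY-RUN:"; fi
    if [ -f "$2" ]; then
        comm -23 "$2" "$1" | while read -r cidr; do
            $run fwaccel dos deny -d "$cidr"
        done
    fi
    $run fwaccel dos deny -F "$1"
}

# to_gdc_json: stdin = normalized list; emit it as a Generic Data Center file
# ($1 = object name, $2 = object UUID). Layout as I recall sk167210 (assumption).
to_gdc_json() {
    awk -v name="$1" -v id="$2" '
        BEGIN { printf "{\"version\":\"1.0\",\"description\":\"malicious IP feed\",\"objects\":[{\"name\":\"%s\",\"id\":\"%s\",\"description\":\"deny list\",\"ranges\":[", name, id }
        { printf "%s\"%s\"", (NR > 1 ? "," : ""), $0 }
        END { print "]}]}" }'
}

main() {
    mkdir -p "$WORKDIR"
    fetch_feed "$WORKDIR/raw.txt" || { echo "feed download failed; keeping current list" >&2; return 1; }
    normalize_feed < "$WORKDIR/raw.txt" > "$WORKDIR/new.txt"
    n=$(wc -l < "$WORKDIR/new.txt")
    # A broken or empty download must not wipe the list: require a sane minimum.
    if [ "$n" -lt 10 ]; then
        echo "only $n valid entries after validation; not applying" >&2; return 1
    fi
    apply_deny_list "$WORKDIR/new.txt" "$WORKDIR/applied.txt"
    mv "$WORKDIR/new.txt" "$WORKDIR/applied.txt"
    echo "applied $n deny-list entries"
}

# Only run when invoked as "refresh-denylist.sh run", so the functions can be
# sourced and tested without touching the gateway.
if [ "${1:-}" = "run" ]; then main; fi
```

Run it as `./refresh-denylist.sh run` from whatever scheduler you use (the poster refreshes every 20 minutes); without the argument it only defines the functions. Removing stale entries one at a time with `-d` spawns one fwaccel per entry, which is fine for the few hundred changes a 20-minute refresh typically produces; if the whole list changes, flush with `fwaccel dos deny -f` and reload instead, accepting the short window in which nothing is denied.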
Diego_dg
Contributor

We also use "fwaccel dos deny" and we see the drops in the logs, with the message shown below. Maybe you need to configure "log drops: enable" with the command "fwaccel config set":

The packet's source IP is in the deny list (SecureXL device 0)
feature_name: DOS/Rate Limiting Deny List
comment: Deny list