[Check Point] Automated IP Blacklist v2

In my previous post I introduced several methods to create an automated IP blacklist on Check Point firewalls. At that time I was running Check Point R80.20, so the best choice was Dynamic Objects.

However, if you read that post again, you will see that I already mentioned the SecureXL blacklist (solution no. 5). I have since upgraded my firewall infrastructure to R80.40, so here I am: I want to share my updated version of the automated IP blacklist script.

SecureXL Blacklist

I completely changed the previous logic. I no longer use Dynamic Objects, because they can cause performance issues on the firewall when loading thousands and thousands of ranges. Instead, fwaccel dos blacklist -L <blacklist_file> is the preferred method on R80.40: it performs very well and loads thousands of IPs in 1-2 seconds. Keep in mind that the SecureXL blacklist is enforced in the acceleration layer, before the rulebase, so anything that ends up in the list is dropped without a rule to fall back on: sanitize the feed before loading it and never let your own management or VPN addresses slip into it.

See sk112454 for more information. Some useful commands:

  • Load a list of IPs from a file
    fwaccel dos blacklist -L /path/file
  • Flush the blacklist
    fwaccel dos blacklist -F
  • Show the blacklist entries
    fwaccel dos blacklist -s

Download the Blacklist script v2

The above script works very well when scheduled as a cron job; for instance, my firewall updates the SecureXL blacklist autonomously every hour. The blacklist is per-gateway state that is not synchronized between cluster members, so schedule the job on each member.
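As an added example, not the author's downloadable script, here is a refresh script in the shape the post describes: fetch a feed, sanitize it, then flush and reload the SecureXL blacklist with the commands listed above. It assumes a plain-text feed with one IPv4 address per line and '#' comments, and writes the same one-address-per-line format for fwaccel dos blacklist -L to read; FEED_URL, the NEVER_BLOCK networks and MIN_ENTRIES are placeholders to adjust. The sanitizer is the part worth copying: it rejects malformed octets and leading-zero octets (which some parsers read as octal), drops your own networks, refuses to load a near-empty feed, and deduplicates, so a bad feed line cannot turn into a self-inflicted outage.

```bash
#!/bin/bash
# Added example (not the blog's script): refresh the SecureXL blacklist from a
# threat feed. Assumed: feed is plain text, one IPv4 address per line, with
# '#' comments; FEED_URL and NEVER_BLOCK are placeholders. Run from expert
# mode, e.g. hourly from cron:  0 * * * * /path/bl-refresh.sh run
set -f                                     # feed lines are data, never glob them

FEED_URL="${FEED_URL:-https://feeds.example.invalid/blocklist.txt}"  # hypothetical
WORKDIR="${WORKDIR:-/var/tmp/blacklist}"
MIN_ENTRIES="${MIN_ENTRIES:-100}"          # refuse to load a truncated/empty feed
FWACCEL="${FWACCEL:-fwaccel}"              # set to "echo" for a dry run
# Own networks that must never end up in the blacklist (assumed values)
NEVER_BLOCK="${NEVER_BLOCK:-10.0.0.0/8 192.168.0.0/16 127.0.0.0/8}"

# Exit 0 if $1 is a dotted-quad IPv4 address with four decimal octets 0-255.
valid_ip4() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        # decimal only, no leading zeros (some parsers read "010" as octal 8)
        case $o in 0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]) ;; *) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# Print the 32-bit integer value of the (already validated) dotted quad $1.
ip4_to_int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Exit 0 if address $1 lies inside CIDR $2 (a bare address means /32).
in_cidr() {
    net=${2%/*}; bits=${2#*/}
    [ "$net" = "$2" ] && bits=32
    mask=$(( bits == 0 ? 0 : (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip4_to_int "$1") & mask )) -eq $(( $(ip4_to_int "$net") & mask )) ]
}

# sanitize_feed RAW OUT: write unique, valid, non-excluded addresses from RAW
# to OUT (one per line) and print the number of entries written.
sanitize_feed() {
    raw=$1; out=$2
    tr -d '\r' < "$raw" | while IFS= read -r line; do
        set -- ${line%%#*}                 # drop comment, split on whitespace
        ip=${1:-}
        [ -n "$ip" ] || continue
        valid_ip4 "$ip" || continue
        for n in $NEVER_BLOCK; do
            in_cidr "$ip" "$n" && continue 2
        done
        echo "$ip"
    done | sort -u > "$out"
    wc -l < "$out" | tr -d ' '
}

# load_blacklist FILE: flush first so addresses that left the feed are
# removed from the gateway too, then load FILE into the SecureXL blacklist.
load_blacklist() {
    "$FWACCEL" dos blacklist -F && "$FWACCEL" dos blacklist -L "$1"
}

# refresh: download, sanitize, sanity-check the size, load.
refresh() {
    mkdir -p "$WORKDIR"
    curl -fsS --max-time 60 -o "$WORKDIR/feed.raw" "$FEED_URL" || {
        echo "feed download failed, keeping current blacklist" >&2; return 1; }
    count=$(sanitize_feed "$WORKDIR/feed.raw" "$WORKDIR/blacklist.txt")
    # A near-empty feed usually means an outage or tampering, not a clean internet.
    [ "$count" -ge "$MIN_ENTRIES" ] || {
        echo "only $count usable entries, keeping current blacklist" >&2; return 1; }
    load_blacklist "$WORKDIR/blacklist.txt" && echo "loaded $count addresses"
}

# demo: run the pipeline on a constructed feed with fwaccel replaced by echo.
demo() {
    d=$(mktemp -d)
    printf '%s\n' '# constructed sample feed' '203.0.113.9' '198.51.100.7 # comment' \
        '203.0.113.9' '10.1.2.3' '256.1.1.1' 'not-an-ip' '' '192.0.2.44' > "$d/feed.raw"
    count=$(sanitize_feed "$d/feed.raw" "$d/blacklist.txt")
    echo "sanitized entries: $count"      # 3: dup, own net, bad octet, junk dropped
    FWACCEL=echo load_blacklist "$d/blacklist.txt"
    rm -rf "$d"
}

case ${1:-} in
    run)  refresh ;;
    demo) demo ;;
esac
```

Run it with demo to see the pipeline on the constructed feed with fwaccel replaced by echo, and with run from cron on each cluster member. Flushing before loading leaves a window of a second or two with an empty blacklist; for an hourly refresh that is acceptable, and it is what keeps stale addresses from accumulating.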

No more DoS or massive scans!