In my previous post I introduced several methods to create an automated IP blacklist in Check Point Firewalls. At that time I was using Check Point v80.20, so, for obvious reasons, the best choice was Dynamic Objects.
However, if you read again that post, you can see as I was already talking about SecureXL Blacklist (solution n. 5). Well, I upgraded my Firewall infrastructure to v80.40, and here I am… I want to share my updated version of the automated IP blacklist script.
SecureXL Blacklist
I totally changed the previous logic. I’m not using dynamic objects anymore since they can cause performance issue to your firewall when loading thousands and thousands of ranges. Instead, fwaccel dos blacklist -L <blacklist_file> is preferred in Check Point v80.40 since it performs very well. It can load thousands of IPs in 1-2 seconds.
See sk112454 for more information. Below some useful commands:
- Load a list of IPs from file
fwaccel dos blacklist -L /path/file - Flush the blacklist
fwaccel dos blacklist -F - Show the Blacklist items
Download the Blacklist script v2fwaccel dos whitelist -s
The above script works very well if scheduled in a cron job. For instance my firewall autonomously updates the SecureXL blacklist every hour.
No more DoS or massive scan!
If you have found this post useful, please visit the Contribute page