Check Point Firewalls do not have an easy and ready-to-use “automated IP blacklist” mechanism. Indeed, SmartConsole lacks of this kind of feature.
For that reason, you need to write some code using Check Point tools and API so that you are able to populate a blacklist (or blocklist) with IPs collected by external feeds. In doing so, your firewall can easily drop incoming traffic from malicious sources.
What are the solutions?
Following the solutions I tested to implement an automated mechanism.
1. Network Objects
Add new host and network objects into an existing network group object.
- Pros: easy to implement by using mgmt_cli (e.g., an example of implementation is provided here).
- Cons: process of addition and deletion very heavy since it acts as a sequence of several manual changes. Furthermore, you need to publish and install all changes. A well-known issue is the expiration of Apache session (see my post on CheckMates).
2. The script using samp rules
Use the script provided in sk103154 (samp rules).
- Pros: ready-to-use script. Maybe, you need to apply some changes to better suit your environment.
- Cons: not supported in VSX configuration. Someone in CheckMates says samp rules could be heavy in terms of performance.
3. Custom Intelligence Feeds
Use Intelligence Feeds, as documented in sk132193.
- Pros: new approach enriching cyber intelligence funciontalities with IOC feeds.
- Cons: traffic is blocked by Anti-Virus and Anti-Bot blades, not by Access Control. This approach is not optimal for blocking incoming traffic from thousands of IPs. Better to only use with Anti-Virus feeds (e.g., URL, md5, and so on) for outgoing traffic.
4. Dynamic Objects
- Pros: dynamic approach able to provide a very fast process of change. Dynamic objects don’t require “publish and install”.
- Cons: OpenDBL script does not support VSX configuration. In addition, it lacks of “covering” between the deletion process of the old blacklist and the creation process of the updated blacklist. This lack can last seconds in case of thousands of IPs or minutes in case of ten of thounsands of IPs.
5. SecureXL Blacklist
fwaccel dos blacklist to drop packets in SecureXL (see sk112454).
[UPDATE] Please also read this other post if you’re running v80.40.
- Pros: For R80.40 and newer, it can scale to millions of IP addresses. A scalability hotfix is available for R80.20/R80.30.
- Cons: networks in CIDR notation are not supported; you need to use rate limiting policy rules instead.
The defenitive solution
After several experiments, I eventually chose the Dynamic Objects approach (4). However, since the script provided by OpenDBL was not suitable to my configuration (i.e., a cluster of 3 x 23900 appliances in VSX configuration), I decided to rewrite the code.
- Processing of multiple URL feeds in one script-file.
- Support of network strings in CIDR format as well as IP.
- Inputs verified by robust regular expressions.
- “Diff” mechanism to add new IPs and remove obsolete sources (no more lack of covering).
- Caching mechanism to preserve feed if its online resource is not available.
- Create the directory path
/scripts/blacklist/on your Gateway.
- Copy the bash script into the
- Change the
VSIDvariable with the correct Virtual System ID.
- Change the
CONTEXTvariable with the name of your blacklist.
IMPORTANT: the name must be the same of the Dynamic Object BLDO_ContextName you will create on SmartConsole (see below).
- Copy your feeds in URL array elements (e.g.
- Give execution permissions to the bash script:
chmod +x blacklist.sh.
- Manually run the script in VS0 to test if everything is properly working:
- Check logs within
- Add a cron job in VS0 to automatically run the bash script (
crontab -ecommand). For instance:
# Blacklist running every hour at :15 min
15 * * * * /scripts/blacklist/blacklist.sh
- Create a Dynamic Object on your Smart Console named BLDO_ContextName and add it to a drop rule. For instance:
Feeds to subscribe
- FireHOL is a very good resource containing several feeds.
- In Sapienza Università di Roma we manage a very excellent feed containing thousands of IPs that are not discovered by any other feed. This list is updated every 5 minutes thanks to the correlation of our Cyber Threat Intelligence technology. Every IP within the list lives for 48 hours.
If you are interested in subscribing our feed, please contact me (have a look at Professional Services as well).
- A 23900 appliance can manage up to 100.000 IPs with no performance issue. Beyond that threshold, you may incur in some drops of perfomance.
- The fwaccel solution is a good future candidate if Check Point implements the mechanism to add networks as well as single IPs.