[Check Point] Automated IP Blacklist v2

In my previous post I introduced several methods to create an automated IP blacklist in Check Point Firewalls. At that time I was using Check Point v80.20, so, for obvious reasons, the best choice was Dynamic Objects.

However, if you read again that post, you can see as I was already talking about SecureXL Blacklist (solution n. 5). Well, I upgraded my Firewall infrastructure to v80.40, and here I am… I want to share my updated version of the automated IP blacklist script.

SecureXL Blacklist

I totally changed the previous logic. I’m not using dynamic objects anymore since they can cause performance issue to your firewall when loading thousands and thousands of ranges. Instead, fwaccel dos blacklist -L <blacklist_file> is preferred in Check Point v80.40 since it performs very well. It can load thousands of IPs in 1-2 seconds.

See sk112454 for more information. Below some useful commands:

  • Load a list of IPs from file
    fwaccel dos blacklist -L /path/file
  • Flush the blacklist
    fwaccel dos blacklist -F
  • Show the Blacklist items
    fwaccel dos whitelist -s
    Download the Blacklist script v2

The above script works very well if scheduled in a cron job. For instance my firewall autonomously updates the SecureXL blacklist every hour.

No more DoS or massive scan!

If you have found this post useful, please visit the Contribute page

[Check Point] Automated IP Blacklist

You Shall Not Pass

Check Point Firewalls do not have an easy and ready-to-use “automated IP blacklist” mechanism. Indeed, SmartConsole lacks of this kind of feature.

For that reason, you need to write some code using Check Point tools and API so that you are able to populate a blacklist (or blocklist) with IPs collected by external feeds. In doing so, your firewall can easily drop incoming traffic from malicious sources.

What are the solutions?

Following the solutions I tested to implement an automated mechanism.

1. Network Objects

Add new host and network objects into an existing network group object.

  • Pros: easy to implement by using mgmt_cli (e.g., an example of implementation is provided here).
  • Cons: process of addition and deletion very heavy since it acts as a sequence of several manual changes. Furthermore, you need to publish and install all changes. A well-known issue is the expiration of Apache session (see my post on CheckMates).

2. The script using samp rules

Use the script provided in sk103154 (samp rules).

  • Pros: ready-to-use script. Maybe, you need to apply some changes to better suit your environment.
  • Cons: not supported in VSX configuration. Someone in CheckMates says samp rules could be heavy in terms of performance.

3. Custom Intelligence Feeds

Use Intelligence Feeds, as documented in sk132193.

  • Pros: new approach enriching cyber intelligence funciontalities with IOC feeds.
  • Cons: traffic is blocked by Anti-Virus and Anti-Bot blades, not by Access Control. This approach is not optimal for blocking incoming traffic from thousands of IPs. Better to only use with Anti-Virus feeds (e.g., URL, md5, and so on) for outgoing traffic.

4. Dynamic Objects

Use Dynamic Objects as implemented by “Open Dynamic Block Lists” (see post on CheckMates).

  • Pros: dynamic approach able to provide a very fast process of change. Dynamic objects don’t require “publish and install”.
  • Cons: OpenDBL script does not support VSX configuration. In addition, it lacks of “covering” between the deletion process of the old blacklist and the creation process of the updated blacklist. This lack can last seconds in case of thousands of IPs or minutes in case of ten of thounsands of IPs.

5. SecureXL Blacklist

Use fwaccel dos blacklist to drop packets in SecureXL (see sk112454).

[UPDATE] Please also read this other post if you’re running v80.40.

  • Pros: For R80.40 and newer, it can scale to millions of IP addresses. A scalability hotfix is available for R80.20/R80.30.
  • Cons: networks in CIDR notation are not supported; you need to use rate limiting policy rules instead.

The defenitive solution

After several experiments, I eventually chose the Dynamic Objects approach (4). However, since the script provided by OpenDBL was not suitable to my configuration (i.e., a cluster of 3 x 23900 appliances in VSX configuration), I decided to rewrite the code.

Download the script

Improvements

  • Processing of multiple URL feeds in one script-file.
  • Support of network strings in CIDR format as well as IP.
  • Inputs verified by robust regular expressions.
  • “Diff” mechanism to add new IPs and remove obsolete sources (no more lack of covering).
  • Caching mechanism to preserve feed if its online resource is not available.

Instructions

  • Create the directory path /scripts/blacklist/ on your Gateway.
  • Copy the bash script into the /scripts/blacklist/ directory.
  • Change the VSID variable with the correct Virtual System ID.
  • Change the CONTEXT variable with the name of your blacklist.
    IMPORTANT: the name must be the same of the Dynamic Object BLDO_ContextName you will create on SmartConsole (see below).
  • Copy your feeds in URL array elements (e.g. URL[0]="...").
  • Give execution permissions to the bash script: chmod +x blacklist.sh.
  • Manually run the script in VS0 to test if everything is properly working: ./blacklist.sh.
  • Check logs within /scripts/blacklist/logs/.
  • Add a cron job in VS0 to automatically run the bash script (crontab -e command). For instance:
    # Blacklist running every hour at :15 min
    15 * * * * /scripts/blacklist/blacklist.sh
  • Create a Dynamic Object on your Smart Console named BLDO_ContextName and add it to a drop rule. For instance:

    Blacklist Drop Rule

Feeds to subscribe

  • FireHOL is a very good resource containing several feeds.
  • In Sapienza Università di Roma we manage a very excellent feed containing thousands of IPs that are not discovered by any other feed. This list is updated every 5 minutes thanks to the correlation of our Cyber Threat Intelligence technology. Every IP within the list lives for 48 hours.

    If you are interested in subscribing our feed, please contact me (have a look at Professional Services as well).

    Sapienza Blacklist

Further thoughts

  • A 23900 appliance can manage up to 100.000 IPs with no performance issue. Beyond that threshold, you may incur in some drops of perfomance.
  • The fwaccel solution is a good future candidate if Check Point implements the mechanism to add networks as well as single IPs.

If you have found this post useful, please visit the Contribute page