[Check Point] Search for AD users in Access Roles

Alice's Adventures in Wonderland

Are you using the Identity Awareness functionality on your Check Point Firewall? It is very convenient, isn’t it? Identity Awareness can be used for local traffic and for VPN remote access as well. You can directly map Active Directory users and computers in your Access Roles and build rules per user (or computer) instead of per IP address. Read the official documentation for more information; you could discover a new world!
Now, would you like to search for AD users in your Access Roles? Have you noticed that the only users searchable through the Object Explorer are local users? In other words, you can only search for users created locally in the management database, but you can’t do that for external accounts like AD users! Sigh…

This is a serious shortcoming of SmartConsole: it is impossible to find out whether an AD user is already configured in any Access Role. As a result, you may end up creating duplicate Access Roles that include the same users, which can be very confusing during troubleshooting. Thus, before adding a new Access Role, you should verify whether the user to be mapped already exists in another one.

The Bianconiglio script

For that reason, I wrote a simple Python script able to search for AD users in Access Roles. I named it Bianconiglio, the White Rabbit of Alice’s Adventures in Wonderland.

Download the Bianconiglio script

It is very simple to use. The syntax just accepts the username and the optional case-insensitive parameter:

Search for AD users in Access Roles

So, assuming you want to search for the user 012345, the command to run is:

./getADuser.py 012345

The result will be something like the following. It shows the Access Role containing the user you’re searching for and other members (users and groups) within the same Access Role.

Search for AD users in Access Roles

The only configuration you need to implement on your firewall is the creation of a Read Only All user authenticated by API key. For instance:

Read only All User

Then, you need to copy and paste your Management Server IP address and the generated API key into the Bianconiglio script. For instance:

Bianconiglio configuration

If you have found this post useful, please visit the Contribute page

[Check Point] Automated IP Blacklist v2

In my previous post I introduced several methods to create an automated IP blacklist in Check Point Firewalls. At that time I was using Check Point v80.20, so, for obvious reasons, the best choice was Dynamic Objects.

However, if you read that post again, you can see that I was already talking about the SecureXL Blacklist (solution no. 5). Well, I upgraded my firewall infrastructure to v80.40, and here I am… I want to share my updated version of the automated IP blacklist script.

SecureXL Blacklist

I totally changed the previous logic. I’m not using dynamic objects anymore since they can cause performance issues on your firewall when loading thousands and thousands of ranges. Instead, fwaccel dos blacklist -L <blacklist_file> is preferred in Check Point v80.40 since it performs very well. It can load thousands of IPs in 1-2 seconds.

See sk112454 for more information. Below are some useful commands:

  • Load a list of IPs from file
    fwaccel dos blacklist -L /path/file
  • Flush the blacklist
    fwaccel dos blacklist -F
  • Show the Blacklist items
    fwaccel dos blacklist -s

Download the Blacklist script v2

The above script works very well if scheduled in a cron job. For instance, my firewall autonomously updates the SecureXL blacklist every hour.

No more DoS or massive scan!


[Check Point] Automated IP Blacklist

You Shall Not Pass

Check Point Firewalls do not have an easy and ready-to-use “automated IP blacklist” mechanism. Indeed, SmartConsole lacks this kind of feature.

For that reason, you need to write some code using Check Point tools and API so that you are able to populate a blacklist (or blocklist) with IPs collected by external feeds. In doing so, your firewall can easily drop incoming traffic from malicious sources.

What are the solutions?

The following are the solutions I tested to implement an automated mechanism.

1. Network Objects

Add new host and network objects into an existing network group object.

  • Pros: easy to implement by using mgmt_cli (an example implementation is provided here).
  • Cons: the process of addition and deletion is very heavy since it acts as a sequence of several manual changes. Furthermore, you need to publish and install all changes. A well-known issue is the expiration of the Apache session (see my post on CheckMates).

2. The script using samp rules

Use the script provided in sk103154 (samp rules).

  • Pros: ready-to-use script. You may need to apply some changes to better suit your environment.
  • Cons: not supported in VSX configuration. Someone in CheckMates says samp rules could be heavy in terms of performance.

3. Custom Intelligence Feeds

Use Intelligence Feeds, as documented in sk132193.

  • Pros: new approach enriching cyber intelligence functionalities with IOC feeds.
  • Cons: traffic is blocked by the Anti-Virus and Anti-Bot blades, not by Access Control. This approach is not optimal for blocking incoming traffic from thousands of IPs. It is better used only with Anti-Virus feeds (e.g., URL, md5, and so on) for outgoing traffic.

4. Dynamic Objects

Use Dynamic Objects as implemented by “Open Dynamic Block Lists” (see post on CheckMates).

  • Pros: dynamic approach able to provide a very fast process of change. Dynamic objects don’t require “publish and install”.
  • Cons: the OpenDBL script does not support VSX configuration. In addition, it lacks “covering” between the deletion of the old blacklist and the creation of the updated blacklist. This gap can last seconds in the case of thousands of IPs, or minutes in the case of tens of thousands of IPs.

5. SecureXL Blacklist

Use fwaccel dos blacklist to drop packets in SecureXL (see sk112454).

[UPDATE] Please also read this other post if you’re running v80.40.

  • Pros: For R80.40 and newer, it can scale to millions of IP addresses. A scalability hotfix is available for R80.20/R80.30.
  • Cons: networks in CIDR notation are not supported; you need to use rate limiting policy rules instead.

The definitive solution

After several experiments, I eventually chose the Dynamic Objects approach (4). However, since the script provided by OpenDBL was not suitable for my configuration (i.e., a cluster of 3 x 23900 appliances in VSX configuration), I decided to rewrite the code.

Download the script

Improvements

  • Processing of multiple URL feeds in one script-file.
  • Support of network strings in CIDR format as well as IP.
  • Inputs verified by robust regular expressions.
  • “Diff” mechanism to add new IPs and remove obsolete sources (no more lack of covering).
  • Caching mechanism to preserve a feed if its online resource is not available.
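
The validation, caching and “diff” steps in the list above can be sketched as follows. This is an added example, not the downloadable script: the function names (clean_feed, refresh_cache, diff_feeds), file names and sample addresses are assumptions, and the add/del lines stand in for whatever command updates the Dynamic Object.

```shell
#!/bin/sh
# Added example (not the post's script): validate feed lines, cache, then diff.
OCTET='(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])'
ENTRY_RE="$OCTET(\\.$OCTET){3}(/(3[0-2]|[12]?[0-9]))?"   # IPv4 or IPv4/0-32

# stdin: raw feed. stdout: well-formed entries only, sorted and de-duplicated.
# Lines with anything extra (a second token, a bad octet) are dropped whole,
# so feed text never reaches a later command line unvalidated.
clean_feed() {
    tr -d '\r' | sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' |
        grep -E -x "$ENTRY_RE" | LC_ALL=C sort -u
}

# $1: freshly downloaded raw feed (may be missing or empty), $2: cache file.
# The cache is replaced only when the download yields at least one valid entry.
refresh_cache() {
    tmp="$2.tmp"
    if [ -s "$1" ] && clean_feed < "$1" > "$tmp" && [ -s "$tmp" ]; then
        mv "$tmp" "$2"
    else
        rm -f "$tmp"
    fi
}

# $1: list currently loaded, $2: new list (both sorted by clean_feed).
# Additions are printed before deletions; unchanged entries are never touched.
diff_feeds() {
    LC_ALL=C comm -13 "$1" "$2" | sed 's/^/add /'
    LC_ALL=C comm -23 "$1" "$2" | sed 's/^/del /'
}

# Constructed sample data: three loaded entries and one downloaded feed.
demo_plan() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 192.0.2.10 198.51.100.0/24 203.0.113.7 > "$d/loaded"
    printf '%s\n' '# constructed feed' '198.51.100.0/24' ' 203.0.113.9 ' \
        '999.1.1.1' '192.0.2.0/33' '203.0.113.7 junk' > "$d/raw"
    cp "$d/loaded" "$d/cache"
    refresh_cache "$d/raw" "$d/cache"
    diff_feeds "$d/loaded" "$d/cache"
    rm -rf "$d"
}

demo_plan
```

Because entries present in both lists are left alone and additions come before deletions, there is no window in which the blacklist is empty while it is being refreshed.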

Instructions

  • Create the directory path /scripts/blacklist/ on your Gateway.
  • Copy the bash script into the /scripts/blacklist/ directory.
  • Change the VSID variable with the correct Virtual System ID.
  • Change the CONTEXT variable with the name of your blacklist.
    IMPORTANT: the name must be the same as that of the Dynamic Object BLDO_ContextName you will create in SmartConsole (see below).
  • Copy your feeds in URL array elements (e.g. URL[0]="...").
  • Give execution permissions to the bash script: chmod +x blacklist.sh.
  • Manually run the script in VS0 to test if everything is properly working: ./blacklist.sh.
  • Check logs within /scripts/blacklist/logs/.
  • Add a cron job in VS0 to automatically run the bash script (crontab -e command). For instance:
    # Blacklist running every hour at :15 min
    15 * * * * /scripts/blacklist/blacklist.sh
  • Create a Dynamic Object in SmartConsole named BLDO_ContextName and add it to a drop rule. For instance:

    Blacklist Drop Rule

Feeds to subscribe

  • FireHOL is a very good resource containing several feeds.
  • At Sapienza Università di Roma we manage an excellent feed containing thousands of IPs that are not discovered by any other feed. This list is updated every 5 minutes thanks to the correlation of our Cyber Threat Intelligence technology. Every IP within the list lives for 48 hours.

    If you are interested in subscribing to our feed, please contact me (have a look at Professional Services as well).

    Sapienza Blacklist

Further thoughts

  • A 23900 appliance can manage up to 100.000 IPs with no performance issue. Beyond that threshold, you may incur some drops in performance.
  • The fwaccel solution is a good future candidate if Check Point implements the mechanism to add networks as well as single IPs.
