IP Block Feature

Description

The IP Block feature provides the ability to block malicious traffic to and from certain IP addresses.

The IP Block feature requires the list of malicious IP addresses as a feed (URL).

The IP Block feature runs periodically, fetches the IP list again and updates the IP addresses in the Security GatewayClosed Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. based on the list in the feed.

The blocking mechanism is enforced by an Access Control ruleClosed Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session. with a Dynamic ObjectClosed Special object type, whose IP address is not known in advance. The Security Gateway resolves the IP address of this object in real time..

Check Point's Security Intelligence maintains and periodically updates a list of IP addresses known as TOR Exit Nodes:

https://secureupdates.checkpoint.com/IP-list/TOR.txt

Best Practice - We recommend to consider the "Custom Intelligence Feeds" from sk132193.

Notes:

  • These IP ranges are excluded by default: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16.

  • The IP Block feature supports only IPv4 feeds.

CLI

ip_block -h

ip_block -s SET_DYN_OBJ

ip_block -n

ip_block -a ADD_URL [ADD_URL ...]

ip_block -d DEL_URL

ip_block -l [-j]

ip_block -e ACTIVATE

ip_block -x

ip_block -c

ip_block -r [-f]

Parameter

Description

-h

--help

Shows the built-in help.

-a ADD_URL [ADD_URL ...]

--add-url ADD_URL [ADD_URL ...]

Adds IP feed URLs (separated by a comma) to the configuration.

-d DEL_URL

--del-url DEL_URL

Deletes IP feed URLs (separated by a comma) from the configuration.

-l

--list-urls

Shows the configured IP feed URLs.

-s SET_DYN_OBJ

--set-dynamic-object SET_DYN_OBJ

Specifies the Dynamic Object name in the configuration.

For example, MyDynObj.

-n

--show-dynamic-object-name

Show the configured Dynamic Object name.

-r

--run

Updates the IP addresses in the configuration.

-f

--force

Forces the update.

-j

--json

Shows the output in JSON format.

-c

--clear-cache

Clears the cache.

-e ACTIVATE

--activate ACTIVATE

Starts the periodic run of the feature at the specified intervals.

Specify the interval ACTIVATE as a number followed by units:

  • Xs - runs every X seconds (for example, 30s)

  • Xm - runs every X minutes (for example, 20m)

  • Xh - runs every X hours (for example, 1h)

-x

--deactivate

Stops the periodic run of the feature.

Procedure

Follow these steps in SmartConsoleClosed Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on. and on the Security GroupClosed A logical group of Security Gateway Modules that provides Active/Active cluster functionality. A Security Group can contain one or more Security Gateway Modules. Security Groups work separately and independently from each other. To the production networks, a Security Group appears a single Security Gateway..

Step

Instructions

1

Connect with SmartConsole to the Management ServerClosed Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server..

2

Create a new Dynamic Object:

From the right panel Objects, click New > More > Network Object > Dynamic Objects > Dynamic Object.

3

In the New Dynamic Object window, enter a name (for example, MyDynObj) and click OK.

You use this name later in the CLI on the Security Group.

4

In the applicable Access Control policy, add a new rule that drops all traffic from the new Dynamic Object:

Source

Destination

VPN

Services & Applications

Action

Track

Dynamic Object

Any

Any

Any

Drop

None

5

Connect to the command line on the Security Group.

6

Log in to the Expert mode.

7

Configure the Dynamic Object as configured in SmartConsole:

dynamic_objects -n <Name of Dynamic Object in SmartConsole>

8

Examine the Dynamic Objects configuration to make sure the new Dynamic Object is added:

dynamic_objects -l

9

Configure the Dynamic Object in the IP Block settings as configured in SmartConsole:

ip_block --set-dynamic-object <Name of Dynamic Object in SmartConsole>

10

Examine the IP Block configuration to make sure the new Dynamic Object is added:

ip_block --show-dynamic-object-name

11

Configure the URL for the IP feed:

ip_block --add-url <URL>

Example:

ip_block --add-url https://secureupdates.checkpoint.com/IP-list/TOR.txt

Note - This can be a file on your own web server.

12

Examine the configuration to make sure the feed URL is added:

ip_block --list-urls

13

Start the periodic run at the specified intervals:

ip_block --activate <ACTIVATE>

14

Examine the configuration to make sure the "ip_block" command is scheduled to run at the specified intervals by the CPD daemon:

cpd_sched_config print | grep -A 5 "ip_block"

Example output:

Task: "ip_block"
        Command: /bin/ip_block
        Arguments: -r
        Interval: 600
        Active: true
        RunAtStart: false

15

In SmartConsole, install the Access Control Policy on the Security Group object.

16

Examine the log on the Security Group:

/var/log/ip_block.elg