IP Block Feature

Description

The IP Block feature provides the ability to block malicious traffic to and from certain IP addresses.

The IP Block feature requires the list of malicious IP addresses as a feed (URL).

The IP Block feature runs periodically, fetches the IP list again and updates the IP addresses in the Security Gateway based on the list in the feed.

The blocking mechanism is enforced by an Access Control rule with a Dynamic Object.

Check Point's Security Intelligence maintains and periodically updates a list of IP addresses known as TOR Exit Nodes:

https://secureupdates.checkpoint.com/IP-list/TOR.txt

Best Practice - We recommend to consider the "Custom Intelligence Feeds" from sk132193.

Notes:

These IP ranges are excluded by default: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16.
The IP Block feature supports only IPv4 feeds.

CLI

Syntax

ip_block -h

ip_block -s SET_DYN_OBJ

ip_block -n

ip_block -a ADD_URL [ADD_URL ...]

ip_block -d DEL_URL

ip_block -l [-j]

ip_block -e ACTIVATE

ip_block -x

ip_block -c

ip_block -r [-f]

Parameters

Parameter	Description
`-h` `--help`	Shows the built-in help.
`-a ADD_URL [ADD_URL ...]` `--add-url ADD_URL [ADD_URL ...]`	Adds IP feed URLs (separated by a comma) to the configuration.
`-d DEL_URL` `--del-url DEL_URL`	Deletes IP feed URLs (separated by a comma) from the configuration.
`-l` `--list-urls`	Shows the configured IP feed URLs.
`-s SET_DYN_OBJ` `--set-dynamic-object SET_DYN_OBJ`	Specifies the Dynamic Object name in the configuration. For example, `MyDynObj`.
`-n` `--show-dynamic-object-name`	Show the configured Dynamic Object name.
`-r` `--run`	Updates the IP addresses in the configuration.
`-f` `--force`	Forces the update.
`-j` `--json`	Shows the output in JSON format.
`-c` `--clear-cache`	Clears the cache.
`-e ACTIVATE` `--activate ACTIVATE`	Starts the periodic run of the feature at the specified intervals. Specify the interval ACTIVATE as a number followed by units: `Xs` - runs every X seconds (for example, 30s) `Xm` - runs every X minutes (for example, 20m) `Xh` - runs every X hours (for example, 1h)
`-x` `--deactivate`	Stops the periodic run of the feature.

Parameter

Description

-h

--help

Shows the built-in help.

-a ADD_URL [ADD_URL ...]

--add-url ADD_URL [ADD_URL ...]

Adds IP feed URLs (separated by a comma) to the configuration.

-d DEL_URL

--del-url DEL_URL

Deletes IP feed URLs (separated by a comma) from the configuration.

-l

--list-urls

Shows the configured IP feed URLs.

-s SET_DYN_OBJ

--set-dynamic-object SET_DYN_OBJ

Specifies the Dynamic Object name in the configuration.

For example, MyDynObj.

-n

--show-dynamic-object-name

Show the configured Dynamic Object name.

-r

--run

Updates the IP addresses in the configuration.

-f

--force

Forces the update.

-j

--json

Shows the output in JSON format.

-c

--clear-cache

Clears the cache.

-e ACTIVATE

--activate ACTIVATE

Starts the periodic run of the feature at the specified intervals.

Specify the interval ACTIVATE as a number followed by units:

Xs - runs every X seconds (for example, 30s)
Xm - runs every X minutes (for example, 20m)
Xh - runs every X hours (for example, 1h)

-x

--deactivate

Stops the periodic run of the feature.

Procedure

Follow these steps in SmartConsole and on the Security Group.

Procedure

Step

Instructions

Connect with SmartConsole to the Management Server.

Create a new Dynamic Object:

From the right panel Objects, click New > More > Network Object > Dynamic Objects > Dynamic Object.

In the New Dynamic Object window, enter a name (for example, MyDynObj) and click OK.

You use this name later in the CLI on the Security Group.

In the applicable Access Control policy, add a new rule that drops all traffic from the new Dynamic Object:

Source	Destination	VPN	Services & Applications	Action	Track
Dynamic Object	`Any`	`Any`	`Any`	`Drop`	`None`

Connect to the command line on the Security Group.

Configure the Dynamic Object as configured in SmartConsole:

dynamic_objects -n <Name of Dynamic Object in SmartConsole>

Examine the Dynamic Objects configuration to make sure the new Dynamic Object is added:

dynamic_objects -l

Configure the Dynamic Object in the IP Block settings as configured in SmartConsole:

ip_block --set-dynamic-object <Name of Dynamic Object in SmartConsole>

Examine the IP Block configuration to make sure the new Dynamic Object is added:

ip_block --show-dynamic-object-name

Configure the URL for the IP feed:

ip_block --add-url <URL>

Example:

ip_block --add-url https://secureupdates.checkpoint.com/IP-list/TOR.txt

Note - This can be a file on your own web server.

Examine the configuration to make sure the feed URL is added:

ip_block --list-urls

Start the periodic run at the specified intervals:

ip_block --activate <ACTIVATE>

Examine the configuration to make sure the "ip_block" command is scheduled to run at the specified intervals by the CPD daemon:

cpd_sched_config print | grep -A 5 "ip_block"

Example output:

Task: "ip_block"
        Command: /bin/ip_block
        Arguments: -r
        Interval: 600
        Active: true
        RunAtStart: false

In SmartConsole, install the Access Control Policy on the Security Group object.

Examine the log on the Security Group:

/var/log/ip_block.elg