Malware Prevention Using IP and Port Indicators

Important - This feature is available from R81.20 Jumbo Hotfix Accumulator Take 70 (PRJ-50184).

This feature is disabled by default.

IP Reputation Protection inspects traffic and blocks suspicious connections based on IP addresses.

This protection enforces security policies through an advanced analysis of traffic using IP addresses and ports to identify and block malicious traffic across multiple protocols.

The Security Gateway loads the latest threat intelligence from the cloud to maintain an up-to-date reputation feed.

This protection enables organizations to defend against well-known botnets, including Emotet, Dridex, Qbot, and others.

Known Limitations

  • This feature supports only IPv4 traffic.

  • This feature is disabled when the Security Gateway is not connected to the Internet.

How to Enable Malware Prevention Using IP and Port Indicators

Follow these steps in SmartConsole:

  1. Enable the Anti-Bot Software Blade in the Security Gateway / Cluster object.

    1. From the left navigation panel, click Gateways & Servers.

    2. Double-click the Security Gateway / Cluster object.

    3. On the General Properties page > on the Threat Prevention tab:

      1. Select Custom Threat Prevention.

      2. Select Anti-Bot.

      3. Select the applicable option and click OK:

        • According to the Threat Prevention Policy (this is the default)

        • Detect only

    4. Click OK to close the Security Gateway / Cluster object.

  2. Enable the Protection Reputation IPs:

    1. From the left navigation panel, click Security Policies.

    2. In the top section Threat Prevention, click Custom Policy.

    3. In the bottom section Custom Policy Tools, click Protections.

    4. In the top panel, click the protection Reputation IPs.

    5. In the bottom panel, click the tab Activations.

    6. Right-click the applicable Threat Prevention profile and click the applicable action:

      • Ask

      • Prevent (this is the default action in the default Threat Prevention profiles)

      • Detect

  3. Install the Threat Prevention policy.

  4. Modify the $FWDIR/conf/ip_port_feed.conf file on the Security Gateway / Cluster Members:

    Note - In a Cluster, you must configure all the Cluster Members in the same way.

    1. Connect to the command line on the Security Gateway / each Cluster Member / Scalable Platform Security Group.

    2. If the default shell is Gaia Clish / Gaia gClish, then go to the Expert mode:

      expert

    3. Back up the configuration file:

      • On a Security Gateway / each Cluster Member:

        cp -v $FWDIR/conf/ip_port_feed.conf{,_BKP}

      • On a Scalable Platform Security Group:

        g_all cp -v $FWDIR/conf/ip_port_feed.conf{,_BKP}

    4. Edit the configuration file:

      vi $FWDIR/conf/ip_port_feed.conf

    5. For the parameter "enabled", configure the value "true":

      {
          "enabled": true,
          "url": "https://ipport.iaas.checkpoint.com/ip-port-feed.csv",
          "feed_size_limit": 10000,
          "policy_enabled": false,
          "ssl_validation_enabled": false
      }
      
    6. Save the changes in the file and exit the editor.

    7. On a Scalable Platform Security Group, copy the modified file to all Security Group Members:

      asg_cp2blades $FWDIR/conf/ip_port_feed.conf

    8. Apply the changes in one of these ways:

      • Wait 5 minutes for the scheduled task to apply the changes automatically.

      • Alternatively, run the following command to apply the changes immediately:

        • On a Security Gateway / each Cluster Member:

          ipp_feeder -f

        • On a Scalable Platform Security Group:

          g_all ipp_feeder -f

How to Disable Malware Prevention Using IP and Port Indicators

Note - In a Cluster, you must configure all the Cluster Members in the same way.

To disable this protection on a specific Security Gateway / Cluster without disabling the Anti-Bot Software Blade, modify the $FWDIR/conf/ip_port_feed.conf file:

  1. Connect to the command line on the Security Gateway / each Cluster Member / Scalable Platform Security Group.

  2. If the default shell is Gaia Clish / Gaia gClish, then go to the Expert mode:

    expert

  3. Back up the configuration file:

    • On a Security Gateway / each Cluster Member:

      cp -v $FWDIR/conf/ip_port_feed.conf{,_BKP}

    • On a Scalable Platform Security Group:

      g_all cp -v $FWDIR/conf/ip_port_feed.conf{,_BKP}

  4. Edit the configuration file:

    vi $FWDIR/conf/ip_port_feed.conf

  5. For the parameter "enabled", configure the value "false":

    {
        "enabled": false,
        "url": "https://ipport.iaas.checkpoint.com/ip-port-feed.csv",
        "feed_size_limit": 10000,
        "policy_enabled": false,
        "ssl_validation_enabled": false
    }
    
  6. Save the changes in the file and exit the editor.

  7. On a Scalable Platform Security Group, copy the modified file to all Security Group Members:

    asg_cp2blades $FWDIR/conf/ip_port_feed.conf

  8. Apply the changes in one of these ways:

    • Wait 5 minutes for the scheduled task to apply the changes automatically.

    • Alternatively, run the following command to apply the changes immediately:

      • On a Security Gateway / each Cluster Member:

        ipp_feeder -f

      • On a Scalable Platform Security Group:

        g_all ipp_feeder -f
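The file edit in the enable and disable procedures above, and the "contains only these lines" check in the troubleshooting section, all come down to the same five keys. The following POSIX shell helpers are an added example and are not Check Point code: they validate the file against the documented keys, keep a _BKP copy as the procedures do, and flip the "enabled" flag without hand-editing in vi. The file path is a parameter (an assumption of this example) so you can try the helpers on a copy before running them in Expert mode against $FWDIR/conf/ip_port_feed.conf. Applying the change still requires ipp_feeder -f (or the 5-minute scheduled task), exactly as the procedures describe.

```shell
#!/bin/sh
# Added example, not Check Point code. Helpers to inspect, validate and
# toggle the "enabled" flag in ip_port_feed.conf without hand-editing it.
# Assumptions: the file has the five keys the documentation shows, one key
# per line; the path is passed as a parameter so you can try this on a copy
# (for example /tmp/ip_port_feed.conf) before touching $FWDIR/conf.

# Write a constructed copy of the documented file to $1 with "enabled" = $2.
ipp_feed_write_sample() {
    cat > "$1" <<EOF
{
    "enabled": $2,
    "url": "https://ipport.iaas.checkpoint.com/ip-port-feed.csv",
    "feed_size_limit": 10000,
    "policy_enabled": false,
    "ssl_validation_enabled": false
}
EOF
}

# Print the current value of "enabled" (true or false); print nothing if
# the key is missing.
ipp_feed_get_enabled() {
    sed -n 's/^[[:space:]]*"enabled"[[:space:]]*:[[:space:]]*\([a-z]*\).*/\1/p' "$1" | head -n 1
}

# Check that the file contains exactly the five documented keys, as the
# troubleshooting step requires. Returns 1 and reports the problem otherwise.
ipp_feed_check() {
    f="$1"
    for key in enabled url feed_size_limit policy_enabled ssl_validation_enabled; do
        grep -q "^[[:space:]]*\"$key\"[[:space:]]*:" "$f" \
            || { echo "$f: missing key \"$key\"" >&2; return 1; }
    done
    # Any additional "key": line means the file has content it should not.
    n=$(grep -c '^[[:space:]]*"[A-Za-z_]*"[[:space:]]*:' "$f")
    [ "$n" -eq 5 ] || { echo "$f: expected 5 keys, found $n" >&2; return 1; }
    case "$(ipp_feed_get_enabled "$f")" in
        true|false) return 0 ;;
        *) echo "$f: \"enabled\" must be true or false" >&2; return 1 ;;
    esac
}

# Set "enabled" to true or false. Validates the file, keeps a _BKP copy
# first (as the documented procedure does), then verifies the result.
ipp_feed_set_enabled() {
    f="$1"; val="$2"
    case "$val" in
        true|false) ;;
        *) echo "value must be true or false" >&2; return 2 ;;
    esac
    ipp_feed_check "$f" || return 1
    cp "$f" "${f}_BKP"
    sed 's/^\([[:space:]]*"enabled"[[:space:]]*:[[:space:]]*\)[a-z]*/\1'"$val"'/' "$f" > "${f}.tmp" \
        && mv "${f}.tmp" "$f"
    [ "$(ipp_feed_get_enabled "$f")" = "$val" ]
}
```

Usage on a gateway, after `expert`: `ipp_feed_set_enabled "$FWDIR/conf/ip_port_feed.conf" true && ipp_feeder -f`; on a Scalable Platform Security Group, follow with `asg_cp2blades $FWDIR/conf/ip_port_feed.conf` and `g_all ipp_feeder -f` as the procedure shows. The check runs before the edit so that a corrupted file is reported rather than silently modified.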

Troubleshooting

Use this procedure to confirm that the feed configuration is correct and to identify and resolve any related errors.

  1. Connect to the command line on the Security Gateway / each Cluster Member / Scalable Platform Security Group.

  2. If the default shell is Gaia Clish / Gaia gClish, then go to the Expert mode:

    expert

  3. Make sure the configuration file $FWDIR/conf/ip_port_feed.conf contains only these lines:

    Note - If this file was corrupted and you replaced its contents, then install the Threat Prevention policy.

    {
        "enabled": true,
        "url": "https://ipport.iaas.checkpoint.com/ip-port-feed.csv",
        "feed_size_limit": 10000,
        "policy_enabled": false,
        "ssl_validation_enabled": false
    }
    
  4. Run:

    tp_collector_cli

    and look for errors from "App:MALWARE_IP_REP".

    Example:

    Time:      09:56:20
    Instance:0
    App:MALWARE_IP_REP
    Session ended with error:1
    Description:Update Failure.
    Feed fetch failed.
    Resource: "https://ipport.iaas.checkpoint.com/ip-port-feed.csv, Reason: HTTP response code said error (Response code: 403).
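As an added example that is not Check Point code, the shell function below scans saved tp_collector_cli output (assumed to have been redirected to a file first) for MALWARE_IP_REP sessions that ended with a non-zero error code, using the record layout shown in the example above. The sample log it builds combines the documented 403 failure with a constructed successful run and a constructed failure of a placeholder app, so the filter's behaviour is visible: only the MALWARE_IP_REP failure is reported, and the function's exit status can drive a monitoring check.

```shell
#!/bin/sh
# Added example, not Check Point code. Scans saved tp_collector_cli output
# for MALWARE_IP_REP sessions that ended with a non-zero error code and
# prints one summary line per failure. Returns 1 if any were found, 0 if
# none, so it can be used from a cron job or a monitoring check.
# Assumption: records look like the documentation's example (a "Time:" line
# starts each record, followed by App:, Session ended with error:,
# Description: and an optional Resource ... Reason: line).

# Write a constructed sample of tp_collector_cli output to $1: the failure
# record from the documentation, plus an invented successful run of the
# same app and an invented failure of a placeholder app.
ipp_feed_write_sample_log() {
    cat > "$1" <<'EOF'
Time:      09:56:20
Instance:0
App:MALWARE_IP_REP
Session ended with error:1
Description:Update Failure.
Feed fetch failed.
Resource: "https://ipport.iaas.checkpoint.com/ip-port-feed.csv, Reason: HTTP response code said error (Response code: 403).
Time:      10:01:20
Instance:0
App:MALWARE_IP_REP
Session ended with error:0
Description:Update succeeded.
Time:      10:02:05
Instance:0
App:PLACEHOLDER_OTHER_APP
Session ended with error:1
Description:Unrelated failure.
EOF
}

# Print "<time> error=<code> <description> <reason>" for each failed
# MALWARE_IP_REP session in file $1; exit 1 if at least one was found.
ipp_feed_failures() {
    awk '
        function flush() {
            if (app == "MALWARE_IP_REP" && code != "" && code != "0") {
                n++
                printf "%s error=%s %s %s\n", t, code, desc, reason
            }
            t = ""; app = ""; code = ""; desc = ""; reason = ""
        }
        /^Time:/                     { flush(); t = $2 }
        /^App:/                      { sub(/^App:/, ""); app = $0 }
        /^Session ended with error:/ { sub(/.*error:/, ""); code = $0 }
        /^Description:/              { sub(/^Description:/, ""); desc = $0 }
        /Reason:/                    { sub(/.*Reason: */, ""); reason = $0 }
        END { flush(); if (n > 0) exit 1; exit 0 }
    ' "$1"
}
```

Typical use in Expert mode: `tp_collector_cli > /tmp/tp_collector.out; ipp_feed_failures /tmp/tp_collector.out || echo "feed update failed"`. A reported failure with an HTTP error, as in the documented 403 example, points at the fetch of the feed URL rather than at the kernel table, so the next step is the ipp_feeder -d -f debug run described in step 5.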

  5. To see debug messages:

    1. Run:

      ipp_feeder -d -f

    2. Examine this log file:

      $FWDIR/log/ipp_feeder.elg

    Note - The feed SQL database is stored in this file: $FWDIR/amw/iprep/IPReputation.db

  6. Run this command to confirm observables were fetched to the kernel table:

    fw tab -t mal_ip_port_reputation