Automated way/script to add hundreds of IP to block in Checkpoint SG 12600

sunhux
I know an ex-colleague had a way at the command line (a script or whatever) to automate
adding IPs to block malicious IPs on a Nokia Checkpoint: that was years ago.

My current network colleague says it's very tedious to add IPs, as he has to create an
object, then go into another screen to add it to a group, and we often get 100-700
IPs from threat intel (from a cyber regulator). Is there a way to automate mass
blocking for the CheckPoint Security Gateway 12600? Isn't there a way to get to the
SG12600's Unix command prompt and write a script to automate it?


With Linux iptables we can certainly do it easily with a shell script.

I heard Palo Alto has an interface to add IPs en masse, but my network guy says
CheckPoint (and possibly Fortigate) don't.
DarinTCH, Senior CyberSecurity Engineer
Commented:
Palo Alto uses MineMeld.
Technically this can aggregate many sources and create a single list which you could import anywhere.
David Favor, Fractional CTO
Distinguished Expert 2018
Commented:
Alternative: trying to do this on a network device is complex to manage.

If you get rid of all your network devices and use Linux as your DMZ (network device), then you can just use Fail2Ban.

With Fail2Ban, you write recipes that notice incorrect access patterns and automatically manage blocking/unblocking of IPs.

With Fail2Ban, you set up a recipe once and it works forever, with no human intervention.

Fail2Ban may be a better option if you have time or budget considerations.

Author
Commented:
> Palo Alto uses MineMeld
Thanks, but I'll need it for CheckPoint.
Btw, Darin, what was the firewall brand and model you used that, as you
mentioned previously, blocked 300 million China IPs?

David, can Fail2ban work for CheckPoint or any other firewall (e.g. Fortigate)?
DarinTCH, Senior CyberSecurity Engineer
Commented:
I've done it with Palo Alto recently,
but also Juniper and Fortigate.

PS: the MineMeld that Palo built is now kinda independent...
not really run directly by them, but managed by a group of folks.

So you can download the MineMeld tool and use it for any brand that can accept a feed from a txt file.

Author
Commented:
Darin, what's the brand/model of the firewall that you used to block 300 million China IPs without performance impact?

Btw, I'm referring to the links below regarding scripting/commands, but I reckon MineMeld could probably do it more easily?
https://sc1.checkpoint.com/documents/R77/CP_R77_Multi-DomainSecurityManagement_WebAdminGuide/105997.htm
https://community.checkpoint.com/t5/API-CLI-Discussion-and-Samples/Creating-Firewall-Rules-per-CLI/td-p/16366
DarinTCH, Senior CyberSecurity Engineer
Commented:
Recently I've done geolocation blocking on a PAN 3260 (~10 Gbps FW)
and the 5260, which I think is 60 Gbps straight and 32-35 Gbps with all IDP etc. turned on.

I should mention I also use EDLs (external dynamic lists), and I try to block things like proxies and anonymizers.
Geoblocking uses a geolocation tag and can reasonably block an entire country... obviously they can still proxy their traffic.

https://live.paloaltonetworks.com/t5/Blogs/Geolocation-and-geoblocking/ba-p/188812
Hi,

Here is a useful list you can use which is updated on a daily basis.

Cheers
Top Expert 2014
Commented:
Not familiar with Check Point, but if it has a CLI, then you should be able to script it. To the firewall it will look like somebody is manually entering everything, but you would be using a bash shell script and expect from a Linux box.

I can't remember the details, but I know RANCID (https://www.shrubbery.net/rancid/) used scripts and expect to do various things to any network device (actually anything) that had a CLI.

expect allows you to log on to another box, issue a command, wait for the expected response, and issue more commands.

In my simple mind:

  1) You have a file with all the IP addresses you want to add to a "block group".
  2) You write a script that reads that file and creates a second file with all of the Checkpoint commands to add those addresses to the "block group".
  3) You have an expect script that then logs onto the firewall and reads and loops through the file created in step 2 to issue the commands.
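Added example, not posted by anyone in this thread: a Python script covering steps 1 and 2 above, plus the feed clean-up that MineMeld does in the earlier comment (merging sources, removing duplicates) so that the list is safe to push. It parses a raw IP/CIDR list, drops anything that overlaps RFC1918, loopback, link-local or multicast space or your own public ranges (a regulator feed can contain those by mistake, and a blind import would cut you off), collapses duplicates and networks already covered by a larger entry, and writes one `mgmt_cli` line per object. Assumptions not stated on the page: the management server is an R80+ release with the `mgmt_cli` tool and its `add host`, `add network`, `set group ... members.add.N` and `publish` commands; a group called `TI_Blocklist` already exists and is referenced by a Drop rule; the session file `id.txt` was produced by `mgmt_cli login ...`; the feed text and the `192.0.2.0/24` "own range" are constructed for the example. Because `mgmt_cli` runs on the management server itself, the generated file can simply be executed there with bash; the expect step 3 is only needed for a device that has no scriptable management API.

```python
"""Turn a raw threat-intel IP list into a Check Point mgmt_cli command file.

Added example for this thread; not Check Point's own tooling. The mgmt_cli
syntax below is the R80+ form (assumed); adjust if your release differs.
"""
import ipaddress
import re

# Constructed sample feed (not a real regulator feed): plain IPs, a CIDR,
# comments, a duplicate, an entry already covered by the CIDR, an RFC1918
# address, an address in our own range, an IPv6 address and a junk token.
SAMPLE_FEED = """\
# threat intel drop 2019-xx-xx
203.0.113.7
203.0.113.7          ; duplicate
198.51.100.0/24
198.51.100.77        ; already inside the /24 above
10.0.0.5             ; RFC1918, must never reach the edge firewall
192.0.2.10           ; inside OUR_RANGES, must be excluded
2001:db8::1
not-an-ip
"""

# Ranges a feed must never make us block (assumed policy for this example).
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
    "::1/128", "fc00::/7", "fe80::/10")]
# Your own public space (constructed value; a feed may list it by mistake).
OUR_RANGES = [ipaddress.ip_network("192.0.2.0/24")]

GROUP_NAME = "TI_Blocklist"   # assumed to exist and to be used by a Drop rule
SESSION_FILE = "id.txt"       # assumed output of: mgmt_cli login ... > id.txt


def parse_feed(text):
    """Step 1: read the raw list. '#' and ';' start comments; bad tokens are skipped."""
    nets = []
    for line in text.splitlines():
        token = re.split(r"[#;]", line, maxsplit=1)[0].strip()
        if not token:
            continue
        try:
            nets.append(ipaddress.ip_network(token, strict=False))
        except ValueError:
            pass  # junk line; in production log it rather than dropping silently
    return nets


def normalize(nets, never_block=NEVER_BLOCK, own=OUR_RANGES):
    """Drop entries overlapping reserved or own ranges, then collapse duplicates
    and networks already covered by a larger entry. Returns v4 then v6, sorted."""
    keep = [n for n in nets
            if not any(n.overlaps(x) for x in never_block)
            and not any(n.overlaps(x) for x in own)]
    # collapse_addresses needs one IP version per call
    v4 = ipaddress.collapse_addresses([n for n in keep if n.version == 4])
    v6 = ipaddress.collapse_addresses([n for n in keep if n.version == 6])
    return list(v4) + list(v6)


def object_name(net):
    """Deterministic object name, so a re-run can be diffed against the last one."""
    base = "TI_" + str(net.network_address).replace(".", "_").replace(":", "-")
    return base if net.prefixlen == net.max_prefixlen else f"{base}_{net.prefixlen}"


def build_commands(nets, group=GROUP_NAME, session=SESSION_FILE, chunk=50):
    """Step 2: emit mgmt_cli lines: one add per object, group membership in
    numbered chunks (members.add.1, members.add.2, ...), then one publish."""
    cmds, names = [], []
    for n in nets:
        name = object_name(n)
        names.append(name)
        if n.prefixlen == n.max_prefixlen:
            cmds.append(f'mgmt_cli -s {session} add host name "{name}" '
                        f'ip-address "{n.network_address}"')
        else:
            cmds.append(f'mgmt_cli -s {session} add network name "{name}" '
                        f'subnet "{n.network_address}" mask-length {n.prefixlen}')
    for i in range(0, len(names), chunk):
        members = " ".join(f'members.add.{k + 1} "{m}"'
                           for k, m in enumerate(names[i:i + chunk]))
        cmds.append(f'mgmt_cli -s {session} set group name "{group}" {members}')
    cmds.append(f"mgmt_cli -s {session} publish")
    return cmds


if __name__ == "__main__":
    # Redirect this output to a file and run it on the management server
    # (bash block.sh); that replaces the expect step for a scriptable manager.
    for line in build_commands(normalize(parse_feed(SAMPLE_FEED))):
        print(line)
```

The publish at the end is what makes the change visible to policy install; nothing is enforced on the 12600 until the policy is installed, so the real pipeline is generate, run, publish, install. Running the feed through `normalize` before generating anything is the part worth keeping even if you script the CLI some other way: the three silent failure modes of a mass import are duplicates (object-exists errors abort a naive batch), an address already covered by a listed CIDR (harmless but clutters the rulebase) and a private or owned range (outage).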
