Check Point Script to block IP addresses pulled from a URL dynamically - without policy push
#This is an automatic IP blocking script built for R80.40 using fwaccel dos functionality #it uses dos rate limit with a rate of 0 packets per source IP. Supports milions of entries and low overhead on the gateway #No policy push is required
#References #https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk112454&partition=Advanced&product=SecureXL, #https://community.checkpoint.com/t5/General-Topics/R80-x-Performance-Tuning-Tip-DDoS-fw-sam-vs-fwaccel-dos/td-p/41525
#The script is designed to be deployed from one folder on the SMS/Management from where all files are copied.
#How to deploy script #Unzip to a folder you should have #blacklist-rf-block.sh #blacklist-rf-log-clean.sh #initial_setup_blacklist.sh #CREATE a whitelist file and place it is $FWDIR/conf/dos-whitelist-v4.conf , a local feed file and a local gateway file; touch $FWDIR/conf/dos-whitelist-v4.conf; echo "10.0.0.0/8" > $FWDIR/conf/dos-whitelist-v4.conf ##Whitelist must contain multiple one line IPs or Subnets to be excepted. ##The DoS whitelist is managed using the "fwaccel dos whitelist" command. Unlike the blacklist, the whitelist allows the use of CIDR expressions to whitelist entire networks. There is a single whitelist (i.e. there no "whitelist ID" parameter), and the whitelist applies to all 32 blacklists. ##feed file must contain exactly one line of URL to be blocked ##gateway file must contain SIC IP[SIC name] of destination gateways
#run the script once with -deploy then once with -on to make it start #the script schedules itself to run every 15 minutes on each gateway #you may also run -clean to remove the script from the gateways
#log locations #on management tail -f $FWDIR/tmp/blacklist-rf-block.log #on gateways tail -f $FWDIR/tmp/local_blacklist_rf_block.log
#HOW TO DEPLOY #add whitelist example# touch $FWDIR/conf/dos-whitelist-v4.conf; echo "10.0.0.0/8" > $FWDIR/conf/dos-whitelist-v4.conf ./initial_setup_blacklist.sh -a deploy -g gw.txt -f url.txt #to check correct deployment go to security gateway and run: #cpd_sched_config print; fwaccel dos whitelist -s | wc-l; fwaccel dos blacklist -s | wc -l; fwaccel dos stats get ./initial_setup_blacklist.sh -a on -g gw.txt -f url.txt #HOW TO ENABLE ./initial_setup_blacklist.sh -a on -g gw.txt -f url.txt #HOW TO DISABLE ./initial_setup_blacklist.sh -a off -g gw.txt -f url.txt #HOW TO CLEAN ./initial_setup_blacklist.sh -a clean -g gw.txt -f url.txt #manual disable: fwaccel dos config set --disable-internal; fwaccel dos config set --disable-blacklist; fwaccel dos blacklist -F; fwaccel dos whitelist -F
#HOW TO DEBUG
fwaccel dos stats get
#Usage: ./initial_setup_blacklist.sh -a <on|off|deploy|clean> [-g <gw_list_file>] [-f <feed_file>] #Option:
#Example:
Make sure to have /home/admin/dos-whitelist-v4.conf /home/admin/blacklist-rf-log-clean.sh and /home/admin/blacklist-rf-block.sh
#cprid_util -server 10.128.36.25 -verbose rexec -rcmd bash -c "curl_cli --insecure https://esdcsv-secmg01.ptcnet.ptc.com/iprisklist.txt | wc -l"
#Commands needed to be run to enable fwaccel dos blacklist -l /home/admin/blacklist.txt fwaccel dos whitelist -l /home/admin/whitelist.txt
#Commands needed to disable fwaccel dos config set --disable-internal fwaccel dos config set --disable-blacklist fwaccel dos blacklist -F fwaccel dos whitelist -F
#check status fwaccel dos blacklist -s fwaccel dos whitelist -s