The scripts to enable ThreatSTOP on your Check Point device must be run on the firewall. They will not work from a management station. This is because we add the blocked IP addresses to a Dynamic Object, and the only way to add addresses to the object is on the firewall. The script performs a pair of actions to maintain the firewall:
- First DNS queries are run to get the block lists.
- Then the results are taken and items are added or deleted as needed.
When run the first time, adding all the addresses may take some time. Future updates will not take as long to run, since the script only adds and removes addresses as needed.
To download the Check point script, click here.
If this is a new device, please allow up to 15 minutes for our systems to be updated.
When Check Point is adding individual IP Addresses to the object, consecutive addresses will automatically group into a single range. For example, if we add the addresses 192.0.2.1, 192.0.2.2, 192.0.2.3 and 192.0.2.200, Check Point will create two ranges: 192.0.2.1 - 192.0.2.3, and 192.0.2.200 - 192.0.2.200.
Some of our block lists are available as networks (192.0.2.0/24) and the script will add the full network to the object.
This script is specifically written to work on a Check Point UTM or Secure Platform (SPLAT), and will not work with Check Point installed on Windows, Red Hat Linux or Solaris.
Due to the manner in which ThreatSTOP needs to work with Check Point devices, a few things need to happen before the software is downloaded and configured to control the appliance.
- Administrative access to the firewall device must be available via SSH (TCP port 22). This allows the ThreatSTOP script to use SSH to modify dynamic objects and addresses in those objects.
- Ensure that the appliance has a name server configured. If you wish you may set the default Dynamic Name Server (DNS) on TCP/UDP port 53 to the ThreatSTOP Anycast server (220.127.116.11)
- Device logging must be enabled.
Confirm that the appliance can also access/download files from the Internet. In particular you should check that your appliance can connect with ftp.threatstop.com to do this:
When setting up your device on the ThreatSTOP website, use the external IP address of the firewall. If you do not know the external IP address go to http://www.threatstop.com/cgi-bin/validip.pl from the firewall. This will show you what IP address to use and whether that IP address is currently in our database.
If this is a new device, please allow up to 15 minutes for our systems to be updated.
Connecting to the Check Point Device
To connect to Check Point using SSH, access needs to be configured on the device. This is done through the Check Point Web User Interface, accessible via
- You will need to make sure the system that is used to connect to Check Point with SSH is permitted to do so. This can be configured in the Device section, under Web and SSH Clients.
To configure a user account for SSH
Go to the Device Administrators. You can use an existing user or create a new one.
To connect with Check Point you can use a command line SSH program or PuTTY, available at http://www.chiark.greenend.org.uk/~sgtatham/putty/.
Once connected to Check Point with SSH, we recommend that you increase the timeout value for command line sessions. Check Point has a relatively short, 10 minute idle timeout and the script can take longer when run manually. If the session times out while the script is running, the script is aborted and does not complete properly. To change the timeout setting, run the command:
This will change the timeout to 60 minutes, allowing plenty of time for the script to complete. After being executed, the command is automatically saved for future logins.
Once logged in, you will need to go into expert mode, which will take you to the UNIX command line interface. If you have not used expert mode before, you will be asked for a password. Enter the password you wish to use. After entering the password a UNIX prompt will display.
To enter expert mode enter "expert" as shown in this example and follow the remaining onscreen prompts:
Create the Dynamic Objects
New dynamic objects are created using the Check Point SmartDashboard program.
- Right click on the Dynamic Objects item on the left side of the window.
- Click on Dynamic Object...
- Name the new dynamic object "ThreatSTOP-block". You can optionally give a description and select a color.
- Repeat steps 2-3 to create another new dynamic object and call it "ThreatSTOP-allow"
On versions of UTM/SPLAT starting with R76, some screens may appear different. The related images have been placed under the older screenshots. The processes themselves however are identical.
One of the issues when connecting to Check Point through SSH is the terminal settings. When connected, Check Point may see the terminal as "xterm-color" which is not configured on Check Point. With an unsupported terminal type, editing and sometimes viewing files will not work. To get this working, you may need to set the terminal type. This is done by running the command:
You can make this a permanent change by adding the above command to the ~/.bashrc file. To set this, run the command:
Download the Script to Check Point
You will need to copy the script to the firewall. You can download the script from our FTP server directly from your Check Point firewall using the standard FTP program:
After downloading the script, you can extract the archive with the following command:
This will create a new folder named checkpoint-splat in your home (~) folder.
Go into the folder by entering cd /checkpoint-splat and you will see the following files:
- setup.sh: Setup script to create the Dynamic Object and a scheduled job to automatically run the script every two hours.
- checkpoint_splat.sh: Main script that gets the block lists and populates the dynamic object.
- sendlog.sh: Script to send the firewall log to ThreatSTOP.
- threatstop.conf-example: Example configuration file for the script.
- wrapper.sh: Script that runs the checkpoint_splat.sh script. Used only for the scheduled job.
- clear-object.sh: Script to clear all but one address from the Dynamic Object.
- apl.sed: Sed script used by checkpoint_splat.sh.
- ptr.sed: Sed script used by checkpoint_splat.sh.
- txt.sed: Sed script used by checkpoint_splat.sh.
- setup-ha.sh: Setup script for cluster environments.
- setup-ha-logs.sh: Setup script for sending logs in a cluster environment.
Below is the configuration file for this device, which can be left as-is, but you need to update the MAIL_SERVER address if you want to get an email with the output of the script. Copy the following into the file threatstop.conf in the same directory as the script.
Before running the main script, you will need to run the setup.sh script to create:
- The Dynamic Object
- The scheduled jobs to automatically run the script every two hours
- A second scheduled job to email the logs to ThreatSTOP
To run the setup script:
Running the Script
The main script, checkpoint_splat.sh, populates the Dynamic Object with your block list. The script should be run in debug mode for testing before being used live. To run in debug mode, enter the command:
This gathers your block lists and displays the commands that will be run. No actions are taken to the Dynamic Object when run this way. If everything looks correct, you can run the script without the debug option:
This will populate the Dynamic Object with your block lists.
If you want to view the items in the Dynamic Object, run the command:
The dynamic_objects executable may not be in your path. If the above does not work, run the following, appending R with the version of Check Point you are running. For example, if you are running R71, the command will be:
In addition to the ThreatSTOP object, any other Dynamic Objects that are configured on the system are shown as well.
Create the Check Point Rules
Now that the Dynamic Object is populated, we can create the rules to block traffic from the object. The block rule should be added before any allow rules in the SmartDashboard:
We ask that you name the rules either ThreatSTOP IN or ThreatSTOP OUT. There are two reasons for this: Create a new rule that has the ThreatSTOP object as the source, Any for the Destination and Service, Drop as the Action, and Log as the Track option
- This allows you to see, or filter, the blocked traffic in the SmartView Tracker more easily, due to the column named Rule Name.
- Additionally we are able to more easily determine the direction the blocked traffic is going when we parse the logs. If you choose to use different rule names, your reports may not be as accurate as you want.
- If you want to block outbound traffic to the object, create another rule similar to the one you just created, but this time set the Source as Any and the destination the to the ThreatSTOP object.
Clearing the Dynamic Object
If you want to clear the ThreatSTOP Dynamic Object, but do not want to completely remove ThreatSTOP, we have a script that will clear all the addresses from the object, except for one IP address. The object needs to have at least one address to prevent the firewall from blocking all the traffic. After logging in using SSH, issue the following commands:
Running on a Check Point Cluster
Running the ThreatSTOP scripts on a Check Point Cluster is similar to a single firewall, but there are some differences. Each node in the cluster needs to run the checkpoint_splat.sh script. This is because each node needs to have the ThreatSTOP Dynamic Object created and with at least one address in it. If one of the nodes is not setup and becomes the primary node in the cluster, all traffic will be blocked. This happens because the node does not have the Dynamic Object defined, and Check Point will interpret the object in the rule as 0.0.0.0, which translates to everything.
Instead of running the setup.sh script, you will need to run the setup-ha.sh script which does not create the scheduled job to send the log, but is otherwise identical to setup.sh.
The script to send the logs needs to be running on the log server to have the firewall logs sent to ThreatSTOP. Depending on how you have your cluster environment setup, the log server could be the management node or a separate server.
On the log server, you will need to copy and extract the scripts and run the setup-ha-logs.sh script. This will only create the scheduled job to send the log.
Once completed, your network is protected with an updated list every two hours.
Restore to Previous State
If you decide to remove ThreatSTOP from your Check Point, you need to proceed in a specific order to make sure that traffic through the firewall is not affected.
- From the SmartDashboard, delete all rules that reference the ThreatSTOP Dynamic Object and install the updated policy.
From an SSH connection to the firewall, in expert mode, delete the scheduled job that runs the script that updates the Dynamic Object:
From an SSH connection to the firewall, in expert mode, delete the scheduled job that runs the script that sends the firewall log:
Delete the ThreatSTOP dynamic object:
Optionally delete the directory with the scripts: