The scripts to enable ThreatSTOP on your Check Point device must be run on the firewall. They will not work from a management station, because we add the blocked IP addresses to a Dynamic Object, and the only way to add addresses to the object is on the firewall. The script performs a pair of actions to maintain the firewall:

  1. First, DNS queries are run to get the block lists.
  2. Then the results are taken and addresses are added to or deleted from the object as needed.

When run the first time, adding all the addresses may take some time. Future updates will not take as long to run, since the script only adds and removes addresses as needed.

To download the Check Point script, click here.

If this is a new device, please allow up to 15 minutes for our systems to be updated.

When Check Point adds individual IP addresses to the object, consecutive addresses are automatically grouped into a single range. For example, if we add the addresses 192.0.2.1, 192.0.2.2, 192.0.2.3 and 192.0.2.200, Check Point will create two ranges: 192.0.2.1 - 192.0.2.3, and 192.0.2.200 - 192.0.2.200.

Note:

Some of our block lists are available as networks (192.0.2.0/24) and the script will add the full network to the object.
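The compare-and-sync step described above, written here as an added POSIX shell example rather than ThreatSTOP's own checkpoint_splat.sh: it turns a block list of IPs and networks into the coalesced ranges Check Point stores, diffs them against what the object currently holds, and prints the dynamic_objects add/delete commands, never deleting the shim address and refusing to act on an empty list or one over MAXPOLICYSIZE. The variable names mirror threatstop.conf; the sample block list and the "dynamic_objects -l" listing are constructed.

```shell
# Added example, not ThreatSTOP's code: the compare-and-sync step the page
# describes, against a Check Point Dynamic Object. BLOCK_OBJNAME, SHIM_IP,
# MAXPOLICYSIZE and DYNOBJ mirror threatstop.conf; the block list is assumed
# to arrive one IP or CIDR per line (what the DNS queries return).
export LC_ALL=C
DYNOBJ="${DYNOBJ:-dynamic_objects}"
BLOCK_OBJNAME="ThreatSTOP-block"
SHIM_IP="0.0.0.2"
MAXPOLICYSIZE=30000

ip2int() { set -- $(printf '%s' "$1" | tr . ' '); echo $(( ($1<<24)|($2<<16)|($3<<8)|$4 )); }
int2ip() { echo "$(( ($1>>24)&255 )).$(( ($1>>16)&255 )).$(( ($1>>8)&255 )).$(( $1&255 ))"; }

# IPs/CIDRs on stdin -> sorted, coalesced "start end" ranges on stdout, merging
# consecutive addresses into one range just as Check Point stores them.
to_ranges() {
  while read -r entry; do
    case "$entry" in
      "")  continue ;;
      */*) size=$(( 1 << (32 - ${entry#*/}) ))
           start=$(( $(ip2int "${entry%/*}") & ~(size - 1) ))
           end=$(( start + size - 1 )) ;;
      *)   start=$(ip2int "$entry"); end=$start ;;
    esac
    echo "$start $end"
  done | sort -n | awk '
    NR == 1     { s = $1; e = $2; next }
    $1 <= e + 1 { if ($2 > e) e = $2; next }   # adjacent or overlapping: merge
                { print s, e; s = $1; e = $2 }
    END         { if (NR) print s, e }' |
  while read -r s e; do echo "$(int2ip "$s") $(int2ip "$e")"; done
}
# "dynamic_objects -l" output on stdin -> the "start end" ranges of object $1.
object_ranges() {
  awk -v obj="$1" '/^object name :/ { in_obj = ($4 == obj); next }
                   in_obj && /^range/ { print $4, $5 }'
}
# $1 = file of wanted ranges, $2 = file of current ranges. Prints the commands
# to run, deletions first. The shim is never deleted, and an empty list (failed
# lookup) or one over MAXPOLICYSIZE changes nothing instead of draining the object.
sync_cmds() {
  [ -s "$1" ] || { echo "empty block list; leaving $BLOCK_OBJNAME untouched" >&2; return 1; }
  [ "$(wc -l < "$1" | tr -d ' ')" -le "$MAXPOLICYSIZE" ] ||
    { echo "block list exceeds MAXPOLICYSIZE=$MAXPOLICYSIZE" >&2; return 1; }
  awk -v shim="$SHIM_IP" '
    NR == FNR { want[$0] = 1; next }
    { have[$0] = 1; if ($1 != shim && !($0 in want)) print "-d", $0 }
    END { for (r in want) if (!(r in have)) print "-a", r }' "$1" "$2" |
  sort -k1,1r -k2,2 | while read -r act s e; do
    echo "$DYNOBJ -o $BLOCK_OBJNAME -r $s $e $act"
  done
}

# Constructed sample: five DNS answers for the block list and a captured
# "dynamic_objects -l" listing showing what the object currently holds.
demo() {
  want=$(mktemp); have=$(mktemp)
  printf '%s\n' 192.0.2.1 192.0.2.2 192.0.2.3 192.0.2.200 198.51.100.0/24 | to_ranges > "$want"
  printf '%s\n' 'object name : CPDShield' 'range 0 : 0.0.0.1       0.0.0.1' \
    'object name : ThreatSTOP-block' 'range 0 : 0.0.0.2       0.0.0.2' \
    'range 1 : 203.0.113.9       203.0.113.9' | object_ranges "$BLOCK_OBJNAME" > "$have"
  sync_cmds "$want" "$have"
  rm -f "$want" "$have"
}
demo
```

Running it prints one delete for 203.0.113.9 followed by three adds (192.0.2.1-192.0.2.3, 192.0.2.200, and the whole 198.51.100.0/24), which is exactly what the debug mode of the real script would show you before any change is made.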

Requirements

This script is specifically written to work on a Check Point UTM or Secure Platform (SPLAT), and will not work with Check Point installed on Windows, Red Hat Linux or Solaris.

Prerequisites

Recommended Versions

ThreatSTOP is compatible with the following Check Point versions:

  Minimum:     GAIA R76
  Suggested:   R77
  Recommended: R77.30

Due to the manner in which ThreatSTOP needs to work with Check Point devices, a few things need to happen before the software is downloaded and configured to control the appliance.

  1. Administrative access to the firewall device must be available via SSH (TCP port 22). This allows the ThreatSTOP script to use SSH to modify dynamic objects and the addresses in those objects.
  2. Ensure that the appliance has a name server configured. If you wish, you may set the default Domain Name System (DNS) server (TCP/UDP port 53) to the ThreatSTOP Anycast server (192.124.129.42).
  3. Device logging must be enabled.

Confirm that the appliance can also access and download files from the Internet. In particular, check that your appliance can reach ftp.threatstop.com:

ping ftp.threatstop.com

Configuration

Portal

When setting up your device on the ThreatSTOP website, use the external IP address of the firewall. If you do not know the external IP address, go to http://www.threatstop.com/cgi-bin/validip.pl from the firewall. This will show you which IP address to use and whether that IP address is currently in our database.

Connecting to the Check Point Device

To connect to Check Point using SSH, access needs to be configured on the device. This is done through the Check Point Web User Interface, accessible via https://<internal-address-or-name-of-firewall>.

  1. You will need to make sure the system that is used to connect to Check Point with SSH is permitted to do so. This can be configured in the Device section, under Web and SSH Clients.

To configure a user account for SSH

  1. Go to the Device Administrators. You can use an existing user or create a new one.
    To connect with Check Point you can use a command line SSH program or PuTTY, available at http://www.chiark.greenend.org.uk/~sgtatham/putty/.
    Once connected to Check Point with SSH, we recommend that you increase the timeout value for command line sessions. Check Point has a relatively short 10-minute idle timeout, and the script can take longer when run manually. If the session times out while the script is running, the script is aborted and does not complete properly. To change the timeout setting, run the command:

     [cpmodule]# idle 60

    This will change the timeout to 60 minutes, allowing plenty of time for the script to complete. After being executed, the command is automatically saved for future logins.

  2. Once logged in, you will need to go into expert mode, which will take you to the UNIX command line interface. If you have not used expert mode before, you will be asked for a password. Enter the password you wish to use. After entering the password a UNIX prompt will display.

  3. To enter expert mode, type "expert" as shown in this example and follow the remaining onscreen prompts:

    [cpmodule]# expert
    Enter current password:

    This is the first time you enter the expert mode.
    Expert password must be changed.

    Enter new expert password:
    Enter new expert password (again):

    You are in expert mode now.

    [Expert@cpmodule]#

Create the Dynamic Objects

New dynamic objects are created using the Check Point SmartDashboard program.

  1. Right click on the Dynamic Objects item on the left side of the window.
  2. Click on Dynamic Object...

  3. Name the new dynamic object "ThreatSTOP-block". You can optionally give a description and select a color.
  4. Repeat steps 2-3 to create another new dynamic object and call it "ThreatSTOP-allow".

Note:

On versions of UTM/SPLAT starting with R76, some screens may appear different. The related images have been placed under the older screenshots. The processes themselves, however, are identical.

Terminal Settings

One of the issues when connecting to Check Point through SSH is the terminal type. When connected, Check Point may see the terminal as "xterm-color", which is not configured on Check Point. With an unsupported terminal type, editing and sometimes viewing files will not work. To fix this, set the terminal type by running the command:

[Expert@cpmodule]# export TERM=xterm

You can make this a permanent change by adding the above command to the ~/.bashrc file. To set this, run the command:

[Expert@cpmodule]# echo "export TERM=xterm" >> ~/.bashrc

Download the Script to Check Point

You will need to copy the script to the firewall. You can download the script from our FTP server directly from your Check Point firewall using the standard FTP program:

[Expert@cpmodule]# ftp ftp.threatstop.com
Connected to ftp.threatstop.com.
220 Welcome to ThreatSTOP FTP service.
Name (ftp.threatstop.com:admin): anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd pub
250 Directory successfully changed.
ftp> get checkpoint-splat.tar.gz
local: checkpoint-splat.tar.gz remote: checkpoint-splat.tar.gz
226 File send OK.
2806 bytes received in 00:00 (57.45 KiB/s)
ftp> quit
221 Goodbye.

After downloading the script, you can extract the archive with the following command:

[Expert@cpmodule]# tar -xzvf checkpoint-splat.tar.gz

This will create a new folder named checkpoint-splat in your home (~) folder. Go into the folder by entering cd ~/checkpoint-splat and you will see the following files:

  • setup.sh: Setup script to create the Dynamic Object and a scheduled job to automatically run the script every two hours.
  • checkpoint_splat.sh: Main script that gets the block lists and populates the dynamic object.
  • sendlog.sh: Script to send the firewall log to ThreatSTOP.
  • threatstop.conf-example: Example configuration file for the script.
  • wrapper.sh: Script that runs the checkpoint_splat.sh script. Used only for the scheduled job.
  • clear-object.sh: Script to clear all but one address from the Dynamic Object.
  • apl.sed: Sed script used by checkpoint_splat.sh.
  • ptr.sed: Sed script used by checkpoint_splat.sh.
  • txt.sed: Sed script used by checkpoint_splat.sh.
  • setup-ha.sh: Setup script for cluster environments.
  • setup-ha-logs.sh: Setup script for sending logs in a cluster environment.

Configuration

Below is the configuration file for this device. Replace the placeholders (<allow list name>, <block list name> and <Device IP>) with your own values, and update the MAIL_SERVER address if you want to get an email with the output of the script; the remaining settings can be left as-is. Copy the following into the file threatstop.conf in the same directory as the script.

#
# Configuration file for the ThreatSTOP Check Point SPLAT scripts
#
# Enter your ThreatSTOP block list

#Maximum number of entries to add to a dynamic object
MAXPOLICYSIZE=30000

ALLOW_LIST=<allow list name>..threatstop.local
BLOCK_LIST=<block list name>..threatstop.local

# Device IP Address
DEVICE_IP="<Device IP>"

# IP Address to always be in the dynamic object. This needs to be an
# address that will never be seen by your firewall. By default, we
# set it to 0.0.0.2.
SHIM_IP="0.0.0.2"

# The ThreatSTOP DNS Server
DNS_SERVERS="192.124.129.42"

# Name of the Check Point Dynamic Object to use. This must match the object
# created in the Check Point GUI. The name is case sensitive.
BLOCK_OBJNAME="ThreatSTOP-block"
ALLOW_OBJNAME="ThreatSTOP-allow"

# Enable/Disable verbose logging when the script runs. Enabling this
# will show all the commands that the script executes.
#VERBOSE="false"
VERBOSE="true"

# Send report via email when the script is finished. This only applies
# when running the wrapper script. Running the script manually does not
# send an email report
#SEND_EMAIL="false"
SEND_EMAIL="true"

# The email server to use for sending the email
MAIL_SERVER="IP_ADDRESS_OF_EMAIL_SERVER"

# Email address to send the script output to
MAILTO="<Device IP>@threatstop.com"

# Subject of the email
SUBJECT="ThreatSTOP Check Point Report"

# Used to construct the from email address when sending the output of the
# script. Email will come from $HOSTNAME@$DOMAINNAME
# No need to change these two settings.
HOSTNAME=`hostname`
DOMAINNAME=`domainname`

# Path to the dynamic_objects executable. The FWDIR variable is taken from
# the /etc/profile.d/CP.sh file, which the script reads to get variables
# specific to the Check Point version that you are running.
DYNOBJ="$FWDIR/bin/dynamic_objects"

Setup

Before running the main script, you will need to run the setup.sh script to create:

  • The Dynamic Object
  • The scheduled job to automatically run the script every two hours
  • A second scheduled job to email the logs to ThreatSTOP

To run the setup script:

[Expert@HT-CP77:0]# ./setup.sh
Creating threatstop-block Dynamic Object.

Dynamic object already exists
====================
Adding Shim IP to Dynamic Object.

Operation completed successfully

Log update success
====================
Dynamic Object created successfully.
Here are the currently configured objects:

object name : threatstop-block
range 0 : 0.0.0.2       0.0.0.2
object name : threatstop-allow
range 0 : 0.0.0.2       0.0.0.2

object name : CPDShield
range 0 : 0.0.0.1       0.0.0.1

object name : <block list>.<ThreatSTOP account ID>.threatstop.local
range 0 : 0.0.0.2       0.0.0.2

object name : <allow list>.<ThreatSTOP account ID>.threatstop.local
range 0 : 0.0.0.2       0.0.0.2

Operation completed successfully
====================
Creating threatstop-allow Dynamic Object.

Dynamic object already exists
====================
Adding Shim IP to Dynamic Object.

Operation completed successfully

Log update success
====================
Dynamic Object created successfully.
Here are the currently configured objects:

object name : threatstop-block
range 0 : 0.0.0.2       0.0.0.2

object name : threatstop-allow
range 0 : 0.0.0.2       0.0.0.2

object name : CPDShield
range 0 : 0.0.0.1       0.0.0.1

object name : <block list>.<ThreatSTOP account ID>.threatstop.local
range 0 : 0.0.0.2       0.0.0.2

object name : <allow list>.<ThreatSTOP account ID>.threatstop.local
range 0 : 0.0.0.2       0.0.0.2

Operation completed successfully
====================

Scheduled job created successfully.
List of the currently scheduled jobs:
Task: "RotateLogs"
        Command: /sbin/cp_logrotate
        Arguments:
        Interval: 100
        Active: true
        RunAtStart: true
Task: "ThreatSTOP"
        Command: /home/admin/ts-checkpoint/wrapper.sh
        Arguments:
        Interval: 7200
        Active: true
        RunAtStart: false
Task: "ThreatSTOP-Log"
        Command: /home/admin/ts-checkpoint/sendlog.sh
        Arguments:
        Interval: 14400
        Active: true
        RunAtStart: false
[Expert@HT-CP77:0]#

Running the Script

The main script, checkpoint_splat.sh, populates the Dynamic Object with your block list. The script should be run in debug mode for testing before being used live. To run in debug mode, enter the command:

[Expert@cpmodule]# ./checkpoint_splat.sh debug

Starting checkpoint_splat.sh v1.91 update on Wed Apr 4 20:25:39 UTC 2011

DEBUG MODE!!

No changes will be made

Importing ./threatstop.conf
DNS Server 192.124.129.42 worked
Using DNS Server 192.124.129.42

Processing <block list name>..threatstop.local

Adding 1000 blocked addresses
DEBUG: /opt/CPsuite-R70/fw1/bin/dynamic_objects -o ThreatSTOP -r 195.254.186.0 195.254.187.255 -a
DEBUG: /opt/CPsuite-R70/fw1/bin/dynamic_objects -o ThreatSTOP -r 144.206.0.0 144.206.255.255 -a
<--- cut ---->
DEBUG: /opt/CPsuite-R70/fw1/bin/dynamic_objects -o ThreatSTOP -r 222.185.231.246 222.185.231.246 -a

Deleting 1 blocked addresses

Pretended to add 1000 items to the ThreatSTOP Dynamic Object
Pretended to delete 0 items from the ThreatSTOP Dynamic Object

Finished checkpoint_splat.sh update at Wed Apr 4 20:25:41 UTC 2011
Run Length: 0 hour(s) 0 minute(s) 2 second(s)

This gathers your block lists and displays the commands that would be run. No changes are made to the Dynamic Object when run this way. If everything looks correct, you can run the script without the debug option:

[Expert@cpmodule]# ./checkpoint_splat.sh
Starting checkpoint_splat.sh v1.91 update on Wed Apr 4 20:25:39 UTC 2011

Importing ./threatstop.conf
DNS Server 192.124.129.42 worked
Using DNS Server 192.124.129.42

Processing <block list name>..threatstop.local


Deleting and creating dynamic object ThreatSTOP
/opt/CPsuite-R70/fw1/bin/dynamic_objects -do ThreatSTOP
/opt/CPsuite-R70/fw1/bin/dynamic_objects -n ThreatSTOP

Adding 1000 blocked addresses
/opt/CPsuite-R70/fw1/bin/dynamic_objects -o ThreatSTOP -r 195.254.186.0 195.254.187.255 -a
/opt/CPsuite-R70/fw1/bin/dynamic_objects -o ThreatSTOP -r 144.206.0.0 144.206.255.255 -a
<--- cut ---->
/opt/CPsuite-R70/fw1/bin/dynamic_objects -o ThreatSTOP -r 222.185.231.246 222.185.231.246 -a

Deleting 1 blocked addresses

Added 1000 items to the ThreatSTOP Dynamic Object
Deleted 0 items from the ThreatSTOP Dynamic Object

Finished checkpoint_splat.sh update at Wed Apr 4 20:25:42 UTC 2011
Run Length: 0 hour(s) 0 minute(s) 3 second(s)

This will populate the Dynamic Object with your block lists.
If you want to view the items in the Dynamic Object, run the command:

[Expert@cpmodule]# dynamic_objects -l

The dynamic_objects executable may not be in your path. If the above does not work, run the following, substituting the version of Check Point you are running after the R. For example, if you are running R71, the command will be:

[Expert@cpmodule]# /opt/CPsuite-R71/fw1/bin/dynamic_objects -l

In addition to the ThreatSTOP object, any other Dynamic Objects that are configured on the system are shown as well.

[Expert@cpmodule]# dynamic_objects -l

object name : CPDShield
range 0 : 0.0.0.1       0.0.0.1

object name : ThreatSTOP
range 0 : 0.0.0.2       0.0.0.2
range 1 : 61.183.23.147       61.183.23.147
range 2 : 72.52.200.12       72.52.200.12
range 3 : 77.69.221.0       77.69.221.255
range 4 : 78.177.127.0       78.177.127.255
range 5 : 79.98.49.0       79.98.49.255
<--- cut ---->
range 29 : 216.240.150.0       216.240.150.255
range 30 : 218.201.148.0       218.201.148.255

Operation completed successfully

Create the Check Point Rules

Now that the Dynamic Object is populated, we can create the rules to block traffic from the object. The block rule should be added before any allow rules in the SmartDashboard:

  1. Create a new rule that has the ThreatSTOP object as the Source, Any for the Destination and Service, Drop as the Action, and Log as the Track option.
    We ask that you name the rules either ThreatSTOP IN or ThreatSTOP OUT. There are two reasons for this:
      • This allows you to see, or filter, the blocked traffic in the SmartView Tracker more easily, using the Rule Name column.
      • Additionally, we are able to determine more easily which direction the blocked traffic is going when we parse the logs. If you choose to use different rule names, your reports may not be as accurate as you want.
  2. If you want to block outbound traffic to the object, create another rule similar to the one you just created, but this time set the Source to Any and the Destination to the ThreatSTOP object.

Clearing the Dynamic Object

If you want to clear the ThreatSTOP Dynamic Object, but do not want to completely remove ThreatSTOP, we have a script that will clear all the addresses from the object, except for one IP address. The object needs to have at least one address to prevent the firewall from blocking all the traffic. After logging in using SSH, issue the following commands:

[Expert@cpmodule]# cd ~/checkpoint-splat
[Expert@cpmodule]# ./empty-do.sh
Starting empty-do.sh v1.91 update on Wed May 4 21:51:33 UTC 2011
Importing ./threatstop.conf
Number of addresses to delete: 31
Deleting 31 blocked addresses
Skipping Shim IP 0.0.0.2
/opt/CPsuite-R70/fw1/bin/dynamic_objects -o ThreatSTOP -r 195.254.186.0 195.254.187.255 -d
/opt/CPsuite-R70/fw1/bin/dynamic_objects -o ThreatSTOP -r 144.206.0.0 144.206.255.255 -d
<--- cut ---->
/opt/CPsuite-R70/fw1/bin/dynamic_objects -o ThreatSTOP -r 222.185.231.246 222.185.231.246 -d
Deleted 31 items from the ThreatSTOP Dynamic Object
Finished empty-do.sh update at Wed May 4 21:51:36 UTC 2011
Run Length: 0 hour(s) 0 minute(s) 3 second(s)

Running on a Check Point Cluster

Running the ThreatSTOP scripts on a Check Point Cluster is similar to a single firewall, but there are some differences. Each node in the cluster needs to run the checkpoint_splat.sh script. This is because each node needs to have the ThreatSTOP Dynamic Object created, with at least one address in it. If one of the nodes is not set up and becomes the primary node in the cluster, all traffic will be blocked. This happens because the node does not have the Dynamic Object defined, and Check Point will interpret the object in the rule as 0.0.0.0, which translates to everything.
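A pre-install check for the failure mode just described, added here as an example and not part of ThreatSTOP's scripts: it parses a captured "dynamic_objects -l" listing from each cluster member and refuses to pass while any member lacks a populated ThreatSTOP-block object. It assumes the listings have already been saved to files (for example over SSH) and uses BLOCK_OBJNAME as in threatstop.conf; the two sample listings are constructed.

```shell
# Added example, not part of ThreatSTOP's scripts: a pre-install check for a
# cluster, based on the warning above that a member without a populated
# Dynamic Object turns the rule's source into 0.0.0.0 and drops all traffic.
# Assumes each member's "dynamic_objects -l" output was captured to a file
# (for example over SSH) and BLOCK_OBJNAME as in threatstop.conf.
BLOCK_OBJNAME="${BLOCK_OBJNAME:-ThreatSTOP-block}"

# Count the ranges of object $1 in a "dynamic_objects -l" listing on stdin.
range_count() {
  awk -v obj="$1" '/^object name :/ { in_obj = ($4 == obj); next }
                   in_obj && /^range/ { n++ }
                   END { print n + 0 }'
}

# $@ = member=listing_file pairs. Reports every member whose object is missing
# or empty and returns 1 if any is; only a fully prepared cluster returns 0.
check_cluster() {
  failed=0
  for pair in "$@"; do
    member=${pair%%=*}; listing=${pair#*=}
    n=$(range_count "$BLOCK_OBJNAME" < "$listing")
    if [ "$n" -eq 0 ]; then
      echo "$member: $BLOCK_OBJNAME missing or empty; run setup-ha.sh there first" >&2
      failed=1
    else
      echo "$member: $BLOCK_OBJNAME has $n range(s)"
    fi
  done
  return $failed
}

# Constructed sample listings: node1 holds the shim address, node2 was never set up.
demo() {
  a=$(mktemp); b=$(mktemp)
  printf '%s\n' 'object name : CPDShield' 'range 0 : 0.0.0.1       0.0.0.1' \
    'object name : ThreatSTOP-block' 'range 0 : 0.0.0.2       0.0.0.2' > "$a"
  printf '%s\n' 'object name : CPDShield' 'range 0 : 0.0.0.1       0.0.0.1' > "$b"
  check_cluster "node1=$a" "node2=$b"; rc=$?
  rm -f "$a" "$b"
  return $rc
}
demo || echo "do not install the policy until every member passes" >&2
```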

Instead of running the setup.sh script, you will need to run the setup-ha.sh script which does not create the scheduled job to send the log, but is otherwise identical to setup.sh.

[Expert@cpmodule]# ./setup-ha.sh
Creating ThreatSTOP Dynamic Object

Operation completed successfully

Log update success
====================
Adding Shim IP to Dynamic Object

Operation completed successfully

Log update success
====================
Dynamic Object created successfully.
Here are the currently configured objects:

object name : CPDShield
range 0 : 0.0.0.1       0.0.0.1

object name : ThreatSTOP
range 0 : 0.0.0.2       0.0.0.2

Operation completed successfully
====================

Scheduled job created successfully
List of the currently scheduled jobs
Task: "RotateLogs"
        Command: /sbin/cp_logrotate
        Arguments:
        Interval: 100
        Active: true
        RunAtStart: true
Task: "ThreatSTOP"
        Command: /home/admin/checkpoint-splat/wrapper.sh
        Arguments:
        Interval: 7200
        Active: true
        RunAtStart: false

The script to send the logs needs to be running on the log server to have the firewall logs sent to ThreatSTOP. Depending on how your cluster environment is set up, the log server could be the management node or a separate server.

On the log server, you will need to copy and extract the scripts and run the setup-ha-logs.sh script. This will only create the scheduled job to send the log.

[Expert@cpmodule]# ./setup-ha-logs.sh

Scheduled job created successfully
List of the currently scheduled jobs
Task: "RotateLogs"
        Command: /sbin/cp_logrotate
        Arguments:
        Interval: 100
        Active: true
        RunAtStart: true
Task: "ThreatSTOP-Log"
        Command: /home/admin/checkpoint-splat/sendlog.sh
        Arguments:
        Interval: 86400
        Active: true
        RunAtStart: false

Once completed, your network is protected with an updated list every two hours.

Restore to Previous State

If you decide to remove ThreatSTOP from your Check Point, you need to proceed in a specific order to make sure that traffic through the firewall is not affected.

  1. From the SmartDashboard, delete all rules that reference the ThreatSTOP Dynamic Object and install the updated policy.
  2. From an SSH connection to the firewall, in expert mode, delete the scheduled job that runs the script that updates the Dynamic Object:

    [Expert@cpmodule]# cpd_sched_config delete ThreatSTOP -r

  3. From an SSH connection to the firewall, in expert mode, delete the scheduled job that runs the script that sends the firewall log:

    [Expert@cpmodule]# cpd_sched_config delete ThreatSTOP-Log -r

  4. Delete the ThreatSTOP dynamic object:

    [Expert@cpmodule]# dynamic_objects -do ThreatSTOP

  5. Optionally delete the directory with the scripts:

    [Expert@cpmodule]# rm -rf ~/checkpoint-splat