I noticed that it broke any rule that used a security server until it
actually downloaded the block list.
What worked for me (NG AI):
On the enforcement point
1) stormc config down
2) cpstop ; cpstart
On the management module
1) stormc config up
2) cpstop ; cpstart
3) Install a policy with a disabled rule for the CPDShield dynamic object ->
any drop & log
4) let it run until you see an entry or two in your logs that the block list
was downloaded, i.e.
Number: 111111
Date: 20Dec2003
Time: 15:42:18
Product: VPN-1 & FireWall-1
Origin: firewall module
Type: Log
Action:
Information: StormAgentName: CPDShield
StormAgentAction: IP blocklist updated with the
following:
StormAgentMsg: 200.195.204.0 - 200.195.204.255,
209.96.247.0 - 209.96.247.255, 200.195.205.0 - 200.195.205.255,
211.253.213.0 - 211.253.213.255, 217.226.207.0 - 217.226.207.255,
67.251.233.0 - 67.251.233.255, 80.143.255.0 - 80.143.255.255, 80.102.0.0 -
80.102.0.255, 216.39.174.0 - 216.39.174.255, 217.233.102.0 -
217.233.102.255, 208.186.178.0 - 208.186.178.255, 80.139.213.0 -
80.139.213.255, 24.172.54.0 - 24.172.54.255, 65.35.27.0 - 65.35.27.255,
172.131.106.0 - 172.131.106.255, 217.83.134.0 - 217.83.134.255,
66.108.30.0 - 66.108.30.255, 209.6.147.0 - 209.6.147.255, 195.46.37.0 -
195.46.37.255, 66.232.140.0 - 66.232.140.255,
Use a filter on the Information field that Field Contains CPDShield. Once
it's updated, enable the rule & push the policy. Any drops will be seen in
the logs for that rule number. We don't seem to get a lot of hits from the
blocked addresses though (i.e. 3 drops in the last six hours out of the 90,000+
dropped records we've externally uploaded).
I've been told that the upload feature isn't quite there yet. It appears to
be working according to the log files, but they never register with dshield.
It should be corrected "any day now" according to someone at SANS.
Hope this helps
Rob
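As an added example (not part of Rob's post or of any Check Point tool), the following Python parses a CPDShield log entry of the shape shown above, applies the same "Information contains CPDShield" test as the log filter, extracts the address ranges from the StormAgentMsg field even where it wraps across lines, and checks whether a given source address falls in the downloaded list. The sample entry is constructed from the layout in the post and reproduces only a few of its ranges.

```python
"""Parse a Check Point FW-1 CPDShield log entry and check IPs against it."""
import ipaddress
import re

# Constructed sample in the layout of the log entry quoted in the post;
# only a few of the ranges are reproduced, one of them wrapped mid-range.
SAMPLE_LOG = """Number: 111111
Date: 20Dec2003
Time: 15:42:18
Product: VPN-1 & FireWall-1
Origin: firewall module
Type: Log
Action:
Information: StormAgentName: CPDShield
StormAgentAction: IP blocklist updated with the following:
StormAgentMsg: 200.195.204.0 - 200.195.204.255,
209.96.247.0 - 209.96.247.255, 80.102.0.0 -
80.102.0.255, 216.39.174.0 - 216.39.174.255,
"""

# "first - last" dotted-quad pairs; whitespace around the dash is optional
RANGE_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})\s*-\s*(\d{1,3}(?:\.\d{1,3}){3})")


def blocklist_updated(entry: str) -> bool:
    """True if this entry is the CPDShield 'blocklist updated' event
    (the same test as a log filter on Information contains CPDShield)."""
    return "CPDShield" in entry and "IP blocklist updated" in entry


def parse_ranges(entry: str):
    """Return the StormAgentMsg ranges as ip_network objects."""
    if "StormAgentMsg:" not in entry:
        return []
    msg = entry.split("StormAgentMsg:", 1)[1]
    # Collapse line wraps so a range split over two lines still matches.
    msg = " ".join(msg.split())
    nets = []
    for first, last in RANGE_RE.findall(msg):
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last)))
    return nets


def is_blocked(ip: str, nets) -> bool:
    """Would a rule built on the downloaded list drop this source address?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)
```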