Blocklist Integration with Check Point Firewall

Has anyone successfully used the CrowdSec blocklist integration with a Check Point firewall IOC feed? Checkpoint | CrowdSec

The documentation is pretty straightforward, but it fails to pull the IOC feed. When putting the feed URL into a browser, I get the error {"message":"Unauthorized"}.

https://<username>:<password>@admin.api.crowdsec.net/v1/integrations/<integration_id>/content

It doesn’t matter whether I use the Check Point integration or Raw IP list because I receive the same error. The Feed URL picture in the documentation also does not match the format listed.

There might be an issue with your firewall, as some versions of Check Point fail to do basic authentication correctly; this is a known bug that they patched in later versions of the firewall.

If you currently have a supported firewall, check for patches or updates that can be applied.

Edit: if you get unauthorized via browser, then it could be that the username or password are incorrect. Try regenerating them via the console interface to eliminate copy-and-paste errors.

Still getting unauthorized via browser. I’ve regenerated username and password several times. I should also note that I am subscribed to a blocklist so that shouldn’t be an issue. I’m thinking that once I can verify the URL works in a browser, I can troubleshoot Check Point if needed. Thanks!

As a follow-up, can anyone verify they can successfully view an integration/blocklist using a web browser?

i.e. https://<username>:<password>@admin.api.crowdsec.net/v1/integrations/<integration_id>/content

or

curl -u 'username:password' https://admin.api.crowdsec.net/v1/integrations/${content_id}/content

I’ve tested this multiple times over different (public) networks and continue to receive a 401 error {"message":"Unauthorized"}. I’ve also regenerated my credentials several times.

Hi,

Did you ever get this solved? I’m having the same exact problem.

Jamie

I never was able to integrate indirectly with our Check Point firewall. Instead, I spun up a blocklist mirror and ingested it that way.

Hi @boombies. Thank you for replying! May I ask how you were able to ‘retrieve’ the CrowdSec blocklist when you couldn’t even retrieve them via a web browser or curl? That’s what I’m actually stuck on - I’m getting the same ‘unauthorized’ message in my browser (tried multiple browsers). Also, would you mind elaborating a little bit on how you spun up your own mirror?

Jamie

I can’t help specifically with the details, but most likely @boombies is using cs-blocklist-mirror. When you go to create the integration on the console, select the “Remediation Component” option, and where the configuration asks for “LAPI” stuff, use the ones the console provides: lapi_key, lapi_url, etc.

A quick TL;DR: this component acts as an HTTP endpoint for your firewall (so instead of your firewall pointing to the CrowdSec API, it points to the LAN address where this component is running). It has some additional options, like aggregate, which merges IPs into CIDR ranges if your firewall supports it, reducing the blocklist size for those firewalls that have limits.

FYI, I don’t work for CrowdSec anymore, was just dropping by, so I can’t help much more than this.
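As an added illustration of the aggregate behaviour described above (this is example code, not part of cs-blocklist-mirror or anything from CrowdSec), the snippet below collapses a constructed list of blocked IPs and ranges into the minimal set of CIDRs and renders it one entry per line. The plain one-entry-per-line output format is an assumption for the example, not taken from Check Point documentation.

```python
import ipaddress
from typing import Iterable, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample of decisions as a blocklist might deliver them:
# bare IPs plus a few ranges, deliberately containing a duplicate,
# hosts already covered by a range, and two adjacent /25s.
SAMPLE_DECISIONS = [
    "203.0.113.7", "203.0.113.7", "203.0.113.8",
    "198.51.100.0/25", "198.51.100.128/25", "198.51.100.42",
    "192.0.2.0/24", "192.0.2.200",
    "2001:db8::1", "2001:db8::/64",
]


def parse_decisions(values: Iterable[str]) -> List[Network]:
    """Turn IP/CIDR strings into networks; a bare IP becomes a /32 or /128."""
    nets: List[Network] = []
    for value in values:
        value = value.strip()
        if not value:
            continue
        try:
            nets.append(ipaddress.ip_network(value, strict=False))
        except ValueError:
            # Malformed entry: skip it rather than break the whole feed.
            continue
    return nets


def aggregate(nets: Iterable[Network]) -> List[Network]:
    """Merge duplicate, overlapping and adjacent networks into the minimal
    CIDR set. Families are collapsed separately: collapse_addresses
    refuses a mix of IPv4 and IPv6."""
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def render_flat_list(nets: Iterable[Network]) -> str:
    """One entry per line: bare address for a single host, CIDR otherwise
    (assumed plain-text feed layout, not a documented Check Point format)."""
    lines = [str(n.network_address) if n.num_addresses == 1 else str(n) for n in nets]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    raw = parse_decisions(SAMPLE_DECISIONS)
    merged = aggregate(raw)
    print(f"{len(raw)} entries -> {len(merged)} after aggregation")
    print(render_flat_list(merged), end="")
```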

@iiAmLoz - Thank you for that info. No worries on not being able to give all the details; I appreciate what you were able to give. It’s something for me to look into / get started on.

Thanks,

Jamie

That’s right @iiAmLoz. I set up a small Debian server and configured it as a blocklist mirror so it presents on the network as something like “http://192.168.1.5/security/blocklist”. @jnavarro As for Check Point, I initially ingested the blocklist using the ‘indicators’ section on the threat prevention blade. This works most of the time, but I also found that it stops working periodically (without warning), for which I have tickets open with Check Point. I have since moved to creating network feeds and applying them directly to the firewall policy as described in this link: Network feed - Check Point CheckMates. This has worked for me and is useful if you’re not running antivirus or antibot blades. Hope that helps.