Create ASA Firewall rule from Talos IP Blacklist
Talos IP Blocklist
Talos publishes a good IP blacklist on its web site. To improve the security of my network I would like to block those IP addresses on my ASA firewall. The blacklist contains roughly 1600 lines with IP addresses, so transforming them into firewall rules for the ASA by hand would be a lot of manual work.
Script to create Firewall ACL
But: we have computers, so let's have a computer do this work. A simple bash script downloads the blacklist and generates output that I can copy and paste into my ASA firewall. Note that the script also splits each line on semicolons, so that a different blacklist whose lines contain several semicolon-separated columns can be used as well; lines without a semicolon are passed through unchanged. Because the output is pasted straight into the running configuration, only well-formed IPv4 addresses from the file should end up in it, which the script enforces before printing anything.
#!/bin/bash
# Download the Talos IP blocklist and print ASA CLI commands to stdout.
set -euo pipefail

url="https://talosintelligence.com/documents/ip-blacklist"
list="$(mktemp)"
trap 'rm -f "$list"' EXIT

# wget -q is silent, so rely on set -e to abort when the download fails;
# an empty file would otherwise produce an empty object-group.
wget -q -O "$list" "$url"

# Take the second ';'-separated column if the file has one (cut passes lines
# without a delimiter through whole), strip CRs, keep only well-formed IPv4
# addresses and deduplicate, so nothing but addresses lands in the config.
ipblack=( $(cut -d ';' -f2 "$list" | tr -d '\r' | grep -Ex '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort -u || true) )
[ "${#ipblack[@]}" -gt 0 ] || { echo "no addresses found in $url" >&2; exit 1; }

echo "conf t"
for ip in "${ipblack[@]}"
do
  echo "name $ip TALOS_BLACKLIST_$ip"
done
echo "no object-group network TALOS_BLACKLIST"
echo "object-group network TALOS_BLACKLIST"
for ip in "${ipblack[@]}"
do
  echo "network-object host $ip"
done
echo "!"
echo "exit"
Run Script
I save the script above as "talos-ipblacklist.sh", make it executable and run it, redirecting the output to a file:
./talos-ipblacklist.sh > talos-blacklist.cfg
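The script above deletes and recreates the object-group on every run, which only works the first time: once an access rule references TALOS_BLACKLIST, the ASA rejects "no object-group network TALOS_BLACKLIST" because the group is in use. The following script is an added example, not the post's own code, showing how a later run can instead diff the previously applied list against the freshly downloaded one and emit only the member additions and removals. The two input lists are constructed sample data (RFC 5737 documentation ranges) standing in for two downloads; the group name is the one used in the post, and the "name" entries the post creates are left alone.

```shell
#!/bin/bash
# Added example, not the original post's script: generate an incremental
# ASA update from the previously applied list and the newly downloaded one,
# so the existing TALOS_BLACKLIST group is modified in place instead of
# being deleted and recreated. The two lists below are constructed sample
# data standing in for two downloads; they use RFC 5737 documentation ranges.
set -euo pipefail

# Normalise a raw list read from stdin: second ';'-column if present (cut
# passes lines without a delimiter through whole), CRs stripped, only
# well-formed IPv4 addresses kept, sorted and deduplicated for comm.
normalize_list() {
  cut -d ';' -f2 | tr -d '\r' | grep -Ex '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort -u || true
}

# Print the ASA commands that turn the group contents from the old list
# (file $1) into the new list (file $2). Both files must be normalised.
emit_delta() {
  local old="$1" new="$2"
  echo "conf t"
  echo "object-group network TALOS_BLACKLIST"
  # comm -13: addresses only in the new list -> add to the group
  comm -13 "$old" "$new" | while read -r ip; do
    echo "network-object host $ip"
  done
  # comm -23: addresses only in the old list -> remove from the group
  comm -23 "$old" "$new" | while read -r ip; do
    echo "no network-object host $ip"
  done
  echo "exit"
}

# Wrapper taking both raw lists as strings; returns the commands on stdout.
# In real use the old list is the file kept from the previous run and the
# new one comes from wget, as in the post's script.
delta_from_strings() {
  local old_file new_file
  old_file="$(mktemp)"
  new_file="$(mktemp)"
  printf '%s\n' "$1" | normalize_list > "$old_file"
  printf '%s\n' "$2" | normalize_list > "$new_file"
  emit_delta "$old_file" "$new_file"
  rm -f "$old_file" "$new_file"
}

# Constructed sample: yesterday's list, one address per line as Talos ships it.
OLD_RAW='203.0.113.10
203.0.113.11
198.51.100.5'

# Constructed sample: today's list, deliberately messy. A comment line, a
# two-column line, a duplicate and a junk entry are all handled by
# normalize_list; only 203.0.113.12 is new and 203.0.113.10 has gone.
NEW_RAW='# comment line that must be ignored
203.0.113.11
foo;203.0.113.12
198.51.100.5
198.51.100.5
not-an-ip'

delta_from_strings "$OLD_RAW" "$NEW_RAW"
```

Run stand-alone it prints a "conf t" block that adds 203.0.113.12 to the group and removes 203.0.113.10, and nothing else. For real use, keep the normalised list from each run as the "old" file for the next one; when the two lists are identical the output contains no network-object lines at all, so pasting it is harmless.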
Copy config to ASA Firewall
I copy and paste the output via SSH into my ASA firewall; the objects then appear in ASDM under "Firewall > Objects > Network Objects/Groups". Then I create the two rules for my two VLANs that use TALOS_BLACKLIST, as shown below. One caveat for later updates: once an access rule references the group, the ASA rejects the "no object-group network TALOS_BLACKLIST" line because the group is in use, so a re-run of the script has to change the members of the existing group rather than recreate it.
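The two rules as they look on the CLI, as an added example standing in for the ASDM screenshot and not the post's own configuration: the interface names vlan10 and vlan20, the ACL names, the "in" direction, the "log" keyword and the trailing permit are all assumptions, since the post only says that one rule per VLAN references TALOS_BLACKLIST.

```text
! Added example, not the post's configuration. Interface names, ACL names
! and direction are assumed; the trailing permit stands in for whatever the
! VLAN is otherwise allowed to do and must come after the deny.
access-list VLAN10_IN extended deny ip any object-group TALOS_BLACKLIST log
access-list VLAN10_IN extended permit ip any any
access-group VLAN10_IN in interface vlan10
!
access-list VLAN20_IN extended deny ip any object-group TALOS_BLACKLIST log
access-list VLAN20_IN extended permit ip any any
access-group VLAN20_IN in interface vlan20
```

Applied inbound on the VLAN interface, the deny stops hosts in that VLAN from reaching the listed addresses; the per-entry hit counters are shown as hitcnt in the output of show access-list VLAN10_IN.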
Telnetting from a host in one of the VLANs to one of the listed IP addresses should then increase the rule's hit counter (visible in ASDM or with "show access-list" on the CLI), which confirms that the firewall rules are working. That's it.