topic Re: Unable to get IoC working in General Topics

Unable to get IoC working

_khard — Sun, 15 Oct 2023 16:54:36 GMT

Hi All,

I'm trying to play around with External IoC Feeds from .csv file uploaded to the Standalone device (lab setup).

I've successfully uploaded the IoC file which is of Check Point Format .csv

#Uniq-Name	#Value	#Type	#Confidence	#Severity	#Product	#Comment
observ1	*.facebook.com	URL	high	high	AV	"Malicious IP"

Once the file was uploaded, I've even tried to push policy as well. However I'm still able to ping www.facebook.com

I've checked the free disk is more than 40% and memory utilization is around 40%. - Since it was written in the known limitations.

Is there something which I'm missing ?

Re: Unable to get IoC working

the_rock — Sun, 15 Oct 2023 17:03:21 GMT

Send the csv file you used, I will test it in the lab.

Andy

Re: Unable to get IoC working

_khard — Sun, 15 Oct 2023 17:39:47 GMT

Here's the .csv file.

Re: Unable to get IoC working

the_rock — Sun, 15 Oct 2023 18:34:47 GMT

Might do it tomorrow and let you know. Btw, you can easily tell yourself why it fails...just check the logs, route, capture...etc.

Andy

Re: Unable to get IoC working

Chris_Atkinson — Sun, 15 Oct 2023 22:19:55 GMT

@_khard Suggest you take this internally for resolution please.

These spaces are intended for customers / partners to ask questions.

Re: Unable to get IoC working

the_rock — Sun, 15 Oct 2023 23:21:25 GMT

Hey,

Sorry about the delay, my colleagues were doing lots of changes to our lab, so took bit longer than expected. I just tested this, and works fine for me. I have real good R81.20 lab, happy to show you what I did.

Andy

Re: Unable to get IoC working

the_rock — Sun, 15 Oct 2023 23:22:54 GMT

I see what you are saying Chris, but in my opinion, we are all here to help one another. As far as Im concerned, I never care whether its a CP employee or anyone else posting a question, makes no difference to me.

I will always do my best to help, thats all.

Cheers mate.

Andy

Re: Unable to get IoC working

_khard — Mon, 16 Oct 2023 03:15:04 GMT

Hi @the_rock ,

So you're saying that with the file I provided your internal network machines were not able to ping/telnet *.facebook.com ?

Yes, if you could show me that would be great. Let me know how you want to connect.

Re: Unable to get IoC working

the_rock — Mon, 16 Oct 2023 03:20:01 GMT

No...what Im saying is I was going to facebook fine from machine behind the lab cluster. I will see if I can get it working right tomorrow.

Good night.

Andy

Re: Unable to get IoC working

the_rock — Mon, 16 Oct 2023 12:41:40 GMT

I got access to the lab, so will try work on this today when I have time. I see that access to facebook is allowed based on layered rules, so I have a feeling there is something else "missing" in order to make IoC feed work properly.

Andy

Re: Unable to get IoC working

the_rock — Mon, 16 Oct 2023 16:11:40 GMT

K, just did some more testing, but no luck. Im occupied with important Fortinet stuff today, but here are my thoughts and I could be mistaken when I say this, but maybe someone else can confirm. I dont believe its enough to just put website/category in there via CSV file for indicator and enable say AV blade and that will auto block those sites. When I test facebook, works fine, though yes, I do have https inspection enabled, but category for FB is NOT blocked, so thats why it works.

Personally, I do NOT think trying to do this via IoC would suffice, since its related to either AV or AB blades, but as far as blocking sites, thats strictly regarding URLF blade.

Again, I could be totally way off here, but thats my logical approach...

Kind regards,

Andy

Re: Unable to get IoC working

_khard — Mon, 16 Oct 2023 16:36:01 GMT

Thank you @the_rock for putting so much effort.

Appreciate your help.

Re: Unable to get IoC working

the_rock — Mon, 16 Oct 2023 16:37:19 GMT

Any time mate, pleasure to help the best I can. Please let us know what you find.

Andy

Re: Unable to get IoC working

PhoneBoy — Mon, 16 Oct 2023 22:09:16 GMT

IoC feeds are enforced by the AntiBot/AntiVirus blades, which I don't think block ICMP.
Best to use Network Feeds in R81.20, which can be directly used in the Access Policy.

Re: Unable to get IoC working

the_rock — Mon, 16 Oct 2023 22:22:59 GMT

@PhoneBoy Can IoC indicator be used to block specific URL?

Andy

Re: Unable to get IoC working

PhoneBoy — Mon, 16 Oct 2023 23:12:14 GMT

Yes, the example in sk132193 even includes one (subject to HTTPS Inspection configuration).

Re: Unable to get IoC working

the_rock — Mon, 16 Oct 2023 23:17:48 GMT

No idea what Im missing then...

Re: Unable to get IoC working

the_rock — Tue, 17 Oct 2023 18:36:17 GMT

Hey @_khard

Got it working with help of my good colleague. So, we checked the config and he said to me "Hey, is it possible wildcard is not allowed in ioc file?" and I was thinking, hm, he has a point and BAM, as soon as we replaced *.facebook.com with www.facebook.com, deleted the ioc feed and reimported the file, all worked like a charm.

I attached the file with screenshots.

You may want to submit RFE for this, since you work for CP, so it would probably mean more coming from you than me LOL

Anyway, file attached and if you have any more questions, happy to show you my lab, it has most things configured in it.

Kind regards,

Andy

Re: Unable to get IoC working

the_rock — Tue, 17 Oct 2023 23:32:38 GMT

Also, forgot to say, though Im sure you know this, you can customize block page with different logos and messages (its under user check objects in object explorer and it can be set as per TP profile policy).

Andy

Re: Unable to get IoC working

_khard — Wed, 18 Oct 2023 06:03:32 GMT

Hi @the_rock, Thanks for pointing this one out. I went through the documentation again and saw it doesn't support non-fqdns like network feeds does.

Thank you again for your support.