I am running R81.10 with GA JHA take 130 installed on my gateways and SMS.
I have an External Custom Intelligence Feed named Talos_blacklist configured on my gateway cluster via the CLI.
I have an IP that is on that blacklist that gets blocked by design of the feature.
However, I need to make an exception for this IP address and everything I have tried in SmartConsole does not work; traffic to the IP in question is still dropped due to my Talos_blacklist.
In the example with my screenshots the source is 10.1.1.10 > 185.242.113.224 (blacklisted IP). From the log card I selected add an exception and selected the defaults, the exception was created (see screenshot), I installed the threat prevention policy, and traffic is still blocked from my source to the destination due to the Talos_blacklist.
I have also tried creating my own threat prevention rule and assigning the source and/or destination to a dummy no threat prevention policy that doesn't have any TP enabled, and that does not work either.
Is it possible to make exceptions for IPs on External Custom Intelligence Feeds and, if so, how can I create one that will work?
Thank you in advance.
Hey,
We will check it and provide an update. Thanks!
Hey,
We just released this functionality in R81.20 JHF Take 43.
If you need this on top of R81/R81.10 JHF, you will be able to use this feature in the upcoming jumbo release.
Unfortunately the IP exclusion feature is not supported via the SmartConsole for now.
In order to add IP exclusions, please locate a file containing a list of IP addresses with an end-of-line delimiter at $FWDIR/conf/ip_whitelist.eng.
IP addresses in the ip_whitelist.eng file will be exempt from enforcement actions, regardless of their presence in any of the threat intelligence feeds.
Hi,
Thank you for the information.
For an exclusion in R81.10, do we change the ip_whitelist.eng file on the security gateway or the SMS?
Can you please provide an example for the syntax to add an IP as an end-of-line delimiter?
Hey.
The file should be located on the security gateway.
Example of ip_whitelist.eng:
192.0.2.146
192.0.2.147
192.0.2.148
Hi @TPExpert ,
I opened ip_whitelist.eng in the vi editor, added an IP on my custom intelligence feed, did a write quit, installed TP policy, and traffic to that IP is still prevented.
As I wrote in my first comment, it wasn't released yet in R81 and R81.10. I guess that it will be integrated in the next jumbo release.
Sorry, I misunderstood. Thank you for the clarification. I will wait for the next hotfix for 81.10.
@TPExpert : It would be nice if this would be documented in R81.20 Threat Prevention Administration Guide and sk132193.
I was told by TAC (DEBUG) that the new architecture for custom IOC feeds, which was introduced in R81.20, is much more robust and supports at least 2 million patterns/observables, is only used when importing custom IOC feeds through SmartConsole, not when using the old way over the CLI.
So this raises the question of whether this new ip_whitelist.eng file works for both SmartConsole and CLI feeds, or only SmartConsole.
Hello Tobias,
Correct, the new functionality is applied for both types of feeds; locally managed CLI.
We will update the SK with the relevant information.
Thanks!
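A pre-check for the one-address-per-line format shown in the ip_whitelist.eng example in this thread, as an added example that is not part of the original thread and is not Check Point code. It assumes plain dotted-quad IPv4 entries only; the function names `valid_ipv4` and `lint_ip_list` and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: lint a one-address-per-line list in the shape of the
# ip_whitelist.eng example above. Assumption: plain dotted-quad IPv4 only;
# the thread does not say whether CIDR, IPv6 or comments are accepted.

valid_ipv4() {
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs   # split into octets
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in
            [0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]) ;;
            *) return 1 ;;
        esac
    done
}

lint_ip_list() {
    file=$1; n=0; bad=0; seen=''
    cr=$(printf '\r'); tab=$(printf '\t')
    # "|| [ -n "$line" ]" still processes a last line that lacks its newline
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1)); why=''
        case "$line" in
            *"$cr")          why='CRLF line ending' ;;
            '')              why='empty line' ;;
            *" "*|*"$tab"*)  why='leading, trailing or embedded whitespace' ;;
        esac
        if [ -z "$why" ] && ! valid_ipv4 "$line"; then why='not a dotted-quad IPv4 address'; fi
        if [ -z "$why" ]; then
            case " $seen " in *" $line "*) why='duplicate entry' ;; esac
            seen="$seen $line"
        fi
        if [ -n "$why" ]; then echo "line $n: $why"; bad=$((bad + 1)); fi
    done < "$file"
    if [ -n "$(tail -c 1 "$file")" ]; then
        echo "last line has no end-of-line delimiter"; bad=$((bad + 1))
    fi
    [ "$bad" -eq 0 ]   # exit status 0 only when the list is clean
}

# Constructed sample: the addresses from the post plus deliberate defects.
sample=$(mktemp)
printf '192.0.2.146\n192.0.2.147\r\n192.0.2.148 \n192.0.2.256\n192.0.2.146\n192.0.2.149' > "$sample"
lint_ip_list "$sample" || echo "list has problems, see the lines above"
rm -f "$sample"
```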