Mike_Jensen
Advisor

Custom Intelligence Feed Exceptions Not Working

I am running R81.10 with GA JHA take 130 installed on my gateways and SMS.

I have an External Custom Intelligence Feed named Talos_blacklist configured on my gateway cluster via the CLI.

I have an IP that is on that blacklist that gets dropped by design of the feature.

However I need to make an exception for this IP address and everything I have tried in SmartConsole does not work, traffic to the IP in question is still dropped due to my Talos_blacklist.

In the example with my screen shots the source is 10.1.1.10 > 185.242.113.224 (blacklisted IP). From the log card I have selected add an exception, select the defaults, the exception is created (see screen shot), I install threat prevention policy and traffic is still blocked from my source to the destination due to the Talos_blacklist.

I have also tried creating my own threat prevention rule and assigning the source and/or destination to a dummy no threat prevention policy that doesn't have any TP enabled and that does not work as well.

Is it possible to make exceptions for IPs on External Custom Intelligence Feeds and if so how can I create one that will work?

Thank you in advance.

0 Kudos
35 Replies
TPExpert
Employee

Hey.

The file should be located on the security gateway.

Example of ip_whitelist.eng:

192.0.2.146
192.0.2.147
192.0.2.148

0 Kudos
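The reply above gives the format of ip_whitelist.eng as one IP address per line. The following script is an added example, not code from the thread or from Check Point, for checking a whitelist file against a custom feed before installing policy: it validates every line as an address or CIDR, reports lines that would not parse, and lists which feed entries the whitelist actually covers. The feed and whitelist contents, the use of `#` comments and the expected verdict rules are constructed assumptions for this example; the real gateway's handling of CIDR entries and comments is not documented on this page.

```python
import ipaddress

# Constructed sample of a custom intelligence feed (one observable per line).
# The comment line and the invalid entry are deliberate to exercise the checks.
FEED_SAMPLE = """\
# Talos_blacklist (constructed sample, not a real feed)
185.242.113.224
192.0.2.146
192.0.2.0/24
198.51.100.7
not-an-ip
"""

# Constructed whitelist in the one-address-per-line form shown in the thread.
WHITELIST_SAMPLE = """\
192.0.2.146
192.0.2.147
192.0.2.148
"""


def parse_ip_lines(text):
    """Return (networks, bad_lines).

    Every valid line becomes an ip_network; a bare address becomes a /32 (or /128).
    Lines that do not parse are returned with their line number so an admin can
    fix the file instead of silently losing an exception. Support for '#' comments
    is an assumption of this example, not a documented file feature.
    """
    networks, bad = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            networks.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            bad.append((lineno, raw))
    return networks, bad


def check_exceptions(feed_text, whitelist_text):
    """Report which feed entries are fully covered by whitelist entries."""
    feed, bad_feed = parse_ip_lines(feed_text)
    wl, bad_wl = parse_ip_lines(whitelist_text)
    covered = []
    for net in feed:
        # A feed entry counts as covered only if the whole range sits inside
        # some whitelist entry of the same IP version (subnet_of rejects mixed versions).
        if any(net.subnet_of(w) for w in wl if w.version == net.version):
            covered.append(str(net))
    return {
        "covered": covered,
        "bad_feed_lines": bad_feed,
        "bad_whitelist_lines": bad_wl,
        "whitelist_size": len(wl),
    }


def verdict(dst, feed_text, whitelist_text):
    """Expected outcome for traffic to dst under the assumed rule:
    'prevent' if dst matches the feed and no whitelist entry,
    'exception' if it matches the feed and a whitelist entry,
    'not-in-feed' otherwise."""
    ip = ipaddress.ip_address(dst)
    feed, _ = parse_ip_lines(feed_text)
    wl, _ = parse_ip_lines(whitelist_text)
    in_feed = any(ip in net for net in feed if net.version == ip.version)
    if not in_feed:
        return "not-in-feed"
    if any(ip in net for net in wl if net.version == ip.version):
        return "exception"
    return "prevent"


if __name__ == "__main__":
    report = check_exceptions(FEED_SAMPLE, WHITELIST_SAMPLE)
    print("covered feed entries:", report["covered"])
    print("unparseable feed lines:", report["bad_feed_lines"])
    for dst in ("185.242.113.224", "192.0.2.146", "203.0.113.9"):
        print(dst, "->", verdict(dst, FEED_SAMPLE, WHITELIST_SAMPLE))
```

Run it against the actual feed and ip_whitelist.eng copied off the gateway; an entry listed under bad lines, or a destination that still reports "prevent", points at the file rather than at policy installation as the reason the exception is not taking effect.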
Mike_Jensen
Advisor

Hi @TPExpert ,

I opened ip_whitelist.eng in the vi editor, added an IP on my custom intelligence feed, did a write-quit, installed TP policy, and traffic to that IP is still prevented.

0 Kudos
TPExpert
Employee

As I wrote in my first comment, it wasn't released yet in R81 and R81.10. I guess that it will be integrated in the next jumbo release.

0 Kudos
Mike_Jensen
Advisor

Sorry, I misunderstood. Thank you for the clarification. I will wait for the next hotfix for R81.10.

0 Kudos
Tobias_Moritz
Advisor

@TPExpert : It would be nice if this were documented in the R81.20 Threat Prevention Administration Guide and sk132193.

I was told by TAC (DEBUG) that the new architecture for custom IOC feeds, which was introduced in R81.20, is much more robust and supports at least 2 million patterns/observables, but is only used when importing custom IOC feeds through SmartConsole, not when using the old way over the CLI.

So this raises the question of whether this new ip_whitelist.eng file works for both SmartConsole and CLI feeds, or only for SmartConsole.

0 Kudos
TPExpert
Employee

Hello Tobias,

Correct, the new functionality is applied for both types of feeds, including locally managed CLI feeds.

We will update the SK with the relevant information.

Thanks!

0 Kudos