This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
chiranj_support
Explorer
‎2024-06-06 06:01 AM
Jump to solution

How to do Bulk uploads of IOC IP's and URL's files in Checkpoint firewall

Hi Everyone

 

How to upload bulk updates of IOC URL file in checkpoint firewall instead of manual update one by one url

 

In Palo-alto firewall EDL option for Bulk update 10,000 IP Address

 

In checkpoint gateway is there any option similar like EDL if avail, guide the process 

 

Regards,

Chiranjeevi

0 Kudos
1 Solution

Accepted Solutions
Bob_Zimmerman
MVP Gold
MVP Gold
‎2024-06-06 07:22 AM
In response to delToro1
Jump to solution

That works if the feed is published by some web server. If it's a file on a local machine and you don't have it on a web server the firewalls can access, the management API will still work.

View solution in original post

6 Replies
delToro1
Contributor
‎2024-06-06 06:48 AM
Jump to solution

Hello mate,

 

Review that post about IOCs: https://community.checkpoint.com/t5/Security-Gateways/IOC-feeds/m-p/212021#M40210

 

BR.

(1)
the_rock
MVP Platinum
MVP Platinum
‎2024-06-06 07:10 AM
In response to delToro1
Jump to solution

Always funny to see my own post lol. Anyway, I think thats best method I found so far, but if anyone has better one, be free to share.

Andy

Best,
Andy
0 Kudos
Bob_Zimmerman
MVP Gold
MVP Gold
‎2024-06-06 07:22 AM
In response to delToro1
Jump to solution

That works if the feed is published by some web server. If it's a file on a local machine and you don't have it on a web server the firewalls can access, the management API will still work.

Bob_Zimmerman
MVP Gold
MVP Gold
‎2024-06-06 06:49 AM
Jump to solution

I would probably use the management API to make a series of Application/Site objects (Ideally around 200 domains per object) which you then stick in an Application/Site Group object or an Application/Site Category. You can use an existing category like "Critical Risk". This can only filter HTTP-like traffic, so if you need to filter SSH, it won't work. It requires either HTTPS Inspection or the "Categorize HTTPS sites" setting to be enabled. Depending on how the objects are made, they may match more traffic than intended (for example, blocking *.ar could block a file named 32x32.left.arrow.png). I did some match expression testing last year, which can help create specific matching expressions.

0 Kudos
PhoneBoy
Admin
Admin
‎2024-06-06 01:16 PM
Jump to solution

If R81.20, you can use Network Feeds, which can be used in both Access Control and Threat Prevention policies.
See: https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_SecurityManagement_AdminGuid...

For earlier releases, you're probably looking at using ioc_feeds.
However, if you are importing a lot of IoCs, you should really upgrade to R81.20 as the infrastructure for this has improved dramatically.
We've tested ~2 million IoCs and had no issues.
The limit in R81.10 and earlier is...much lower.

the_rock
MVP Platinum
MVP Platinum
‎2024-06-06 01:19 PM
In response to PhoneBoy
Jump to solution

@chiranj_support 

Im "throwing" another post of mine then lol

https://community.checkpoint.com/t5/Security-Gateways/Network-feed/m-p/212407#M40317

Andy

Best,
Andy
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events