Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
_khard
Employee Alumnus
Employee Alumnus
Jump to solution

Unable to get IoC working

Hi All, 

I'm trying to play around with External IoC Feeds from .csv file uploaded to the Standalone device (lab setup).

I've successfully uploaded the IoC file which is of Check Point Format .csv

#Uniq-Name #Value #Type #Confidence #Severity #Product #Comment
observ1 *.facebook.com URL high high AV "Malicious IP"

 

Once the file was uploaded, I've even tried to push policy as well. However I'm still able to ping www.facebook.com

I've checked the free disk is more than 40% and memory utilization is around 40%. - Since it was written in the known limitations. 

 

Is there something which I'm missing ? 

0 Kudos
1 Solution

Accepted Solutions
the_rock
Legend
Legend

Hey @_khard 

Got it working with help of my good colleague. So, we checked the config and he said to me "Hey, is it possible wildcard is not allowed in ioc file?" and I was thinking, hm, he has a point and BAM, as soon as we replaced *.facebook.com with www.facebook.com, deleted the ioc feed and reimported the file, all worked like a charm.

I attached the file with screenshots.

You may want to submit RFE for this, since you work for CP, so it would probably mean more coming from you than me LOL

Anyway, file attached and if you have any more questions, happy to show you my lab, it has most things configured in it.

Kind regards,

Andy

View solution in original post

0 Kudos
20 Replies
the_rock
Legend
Legend

Send the csv file you used, I will test it in the lab.

Andy

0 Kudos
_khard
Employee Alumnus
Employee Alumnus

Here's the .csv file. 

0 Kudos
the_rock
Legend
Legend

Might do it tomorrow and let you know. Btw, you can easily tell yourself why it fails...just check the logs, route, capture...etc.

Andy

0 Kudos
Chris_Atkinson
Employee Employee
Employee

@_khard Suggest you take this internally for resolution please. 

These spaces are intended for customers / partners to ask questions.

CCSM R77/R80/ELITE
0 Kudos
(3)
the_rock
Legend
Legend

I see what you are saying Chris, but in my opinion, we are all here to help one another. As far as Im concerned, I never care whether its a CP employee or anyone else posting a question, makes no difference to me.

I will always do my best to help, thats all.

Cheers mate.

Andy

0 Kudos
the_rock
Legend
Legend

Hey,

Sorry about the delay, my colleagues were doing lots of changes to our lab, so took bit longer than expected. I just tested this, and works fine for me. I have real good R81.20 lab, happy to show you what I did.

Andy

0 Kudos
_khard
Employee Alumnus
Employee Alumnus

Hi @the_rock , 

So you're saying that with the file I provided your internal network machines were not able to ping/telnet *.facebook.com ?

Yes, if you could show me that would be great. Let me know how you want to connect. 

0 Kudos
the_rock
Legend
Legend

No...what Im saying is I was going to facebook fine from machine behind the lab cluster. I will see if I can get it working right tomorrow.

 

Good night.

Andy

0 Kudos
the_rock
Legend
Legend

I got access to the lab, so will try work on this today when I have time. I see that access to facebook is allowed based on layered rules, so I have a feeling there is something else "missing" in order to make IoC feed work properly.

Andy

0 Kudos
the_rock
Legend
Legend

K, just did some more testing, but no luck. Im occupied with important Fortinet stuff today, but here are my thoughts and I could be mistaken when I say this, but maybe someone else can confirm. I dont believe its enough to just put website/category in there via CSV file for indicator and enable say AV blade and that will auto block those sites. When I test facebook, works fine, though yes, I do have https inspection enabled, but category for FB is NOT blocked, so thats why it works.

Personally, I do NOT think trying to do this via IoC would suffice, since its related to either AV or AB blades, but as far as blocking sites, thats strictly regarding URLF blade.

Again, I could be totally way off here, but thats my logical approach...

Kind regards,

Andy

0 Kudos
_khard
Employee Alumnus
Employee Alumnus

Thank you @the_rock for putting so much effort.

Appreciate your help.

 

0 Kudos
the_rock
Legend
Legend

Any time mate, pleasure to help the best I can. Please let us know what you find.

Andy

0 Kudos
the_rock
Legend
Legend

Hey @_khard 

Got it working with help of my good colleague. So, we checked the config and he said to me "Hey, is it possible wildcard is not allowed in ioc file?" and I was thinking, hm, he has a point and BAM, as soon as we replaced *.facebook.com with www.facebook.com, deleted the ioc feed and reimported the file, all worked like a charm.

I attached the file with screenshots.

You may want to submit RFE for this, since you work for CP, so it would probably mean more coming from you than me LOL

Anyway, file attached and if you have any more questions, happy to show you my lab, it has most things configured in it.

Kind regards,

Andy

0 Kudos
_khard
Employee Alumnus
Employee Alumnus

Hi @the_rock, Thanks for pointing this one out. I went through the documentation again and saw it doesn't support non-fqdns like network feeds does. 

Thank you again for your support. 

0 Kudos
the_rock
Legend
Legend

Sure, no problem, glad to help.

Andy

0 Kudos
the_rock
Legend
Legend

Also, forgot to say, though Im sure you know this, you can customize block page with different logos and messages (its under user check objects in object explorer and it can be set as per TP profile policy).

Andy

0 Kudos
PhoneBoy
Admin
Admin

IoC feeds are enforced by the AntiBot/AntiVirus blades, which I don't think block ICMP.
Best to use Network Feeds in R81.20, which can be directly used in the Access Policy.

0 Kudos
the_rock
Legend
Legend

@PhoneBoy Can IoC indicator be used to block specific URL?

Andy

0 Kudos
PhoneBoy
Admin
Admin

Yes, the example in sk132193 even includes one (subject to HTTPS Inspection configuration).

0 Kudos
the_rock
Legend
Legend

No idea what Im missing then...

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events