_khard
Employee Alumnus

What is the difference between Custom Intelligence feed and Network Feeds ?

What is the difference between Custom Intelligence feed and Network Feeds ?

 

Both are used to push IP/domains which one needs to block without policy installation. 

 

0 Kudos
13 Replies
the_rock
Legend

https://support.checkpoint.com/results/sk/sk132193

https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_SecurityManagement_AdminGuid...

I would say the biggest difference is that with network feeds you CAN enforce FQDN, unlike with IOC, where you can't (not to be confused with the International Olympic Committee lol).

Hope that helps.

Andy

 

 

0 Kudos
PhoneBoy
Admin

Custom intelligence feeds are basically a block list for AntiVirus/AntiBot Blades, which are required to use this feature.
Network Feeds can be used in the Access Policy (in addition) and only require Firewall blades.
Neither requires a policy push to update.

Regardless of which method you use, if you have a lot of IoCs, R81.20 is a better choice as it supports millions of IoCs.

the_rock
Legend

Correct me if I'm wrong when I say this, but don't you need a rule like below to take full advantage of IOC, or is just having them in SmartConsole enough?

Andy

 

Screenshot_1.png

0 Kudos
PhoneBoy
Admin

Custom Intelligence Feeds are treated as "block" in AntiVirus/Anti-Bot blades.
There is no other configuration required in SmartConsole.

0 Kudos
the_rock
Legend

K, so just to make sure I'm not missing anything... are you saying IF the AV blade is enabled on the firewall, and also on the TP profile, then generic data center objects don't need to be added to any security rule?

Andy

 

Screenshot_1.png

0 Kudos
Chris_Atkinson
Employee

Generic data centre objects are used differently from IOC feeds.

CCSM R77/R80/ELITE
0 Kudos
the_rock
Legend

Thanks Chris, I was confusing some things here, long night last night troubleshooting a Cisco switch lol

Anyway, I think I'm good now... have a nice weekend mate.

Andy

_khard
Employee Alumnus

Thanks @PhoneBoy for your response. I could see that the Custom Intelligence Feed supports MD5 (files) as well, which aren't supported in the external network feeds.

I think basically if someone has NGFW lic - they could use it in access policy and if someone has NGTP lic - better to use Custom Intelligence Feeds. 

0 Kudos
the_rock
Legend

That makes sense.

0 Kudos
Matlu
Advisor

Hi @PhoneBoy 

What is the correct way to block a list of Malicious IPs that come to us in daily newsletters like IoC?

We have a VSX environment where some of our VSs have Threat Prevention enabled (IPS/AV/AB).

So, if we have these Blades available, is using IoC Feeds the "best option"?

Can our “Feed” SOURCE be a simple Windows server with a txt file that can be ‘updated’ with new Malicious IPs whenever we need?

Thanks for your comments.

0 Kudos
the_rock
Legend

Hey bro,

FWIW, I personally recommend people use the info from below (network feeds), since it does NOT need AV and/or AB blades enabled.

Andy

https://community.checkpoint.com/t5/Security-Gateways/Network-feed/m-p/212407#M40317

0 Kudos
PhoneBoy
Admin

Network Feeds have a small issue in VSX: You cannot verify the feed before it is saved/activated with a VS.
You have to use a non-VSX gateway for this.
At least that's the case in R81.20, not sure about R82.

IOC Feeds can be used for this purpose also if you have AV/AB blades enabled.

0 Kudos
the_rock
Legend

Works in R82 for sure, tested in the lab.

Andy

0 Kudos
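
For the plain-text feed file asked about above, a check before publishing keeps a daily IoC list from blocking your own networks or an over-broad range, whichever feed type consumes it. This is an added example, not part of the original thread and not Check Point code; it assumes an IPv4 feed with one entry per line (confirm the accepted entry formats in the product documentation), and the protected ranges, the /24 limit and the function names are hypothetical.

```python
import ipaddress
import os
import tempfile

# Assumption: networks that must never land in a block feed. 198.51.100.0/24
# stands in for the organisation's own public range (constructed value).
PROTECTED = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "198.51.100.0/24")]
MIN_PREFIX = 24  # assumption: refuse anything broader than a /24


def build_feed(raw_lines):
    """Return (entries, rejected); entries are unique, sorted, one per feed line."""
    accepted, rejected = set(), []
    for line in raw_lines:
        # Drop comments and undo "defanging" such as 203.0.113[.]7
        text = line.split("#", 1)[0].strip().replace("[.]", ".")
        if not text:
            continue
        try:
            net = ipaddress.ip_network(text, strict=False)
        except ValueError:
            rejected.append((text, "not an IP address or CIDR"))
            continue
        if net.version != 4:
            rejected.append((text, "IPv6 not handled in this example"))
        elif net.prefixlen < MIN_PREFIX:
            rejected.append((text, "range too broad"))
        elif any(net.overlaps(p) for p in PROTECTED):
            rejected.append((text, "overlaps a protected network"))
        else:
            accepted.add(net)
    entries = [str(n.network_address) if n.prefixlen == 32 else str(n)
               for n in sorted(accepted)]
    return entries, rejected


def publish(entries, path):
    """Replace the feed file atomically so a fetch never sees a partial list."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    with os.fdopen(fd, "w", newline="\n") as fh:
        fh.write("\n".join(entries) + "\n")
    os.replace(tmp, path)


# Constructed sample input (documentation addresses, not real indicators)
SAMPLE = ["# daily list", "203.0.113.7", "203.0.113[.]7  # defanged duplicate",
          "192.0.2.0/24", "10.1.2.3", "0.0.0.0/0", "198.51.100.20", "not-an-ip"]
```

Review the rejected list before each publish: an entry rejected for overlapping a protected network usually means the source list is wrong, not the check.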
