Hi All,
I'm busy testing adding threat indicators via SmartConsole (as opposed to via ioc_feeds add). For purposes of testing I've created a file containing just a list of IP addresses which I'm hosting on an internal web server.
I can add the feed fine via command line, it parses correctly as per below:
[Expert@cp-gw01:0]# ioc_feeds add --feed_name ip_list --transport http --resource "http://ioc.cplab.root/iocip.txt" --format [value:1,type:ip]
start add
Default value for active is: true
Default value for feed_action is: prevent
Feed ip_list will add on
Feed Name: ip_list
Feed is Active
File will be fetched via HTTP
Resource: http://ioc.cplab.root/iocip.txt
Action: Prevent
Fetching active feeds
Existing deny list entries cleared...
1040 IPv4 addresses loaded
Note: this command is deprecated (see "fwaccel dos deny").
All deny list entries deleted
Note: this command is deprecated (see "fwaccel dos deny").
Signatures loaded successfully
Update summary
##############
feed: ip_list. Status: Succeed
##############
My problem is, if I try to do this via the R81 SmartConsole (Threat Tools - Indicators), no matter what I try it responds with "406 - Not Acceptable". I can't find any info on how to further debug this, so any guidance would be appreciated. This is in my lab environment, so unfortunately TAC is also out of the question.
Thanks,
Ruan
The format for ioc_feeds and uploading via SmartConsole is different.
More precisely, SmartConsole expects a CSV of a specific format.
This is described in the relevant documentation: https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_ThreatPrevention_AdminGuide/Topics...
Hi,
I had the same issue with R81 and R81.10 Management Servers.
The issue is a cosmetic / compatibility issue between SmartConsole and the IIS web server.
If you ignore the error, publish and install the policy, the Gateway gets the new external IOC configuration and the IOC works as it should.
Hi,
I am running R81.10 in the SMS.
URL used for the feed (or https): http://secureupdates.checkpoint.com/IP-list/TOR.txt
Custom feed settings
Value 1 and type IP Address
Enabled Blades: Full Threat Prevention
curl_cli -v http://secureupdates.checkpoint.com/IP-list/TOR.txt for SMS, GW Successfully
I am able to download properly the txt from the PC running Smart Console
Checked all the suggestions made in
I am not able to see the state of the fetches by filtering the logs through the Anti-Bot and Anti-Virus blades.
blade:(Anti-Bot OR Anti-Virus).
Am I missing something?
Regards
Check "feed" in the logs. Make sure you have enabled the indicators usage in the TP profile.
Also, you can check on the GW whether it got the feeds under /opt/CPsuite-R81.10/fw1/external_ioc/<your feed name>
On the gateway, check "ioc_feeds show" to see the state and how the IOC-feeds are configured.
As @Nir_Shamir wrote, $FWDIR/external_ioc/ should contain a folder for each feed with the downloaded content...
Looking at the timestamp of the files in the folder and the MD5 in the _version file should tell you when the content was last loaded...
Cheers
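The timestamp check suggested in the replies above, as an added example that is not part of the original thread or of Check Point's tooling: a shell function that walks each feed folder under $FWDIR/external_ioc and flags folders whose files have not been modified recently. The function name, the FRESH/STALE/EMPTY labels and the 24-hour default threshold are assumptions.

```shell
#!/bin/sh
# Added example (not Check Point code): report how fresh each external IOC
# feed folder is, based on file modification times.
# Usage: feed_freshness [base_dir] [max_age_minutes]
# Assumed defaults: $FWDIR/external_ioc and 1440 minutes (24 hours).
feed_freshness() {
    base="${1:-$FWDIR/external_ioc}"
    max_min="${2:-1440}"
    # A missing base directory means no feed was ever fetched on this gateway.
    [ -d "$base" ] || { echo "MISSING $base"; return 2; }
    rc=0
    seen=0
    for dir in "$base"/*/; do
        [ -d "$dir" ] || continue          # glob matched nothing
        seen=$((seen + 1))
        name=$(basename "$dir")
        total=$(find "$dir" -type f | wc -l | tr -d ' ')
        # Files modified within the last $max_min minutes.
        fresh=$(find "$dir" -type f -mmin "-$max_min" | wc -l | tr -d ' ')
        if [ "$total" -eq 0 ]; then
            echo "EMPTY $name"; rc=1       # folder exists, nothing downloaded
        elif [ "$fresh" -eq 0 ]; then
            echo "STALE $name"; rc=1       # content present but not refreshed
        else
            echo "FRESH $name"
        fi
    done
    [ "$seen" -gt 0 ] || { echo "NO_FEEDS $base"; rc=1; }
    return $rc
}
```

A non-zero return code means at least one feed needs attention, which makes the function usable from a scheduled health check.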
Team
I will make a brief summary about this issue and the results of the case with the TAC.
SmartConsole External IOC Feeds work properly if the GWs are on R81 and above. After long sessions with the TAC, labs and the Escalation Team, that was the conclusion. Maybe somebody had luck with different versions, but we could not. We had 4 different environments with the SMS on R81.10 and GWs on R80.40.
It is clear in the documentation that the SMS must be on R81 and higher (SmartConsole feature), but not the GWs.
From the SK, this part is confusing:
Installation
The feature is integrated in version R80.30 and above.
Note: To import external Custom Intelligence Feeds using SmartConsole in versions R81 and higher, refer to: Threat Prevention R81 Administration Guide > Configuring Advanced Threat Prevention Settings > Configuring Threat Indicators > Importing External Custom Intelligence Feeds > Importing External Custom Intelligence Feeds in SmartConsole.
In some way they must include that the SmartConsole feature "works properly" on GWs with R81 and higher. It was suggested to the TAC to edit sk132193 and add some captures and log queries for verification, as posted in CheckMates threads.
We tested the CLI way and it works perfectly in the versions they mentioned, but not the SmartConsole external IOC feeds.
We also realized that in all the environments we tested, this file could not be found when you troubleshoot:
$FWDIR/log/ext_ioc_push.elg
I think with all the tests we made, there is a lot of information from the case we had to edit the SK and help the community.
Cheers
Thanks, that command was useful to find out what the feeds see.
Question for anyone - is the "Observables" tab supposed to be empty when using an external IOC (txt file)?
Using a CSV (Manual updated) I was able to see each entry but I am trying to automate this, so the feeds pull automatically without updating the local CSV I had made.
I added the custom settings, and it seems to be pulling feeds based on the results of "$FWDIR/external_ioc/*feed_name*".
I have the same question about the Observables tab, I've a working IOC feed config but the Observables tab is empty, @r1der were you able to get an answer about the Observables tab?
You won't see the observables on that tab when you have an automatic IOC configured.
They can only be seen on the GWs under FWDIR/external_ioc/feed_name_folder
It is not visible in SmartConsole. @Nir_Shamir posted the location on accessing it via ssh.
Optionally, you can view it by WinSCP and open the text files.