This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Rui_Gomes_PT
Contributor
‎2020-11-11 03:24 AM

R81 - External IOC feeds

Hi,

 

Trying to add an external IOC feed in R81

ioc1.png

 

I get an error regarding the ssl certificate. Is there a way to import de CA cert?

ioc2.png

 

Thanks!

0 Kudos
5 Replies
Tal_Paz-Fridman
Employee
Employee
‎2020-11-11 03:55 AM

Use an actual Custom Intelligence Feed site and it will work. Refer to sk132193 "What is the "Custom Intelligence Feeds" feature?"

External Indicator.png

0 Kudos
Rui_Gomes_PT
Contributor
‎2020-11-11 04:29 AM
In response to Tal_Paz-Fridman

Hi,

I already know that sk. We are using a internal site to add our ioc. It works if I follow the sk132193, but on the smart console (in R81) I get an error

0 Kudos
Tal_Paz-Fridman
Employee
Employee
‎2020-11-11 04:43 AM
In response to Rui_Gomes_PT

@Youssef_Obeidal can you look at this - failure validating a certificate from an internal site. 

0 Kudos
Thomas_Eichelbu
Advisor
‎2021-08-26 01:42 AM
In response to Tal_Paz-Fridman

Hello, 

well use this:
"For HTTPS remote feeds, if the certificate update process failed, you can skip the certificate verification. Run: export EXT_IOC_NO_SSL_VALIDATION=1 on the Security Gateway."

choose https for transport:
ioc_feeds add --feed_name XXXYYYZZZ--transport https --resource "https://XXXYYYZZZ" --format [value:1,type:ip]

this should help!

0 Kudos
Mstay
Explorer
‎2022-01-14 05:04 AM
In response to Thomas_Eichelbu

Team

I will make a brief summary about this issue and the results of the case with the TAC.

 

Smart Console External IOC Feeds works properly if the GWs are in R81 and above. After long sessions with the TAC, labs, Escalation Team, that was the conclusion. Maybe somebody had luck with different versions, but we could not.  We had 4 different environments with SMS in R81.10 and GWS R80.40

It is clear in documentation the SMS must be in R81 and higher (Smart Console Feature), but not the GWs

From SK this part is confuse

Installation

The feature is integrated in version R80.30 and above.

Note: To import external Custom Intelligence Feeds using SmartConsole in versions R81 and higher, refer to: Threat Prevention R81 Administration Guide > Configuring Advanced Threat Prevention Settings > Configuring Threat Indicators > Importing External Custom Intelligence Feeds > Importing External Custom Intelligence Feeds in SmartConsole.

In some way they must to include the Smart console feature ¨ works properly¨ in GWs with R81 and higher. Was suggested to the TAC to edit the sk132193 and add some captures, Logs queries for verifications as is posted in CHECKMATES threads.

We tested the CLI way and works perfect in the versions they mentioned, but not the Smart console External IOC feeds.

We also realized in all the environment we tested this file could not be found when you troubleshoot

$FWDIR/log/ext_ioc_push.elg

I think with all the tests we made,  there is a lot of information from the case we had to edit the SK and help the community.

Cheers

 

0 Kudos