Rui_Gomes_PT
Contributor

R81 - External IOC feeds

Hi,

Trying to add an external IOC feed in R81

ioc1.png

I get an error regarding the SSL certificate. Is there a way to import the CA cert?

ioc2.png

Thanks!

0 Kudos
5 Replies
Tal_Paz-Fridman
Employee

Use an actual Custom Intelligence Feed site and it will work. Refer to sk132193 "What is the "Custom Intelligence Feeds" feature?"

External Indicator.png

0 Kudos
Rui_Gomes_PT
Contributor

Hi,

I already know that SK. We are using an internal site to add our IOCs. It works if I follow sk132193, but in SmartConsole (in R81) I get an error.

0 Kudos
Tal_Paz-Fridman
Employee

@Youssef_Obeidal can you look at this - failure validating a certificate from an internal site. 

0 Kudos
Thomas_Eichelbu
Advisor

Hello,

Well, use this:
"For HTTPS remote feeds, if the certificate update process failed, you can skip the certificate verification. Run: export EXT_IOC_NO_SSL_VALIDATION=1 on the Security Gateway."

Choose https for transport:
ioc_feeds add --feed_name XXXYYYZZZ --transport https --resource "https://XXXYYYZZZ" --format [value:1,type:ip]

This should help!

0 Kudos
Mstay
Explorer

Team

I will give a brief summary of this issue and the results of the case with the TAC.

SmartConsole External IOC Feeds works properly if the GWs are on R81 and above. After long sessions with the TAC, labs, and the Escalation Team, that was the conclusion. Maybe somebody had luck with different versions, but we could not. We had 4 different environments with SMS on R81.10 and GWs on R80.40.

It is clear in the documentation that the SMS must be on R81 or higher (SmartConsole feature), but not the GWs.

This part of the SK is confusing:

Installation

The feature is integrated in version R80.30 and above.

Note: To import external Custom Intelligence Feeds using SmartConsole in versions R81 and higher, refer to: Threat Prevention R81 Administration Guide > Configuring Advanced Threat Prevention Settings > Configuring Threat Indicators > Importing External Custom Intelligence Feeds > Importing External Custom Intelligence Feeds in SmartConsole.

In some way they must include that the SmartConsole feature "works properly" on GWs with R81 and higher. It was suggested to the TAC to edit sk132193 and add some captures and log queries for verification, as posted in CheckMates threads.

We tested the CLI way and it works perfectly in the versions they mentioned, but the SmartConsole External IOC feeds do not.

We also realized that in all the environments we tested, this file could not be found when troubleshooting:

$FWDIR/log/ext_ioc_push.elg

I think that with all the tests we made, there is a lot of information from the case we had to edit the SK and help the community.

Cheers

0 Kudos