Hello, Mates.
I have an environment of several VSX Clusters, which are managed from an MDS.
We currently have many Perimeter FWs, and when we have certain IPs reported as “Malicious”, we have the need to block them in explicit rules that we already have created in each of the FWs.
The problem with doing it manually, is that this task “takes a lot of time”, and we want to use some automated way to be able to execute this task.
Is there any way in the Check Point solutions, that allows us to have a more “automated” environment for this type of tasks?
Thanks for your comments.
Ola bro,
How are you? Have a look at my post from last year, hope it can help you. Network feeds do NOT require the AV or AB blades to be enabled. I would say to begin with, do NOT use stamparm1 and emerg feeds, others are fine, stamparm 2-8.
https://community.checkpoint.com/t5/Security-Gateways/Network-feed/m-p/212407#M40317
Best,
Andy
Hello, my friend.
Some of my Perimeter FWs do have the AV and AB blades enabled, but others do NOT.
Would this way of working with the “Network Feed” work as well in the FWs that have these blades enabled?
Greetings.
Yes sir, 100%. Regardless of whether you have those blades enabled or not, network feeds work fine. I would make sure you have R81.20 installed, as it lets you test the feeds beforehand. Just for context, I often work with a smaller hospital (I mean, for comparison, it's not the size of Ankara city hospital in Turkey, nothing like that lol), but they were doing the same method for a long time like what you described, adding IPs manually.
I showed them the same post, they added ALL the feeds, and in 3 days they had more than 10 million hits, while before implementing net feeds, there were about 25k hits in 1 year.
Andy
And is it possible that even using this method, if it is necessary to add some IPs that report as “Malicious” to our monitoring area, we can somehow add them to the referral “sources”?
For example, you get 3 super strange “Malicious” IPs reported to you.
48.190.1.5
35.120.2.2
191.2.2.4
(Just to give you an example), and you are already using the Network Feeds.
Can these IPs be “tied” to this “Network Feeds” operation? Or would you have to manually create explicit rules to block these particular IPs?
That's right... though, you can search for any given IP when opening the links I posted, the same way you can do Ctrl+F to search for anything in a text file or web page. Keep in mind, any net feed is updated automatically, so you don't have to do anything yourself.
Andy
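The manual Ctrl+F lookup described above can be scripted. The following is an added example, not part of any post in this thread and not Check Point code: it checks reported IPs against a feed's text and lists the ones no feed entry covers. It assumes the feed is a plain-text list with one IP or CIDR per line and `#` comments; the feed content and the function names `parse_feed` and `triage` are constructed for illustration.

```python
import ipaddress

# Constructed sample feed text (not a real feed): one IP or CIDR per line, '#' comments.
SAMPLE_FEED = """\
# constructed sample feed
35.120.2.0/24
191.2.2.4
203.0.113.7   # trailing comment
not-an-ip
"""

def parse_feed(text):
    """Return the networks listed in a plain-text feed, skipping comments and junk."""
    nets = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            continue  # malformed line: ignore it rather than abort the whole feed
    return nets

def triage(reported, feed_nets):
    """Split reported IPs into covered / needs_own_entry / rejected."""
    result = {"covered": [], "needs_own_entry": [], "rejected": []}
    seen = set()
    for raw in reported:
        try:
            ip = ipaddress.ip_address(raw.strip())
        except ValueError:
            result["rejected"].append(raw)  # not a valid address at all
            continue
        if ip in seen:
            continue  # duplicate report
        seen.add(ip)
        if not ip.is_global:
            result["rejected"].append(str(ip))  # private/reserved: never block blindly
        elif any(ip in net for net in feed_nets):
            result["covered"].append(str(ip))  # a feed entry already matches it
        else:
            result["needs_own_entry"].append(str(ip))
    return result

if __name__ == "__main__":
    # The three example IPs from the post above, plus constructed edge cases.
    reported = ["48.190.1.5", "35.120.2.2", "191.2.2.4", "10.1.1.1", "35.120.2.2", "bogus"]
    print(triage(reported, parse_feed(SAMPLE_FEED)))
```
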
Btw, even if you have any gateways on R80.xx, those can also do net feeds, but I definitely suggest they be on R81.20, if possible, to utilize all the available options.
Andy
Btw, figured I would update you on this post as well... tested R82 VSX for network feeds, no issues.
Andy
@Matlu If you need me to test anything else in the lab, please let me know.
Andy
Just a word of caution though... maybe don't add all of the net feeds I provided at once, start with 2 or 3 and then give it a couple of days and see how many hits you get, just to make sure there are no inadvertent effects.
Andy
From the list of .txt file options, which option do you recommend to use in my ‘Network Feeds’?
Hey bro,
Here is the thing. My best suggestion is if you are unsure, always test any IP you are concerned about in the link below, it's very accurate. We always use it to check those things. Besides, the only way to really know is to apply the feed, block it in policy, and then observe and see.
Andy
Another helpful link I found.
Andy
https://github.com/Bert-JanP/Open-Source-Threat-Intel-Feeds?tab=readme-ov-file