- Products
- Learn
- Local User Groups
- Partners
- More
Access Control and Threat Prevention Best Practices
5 November @ 5pm CET / 11am ET
Ask Check Point Threat Intelligence Anything!
October 28th, 9am ET / 3pm CET
Check Point Named Leader
2025 Gartner® Magic Quadrant™ for Hybrid Mesh Firewall
HTTPS Inspection
Help us to understand your needs better
CheckMates Go:
Spark Management Portal and More!
Hi everyone.
After spending some time trying to configure (via SmartConsole R81.10) the blocking of IP addresses known as malicious, based on sk103154, I finally managed to make it work.
I was using the Check Point list (https://secureupdates.checkpoint.com/IP-list/TOR.txt) and whenever I looked at the logs I got the error "Feed format problem. Feed format not supported".
The problem is that we are not declaring a file in .csv format.
To solve this problem, just select "IP Address" in the type field, and enter "1" in the "Value" field of the custom feed settings.
Good luck to everyone.
Well done sir, thank you for sharing this. Happy holidays!
Andy
Yes, we were recently exploring the feature/function to block IP using custom IOC as sk132193 described. Most of time the issue we ran into with the feed is format. Since different feed come in different format, each IOC feed need to have the format defined correctly. (In your example, type is IP address, and Value is located on 1st column). In some feed column 1 is name and column 2 is value (IP address).
Do you have any luck with Threat Intel feed that require API key access?
That's exactly it.
I haven't tested it with API key yet.
I'm researching it and as soon as I get something I'll post it here.
If you can get something post it here too, please.
Hi Rodrigo
Do you get output form this command?
[Expert@HostName:0]# ioc_feeds show
Regards
Hi @DDiaz
I noticed that feeds added via SmartConsole only appear in SmartConcole, and the same is true for feeds added via cli.
I didn't find this limitation in the documentation.
On sk132193 you can find the list of cli commands.
Regards
Exactly that is my point, i would like to know how to check the feeds are working properly if I use smart console. I had a case with the TAC and told me is a must to run the CLI commands to make it work
First check if the updates are ok.
You can check this by filtering the logs through the Anti-Bot and Anti-Virus blades.
blade:(Anti-Bot OR Anti-Virus).
If everything is fine, you will see the Prevents in the logs on those same blades.
In my environment, I only see outgoing traffic being prevented.
My expectation was that all traffic originating from IPs known to be malicious would be blocked.
I can not find this logs in my environment, even if i curls the Urls meaning they are being downloading properly. I would appreciate if CP edit the SK with more details. Is not clear the steps on this. I had all this questions and TAC told us we must to run the cli commands. I can see in your environment works in another way
Regards
I agree with you. SK could definitely be edited with more details.
For what it's worth, you will also need to be on at least R81 to drop incoming traffic.
Rodrigo
Which JHF version are you using?
Thanks
R81.10
@DDiaz , there is a troubleshooting section all the way at the bottom of sk132193. It includes many commands you can use to narrow down the issue.
First have to make sure the feed is pulling correctly, then have to make sure in read/ingest/interpret correctly by Check Point Gateway.
In my experience, the first issue was feed not pulling correctly since I put http instead of https; 2nd issue was the format which I corrected it like @Rodrigo_Silva screenshot show us.
Note that another issue I ran into is: if you are not pulling a remote feed and are importing a csv file locally from smart console, the csv file need to follow exact format as sk132193 describe under the section  "CSV (*.csv) format", which contain 7 fields: UNIQ-NAME,VALUE,TYPE,CONFIDENCE,SEVERITY,PRODUCT,COMMENT
Hi,
I am running R81.10 in the SMS.
URLS used for feed (or https). http://secureupdates.checkpoint.com/IP-list/TOR.txt
Custom feed settings
Value 1 and type IP Address
Enabled Blades: Full Threat Prevention
curl_cli -v http://secureupdates.checkpoint.com/IP-list/TOR.txt for SMS, GW Successfully
I am able to download properly the txt from the PC running Smart Console
I am not able to see the state of the Fetches by filtering the logs through the Anti-Bot and Anti-Virus blades.
blade:(Anti-Bot OR Anti-Virus).
Do i missing something?
Regards
For my experience, the feed I added through smart console are added to all gateway managed by the smart management server (which is what I want).
Since your feed is Tor Exit node, it make sense to observe it in outgoing traffic not incoming traffic.
If you want to see something for incoming traffic, try the Talos feed or AlienVault feed, you will see some external IP probing the firewall and prevented by the IPS/IOC feed.
Thank you very much @Cyber_Serge . Will try that ASAP. Will post my results
TOR exit node IPs are relevant for both ingress and egress blocking, See https://www.cisa.gov/uscert/ncas/alerts/aa20-183a for an analysis.
An operationally viable approach for ingesting IOC feeds into Check Point enforcement points is provided by Infinity NDR. The feeds are managed centrally, and the individual IOCs can be seen and managed in the NDR application. They can then be selectively delivered via NDR "data sets", which are compatible with sk132193.
Note: inbound blocking (as well as IPv6 indicators) are supported starting from R81.
User guide: https://community.checkpoint.com/t5/CloudGuard-NDR/Infinity-NDR-Intel-User-Guide/m-p/131434
Guys
What is the output of this command in your environment?
cat $FWDIR/conf/ioc_feeder.conf
{
"external_ioc": "on",
"interval": "300",
"ioc_bundle": "/database/ca_bundle.pem",
"feeds": {
}
}
[Expert@FW-MGMT-UY:0]#
The interval does not change even if you modify it from:
To change the fetching interval, go to Manage & Settings > Blades > Threat Prevention > Advanced Settings, go to External Feed, and select the applicable interval.
Disclaimer that I'm still on R81 but here I can see the difference between something configured locally and something from the GUI...
Cheers
Which command was used [Expert@HostName:0]# ioc_feeds show ?
I just have output using CLI IOC feeds. If smart console method is used nothing show
There is a lot off different things regarding this issue. SK must be updated, is very confusing.
Yes, thats from ioc_feeds show...
I have 7 feeds configured so there was too much to blur out to get it all in one screenshot 😀
Did you use the Smart Console Method?
Which version of SMS and FW do you have.
I am not able to make it work via Smart console, just CLI way
Followed all the recommendations possible and no luck
Regards
Yes, the once that are marked "centrally managed" are done through the GUI.
R81 JHF44.
Team
I will make a brief summary about this issue and the results of the case with the TAC.
Smart Console External IOC Feeds works properly if the GWs are in R81 and above. After long sessions with the TAC, labs, Escalation Team, that was the conclusion. Maybe somebody had luck with different versions, but we could not. We had 4 different environments with SMS in R81.10 and GWS R80.40
It is clear in documentation the SMS must be in R81 and higher (Smart Console Feature), but not the GWs
From SK this part is confuse
Installation
The feature is integrated in version R80.30 and above.
Note: To import external Custom Intelligence Feeds using SmartConsole in versions R81 and higher, refer to: Threat Prevention R81 Administration Guide > Configuring Advanced Threat Prevention Settings > Configuring Threat Indicators > Importing External Custom Intelligence Feeds > Importing External Custom Intelligence Feeds in SmartConsole.
In some way they must to include the Smart console feature ¨ works properly¨ in GWs with R81 and higher. Was suggested to the TAC to edit the sk132193 and add some captures, Logs queries for verifications as is posted in CHECKMATES threads.
We tested the CLI way and works perfect in the versions they mentioned, but not the Smart console External IOC feeds.
We also realized in all the environment we tested this file could not be found when you troubleshoot
$FWDIR/log/ext_ioc_push.elg
I think with all the tests we made, there is a lot of information from the case we had to edit the SK and help the community.
Cheers
Follows your steps, but I get the error "Checkpoint_TorExitNodes: Feed format problem. Feed format not supported" when i check AV blade logs. Can you please help.
Regards,
MD
hi guys
i'm on R81.10 MDS with Take 45 and some test gateway with 80.40 Take 139 and Take 156.
i've followed the SK and this thread..but it doesn't work as expected.
feed are imported and fetched correctly ( using cli ) (i've tried two differents feeds )
ioc_feeds show
Feed Name: CPtorIP
Feed is Active
File will be fetched via HTTPS
Resource: https://secureupdates.checkpoint.com/IP-list/TOR.txt
Action: Prevent
Feed type: custom_csv
Feed Name: reputation
Feed is Active
File will be fetched via HTTP
Resource: http://reputation.alienvault.com/reputation.data
Action: Prevent
Feed type: custom_csv
Total number of feeds: 2
Active feeds: 2
( and from smartconsole log,blade Antivirus I don't see any error )
but if I try to generate some traffic from the firewall TO some of that ip addresses...it simply pass...without being prevented.
is it normal?
Hi,
If you have bersion R81, you could try the sollution suggested here:
"select "IP Address" in the type field, and enter "1" in the "Value" field of the custom feed settings."
 
					
				
				
			
		
Leaderboard
Epsum factorial non deposit quid pro quo hic escorol.
| User | Count | 
|---|---|
| 23 | |
| 15 | |
| 12 | |
| 9 | |
| 7 | |
| 7 | |
| 7 | |
| 7 | |
| 6 | |
| 4 | 
Wed 22 Oct 2025 @ 11:00 AM (EDT)
Firewall Uptime, Reimagined: How AIOps Simplifies Operations and Prevents OutagesTue 28 Oct 2025 @ 11:00 AM (EDT)
Under the Hood: CloudGuard Network Security for Google Cloud Network Security Integration - OverviewWed 22 Oct 2025 @ 11:00 AM (EDT)
Firewall Uptime, Reimagined: How AIOps Simplifies Operations and Prevents OutagesTue 28 Oct 2025 @ 11:00 AM (EDT)
Under the Hood: CloudGuard Network Security for Google Cloud Network Security Integration - OverviewTue 28 Oct 2025 @ 12:30 PM (EDT)
Check Point & AWS Virtual Immersion Day: Web App ProtectionAbout CheckMates
Learn Check Point
Advanced Learning
YOU DESERVE THE BEST SECURITY