
IOC FEED import does not work

Hello,


I am using the Check Point IOC feed import feature for some known IOC feeds.

One of the known IOC feeds is at location


This is from Firehol.


When I try to add it on the gateway using the command below, it gives me an error:


ioc_feeds add --feed_name Firehol --transport https --resource "" --format [value:1,type:ip] --comment ["#"] 


$FWDIR/bin/ioc_feeder -d -f

gives the below:


Feed status Firehol :: IOC_FAILED_WHILE_PARSING


cat $FWDIR/log/ioc_feeder.elg | grep Firehol

gives the below info:


packFeeds: [WARN] Feed Firehol cannot be pushed.
Firehol: Feed format problem. Feed format not supported" severity 0
 Feed status Firehol :: IOC_FAILED_WHILE_PARSING
Firehol: Feed format problem. Feed format not supported



The gateway is R81.10 take 55.

There is a case open with Check Point support, but as of now they cannot tell me the reason why it is not working.

0 Kudos
6 Replies

That file is not in the correct format and thus won’t work with ioc_feeder.
The formats supported are described here:

That file might be suitable for the Network Feed feature available in R81.20 (currently in public EA):


Normally, I would never argue with PhoneBoy, but I think he is wrong here.

Your feed seems supported and working (even on R80.40, where this IOC feed feature is missing some features). When you look at the sk132193 PhoneBoy links to, it is even shown as an example: "Original CSV structure is a list of IP addresses in CIDR format".

I think your problem is not the feed format itself.

Please post your $FWDIR/conf/ioc_feeder.conf.

I guess it is missing the comment statement you provided within your ioc_feeds add command. This is a known bug, at least in R80.40, which R&D is currently working on (yes, I have a TAC case running for this). Maybe you see this also on R81.10.


I got this feed working with the same ioc_feeds add command you used. The only thing I did: I added the missing comment line to $FWDIR/conf/ioc_feeder.conf:

    "external_ioc": "on",
    "interval": "300",
    "ioc_bundle": "/database/ca_bundle.pem",
    "feeds": {
        "Firehol": {
            "feed_action": "prevent",
            "resource": "",
            "format": "[value:1,type:ip]",
            "comment": "#",
            "input_name": "Firehol_https",
            "active": "true",
            "feed_format": "custom_csv",
            "transport": "https"

After that, I refetched the feeds with:

[Expert@gateway:0]# $FWDIR/bin/ioc_feeder -d -f
Convert your csv format to Check Point's supported csv format. Supported fields: [name,value,type,confidence,severity,product,comment]
All content coming after  ['#']  will be ignored

[Name, Value, Type]
observ1,,ip range,,,,
observ2,,ip range,,,,
observ3,,ip range,,,,
observ4,,ip range,,,,
observ5,,ip range,,,,
observ6,,ip range,,,,
observ7,,ip range,,,,
observ8,,ip range,,,,
observ9,,ip range,,,,
observ10,,ip range,,,,
observ11,,ip range,,,,

Successfully converted
IPS package: Compiled OK.
Signatures loaded successfully

Working fine.
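
A local pre-flight model of the conversion seen in the ioc_feeder output above, added here as an example (it is not Check Point's code and not from any poster in this thread): it shows why a `#`-commented IP list only parses cleanly when the comment marker is set for the feed. The function name `convert`, the sample addresses and the "ip" versus "ip range" mapping are assumptions.

```python
import ipaddress

# Constructed sample in the shape of a '#'-commented IP/CIDR list.
# Addresses are documentation ranges, not taken from the real feed.
SAMPLE_FEED = """\
# constructed header line
# another header line
192.0.2.0/24
198.51.100.7   # trailing note
203.0.113.0/25

"""

# Field order printed by ioc_feeder in the output quoted in the thread.
FIELDS = ["name", "value", "type", "confidence", "severity", "product", "comment"]


def convert(feed_text, comment=None, value_col=1, delimiter=","):
    """Model a feed declared as [value:<value_col>,type:ip]; return (rows, errors)."""
    rows, errors = [], []
    for lineno, raw in enumerate(feed_text.splitlines(), start=1):
        line = raw
        if comment:
            # Everything after the comment marker is ignored.
            line = line.split(comment, 1)[0]
        line = line.strip()
        if not line:
            continue
        cols = [c.strip() for c in line.split(delimiter)]
        value = cols[value_col - 1] if len(cols) >= value_col else ""
        try:
            net = ipaddress.ip_network(value, strict=False)
        except ValueError:
            errors.append((lineno, raw))  # not an IP or CIDR: would break parsing
            continue
        # Assumption: a single host maps to "ip", anything wider to "ip range".
        kind = "ip" if net.num_addresses == 1 else "ip range"
        rows.append([f"observ{len(rows) + 1}", value, kind, "", "", "", ""])
    return rows, errors


if __name__ == "__main__":
    for marker in ("#", None):
        rows, errors = convert(SAMPLE_FEED, comment=marker)
        print(f"comment={marker!r}: {len(rows)} rows, {len(errors)} bad lines")
        for row in rows:
            print(",".join(row))
```

Running the same function over a downloaded copy of a feed before adding it on the gateway lists the exact lines that are neither an IP nor a CIDR.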


Always happy to be wrong if the right answer comes out as a result 😁

0 Kudos

I tried it the easy way - using Infinity NDR Intel.

There are 2,538 IoCs here - all of them get imported cleanly if you define an input feed on this URL.

You can see the output feed from my test domain - published at:

Should be compatible with R80.30 and above.

Here's all I did - defined the feed as single-type list (IP) without header, and the IOCs started to populate automatically:





Thanks a lot Nir, I will try and see if this works.

0 Kudos

Thanks a lot Tobias, I will try and see if this works.


0 Kudos

