Hey boys and girls,
Happy Friday and weekend 🙂
Just figured I would share some IOC feeds I put together in my lab. I counted, and there are about 2000 known bad IPs blocked via all of them together, so hopefully it can help others.
If anyone has any others to share, please do so. FYI, you do need either the AV or AB blade enabled to use IOC feeds, and for best results I recommend R81.20, as it also lets you test the feeds from SmartConsole.
I truly believe everyone should use this method, as, let's be honest, with ever-evolving threats from the Internet, who has the time to manually keep updating bad IPs to be blocked? I will take a wild guess and say probably no one lol
Best,
Andy
[Expert@azurefw:0]# ioc_feeds show
Feed Name: talos_1
Feed is Active
File will be fetched via HTTPS
Resource: https://www.talosintelligence.com/
Action: Prevent
User Name:
Feed is centrally managed
Feed Name: sans
Feed is Active
File will be fetched via HTTPS
Resource: https://isc.sans.edu/
Action: Prevent
User Name:
Feed is centrally managed
Feed Name: isacs
Feed is Active
File will be fetched via HTTPS
Resource: https://www.nationalisacs.org/
Action: Prevent
User Name:
Feed is centrally managed
Feed Name: Imfraguard
Feed is Active
File will be fetched via HTTPS
Resource: https://www.infragard.org/
Action: Prevent
User Name:
Feed is centrally managed
Feed Name: virustotal
Feed is Active
File will be fetched via HTTPS
Resource: https://www.virustotal.com/
Action: Prevent
User Name:
Feed is centrally managed
Feed Name: Cisa
Feed is Active
File will be fetched via HTTPS
Resource: https://www.cisa.gov/topics/cyber-threats-and-advisories/information-sharing/automated-indicator-sha...
Action: Prevent
User Name:
Feed is centrally managed
Feed Name: googlesafebrowsing
Feed is Active
File will be fetched via HTTPS
Resource: https://safebrowsing.google.com/
Action: Prevent
User Name:
Feed is centrally managed
Feed Name: spamhaus
Feed is Active
File will be fetched via HTTPS
Resource: https://www.spamhaus.org/
Action: Prevent
User Name:
Feed is centrally managed
Feed Name: abuse.ch
Feed is Active
File will be fetched via HTTPS
Resource: https://abuse.ch/
Action: Prevent
User Name:
Feed is centrally managed
Feed Name: virusshare
Feed is Active
File will be fetched via HTTPS
Resource: https://virusshare.com/
Action: Prevent
User Name:
Feed is centrally managed
Feed Name: talos
Feed is Active
File will be fetched via HTTP
Resource: http://www.talosintelligence.com/documents/ip-blacklist
Action: Prevent
User Name:
Feed is centrally managed
Feed Name: sslbl
Feed is Active
File will be fetched via HTTPS
Resource: https://sslbl.abuse.ch/blacklist/sslipblacklist.csv
Action: Prevent
User Name:
Feed is centrally managed
Feed Name: cybercrime
Feed is Active
File will be fetched via HTTPS
Resource: https://cybercrime-tracker.net/ccamlist.php
Action: Prevent
User Name:
Feed is centrally managed
Feed Name: reputation
Feed is Active
File will be fetched via HTTP
Resource: http://reputation.alienvault.com/reputation.data
Action: Prevent
User Name:
Feed is centrally managed
Feed Name: ipspamlist
Feed is Active
File will be fetched via HTTP
Resource: http://www.ipspamlist.com/public_feeds.csv
Action: Prevent
User Name:
Feed is centrally managed
Feed Name: botvrij
Feed is Active
File will be fetched via HTTPS
Resource: https://www.botvrij.eu/data/ioclist.hostname.raw
Action: Prevent
User Name:
Feed is centrally managed
Feed Name: Known_bad_IPs
Feed is Active
File will be fetched via HTTPS
Resource: https://www.misp-project.org/feeds/
Action: Prevent
User Name:
Feed is centrally managed
Feed Name: github-blocklist
Feed is Active
File will be fetched via HTTPS
Resource: https://github.com/firehol/blocklist-ipsets
Action: Prevent
User Name:
Feed is centrally managed
Feed Name: feodo_tracker
Feed is Active
File will be fetched via HTTPS
Resource: https://feodotracker.abuse.ch/downloads/ipblocklist_recommended.txt
Action: Prevent
User Name:
Feed is centrally managed
Feed Name: emerging_threats
Feed is Active
File will be fetched via HTTP
Resource: http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt
Action: Prevent
User Name:
Feed is centrally managed
Feed Name: test-feed
Feed is Active
File will be fetched via HTTPS
Resource: https://csp.infoblox.com/
Action: Detect
User Name:
Feed is centrally managed
Total number of feeds: 21
Active feeds: 21
[Expert@azurefw:0]#
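As an added example (not part of Andy's post and not a Check Point tool), the script below parses the `ioc_feeds show` output above and flags what a reviewer would want to check before trusting the list: feeds fetched over plain HTTP, where the list can be modified in transit; resources that point at a site's root page rather than a downloadable list file, which is the kind of entry that later surfaces in HCP as a parse failure; feeds whose action is Detect rather than Prevent; and inactive feeds. The sample input is a constructed excerpt of four of the blocks above, and the parser keys on the exact field labels the command prints.

```python
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed excerpt of `ioc_feeds show` output in the format shown in the
# thread (four of the feeds listed above); not captured from a live gateway.
SAMPLE_OUTPUT = """\
Feed Name: talos_1
Feed is Active
File will be fetched via HTTPS
Resource: https://www.talosintelligence.com/
Action: Prevent
User Name:
Feed is centrally managed
Feed Name: talos
Feed is Active
File will be fetched via HTTP
Resource: http://www.talosintelligence.com/documents/ip-blacklist
Action: Prevent
User Name:
Feed is centrally managed
Feed Name: feodo_tracker
Feed is Active
File will be fetched via HTTPS
Resource: https://feodotracker.abuse.ch/downloads/ipblocklist_recommended.txt
Action: Prevent
User Name:
Feed is centrally managed
Feed Name: test-feed
Feed is Active
File will be fetched via HTTPS
Resource: https://csp.infoblox.com/
Action: Detect
User Name:
Feed is centrally managed
Total number of feeds: 4
Active feeds: 4
"""


@dataclass
class Feed:
    name: str
    active: bool = False
    transport: str = ""   # from "File will be fetched via HTTP/HTTPS"
    resource: str = ""
    action: str = ""


def parse_ioc_feeds(text: str) -> list[Feed]:
    """Parse the plain-text blocks printed by `ioc_feeds show`."""
    feeds: list[Feed] = []
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Feed Name:"):
            cur = Feed(name=line.split(":", 1)[1].strip())
            feeds.append(cur)
        elif cur is None:
            continue  # anything printed before the first block
        elif line == "Feed is Active":
            cur.active = True
        elif line.startswith("File will be fetched via"):
            cur.transport = line.rsplit(" ", 1)[1].lower()
        elif line.startswith("Resource:"):
            cur.resource = line.split(":", 1)[1].strip()
        elif line.startswith("Action:"):
            cur.action = line.split(":", 1)[1].strip()
    return feeds


def audit(feeds: list[Feed]) -> dict[str, list[str]]:
    """Return, per feed name, the review findings (empty list = nothing to flag)."""
    report: dict[str, list[str]] = {}
    for f in feeds:
        issues: list[str] = []
        url = urlparse(f.resource)
        if not f.active:
            issues.append("feed is inactive")
        # Plain HTTP: the gateway cannot tell a tampered list from a genuine one.
        if f.transport == "http" or url.scheme == "http":
            issues.append("plaintext transport")
        # A bare hostname or site root serves an HTML page, not an indicator list.
        if url.path in ("", "/"):
            issues.append("site root, not a feed file")
        if f.action.lower() != "prevent":
            issues.append(f"action is {f.action}")
        report[f.name] = issues
    return report


if __name__ == "__main__":
    for name, issues in audit(parse_ioc_feeds(SAMPLE_OUTPUT)).items():
        print(f"{name:16} {'OK' if not issues else '; '.join(issues)}")
```

To run it against a real gateway, pipe the output of `ioc_feeds show` into a file and pass that text to `parse_ioc_feeds` instead of the constructed sample.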
In R81.20, I had not noticed any issues at all.
Andy
I haven't noticed any performance impact with our production cluster.
This one doesn't work with the IOC Feed object. I can see that the list is fetched but not applied, and it generates an error in HCP saying it can't be reached, but that's not true since the list is fetched and stored in the IOC path on the GWs.
Yes, it does not work with IOC Feed, I had to create a network feed object and create just as @delToro1 listed. My question now is becoming should I be using this approach (network feed in policy) versus IOC Feed in the Threat Prevention policy. Has anyone tested either approach to see what the pros and cons are?
IOC feed is only for incoming traffic.
If you use a network feed you can add it to both incoming and outgoing. In my opinion more useful.
I have had a network object feed running for a while and it's generating a lot of hits. A quirk about the lists is that you need to monitor them in order to verify whether they are active or not. At least the lists I have configured.
HCP will tell if there is an issue with both network and IOC feed.
That makes sense, any tips on how you are monitoring is greatly appreciated!
The only thing for now is to check HCP in SmartConsole for the relevant GWs.
I saw that with r81.20 JHF 89 added alerts for Identity Sharing. Maybe this will be a future feature for services like this.
BTW you can run individual HCP tests directly on the machine
hcp -l to list all available tests
hcp -r <test name>
So for IoC it would be:
hcp -r "IoC Feeds Database"
New HCP takes are available here:
Thats cool. Thanks.
Do we need to manually install new HCP takes ?
Yes, it is updated automatically (like other updateable packages).
Obviously if the machine does not have connectivity to the Internet you will have to install it manually.
Does hcp -r "IoC Feeds Database" also check the Network Feeds?
This is my output, it doesn't seem to indicate anything for Network Feeds....
hcp -r "IoC Feeds Database"
Test name Status
============================================================
IoC Feeds Database................................[PASSED]
To view full report on this machine, run "hcp --show-last"
Test name Status Runtime (sec)
==========================================================================
IoC Feeds Database................................[PASSED] 0.00024
+------------------------------------------------------------------------------------------------------------------------------------+
| Results |
+====================================================================================================================================+
| Anti-Virus/Threat Prevention/IoC Feeds Database |
+------------------------------------------------------------------------------------------------------------------------------------+
| Result: SUCCESS |
| |
| Description: This test checks if the Security Gateway parsed all configured IoC feeds |
| |
| |
| |
+------------------------------------------------------------------------------------------------------------------------------------+
Interesting... mine shows below. I tried both formats, but when I test feeds, all is green.
Andy
|
| Feed: Cisa |
| Error: Failed to parse the feed: Cisa |
| Make sure the feed format is correct. See sk132193. |
| Feed update status - error. |
| Feed: Talos-feed |
| Error: The feed resource https://www.talosintelligence.com/ is not available. Make sure the Security Gateway can connect to it. |
| |
| |
+------------------------------------------------------------------------------------------------------------------------------------+
[Expert@CP-GW:0]#
Yes, I get errors if there are issues with IOC Feeds....however I don't see anything for network feeds (good or bad!)
See, for the 2 IOCs I configured, no errors when I test them, it's green, just an error when running the command.
Andy
Yep, I noticed the same thing, which is why I am pivoting away from IOC and going the network feed route.
#1 It's easy to track when an IP is blocked from a feed (can easily create alert rules for this)
#2 You can use a network feed with an egress rule and alert on it (home-grown anti-bot?)
There just seems to be much more visibility into what is going on with network feeds vs IOC feeds, and then the countless errors I found when adding IOC feeds (yet they were green when I added them!)
I'm with you there, agree 100%.
I agree 100%.
Andy
I believe someone confirmed it in a different post as well, that's true.
Andy
Though you can use network feeds with VSX, since that's strictly in the rulebase.
Andy
Check out the post I made below about it, see if it helps.
https://community.checkpoint.com/t5/Security-Gateways/Network-feed/m-p/212407#M40317
Hello, I just discovered IOC feeds and I was wondering how to create this in SmartConsole
Feed Name: talos_1
Feed is Active
File will be fetched via HTTPS
Resource: https://www.talosintelligence.com/
Action: Prevent
User Name:
Feed is centrally managed
What should I put in the Feed URL?
https://www.talosintelligence.com/ doesn't seem to work
I was able to configure the Check Point TOR list like this:
https://secureupdates.checkpoint.com/IP-list/TOR.txt with format "custom csv" + Data type : Ip Address
Thanks for your help
You don't do it from there, it's a network feed, which is different. You can refer to this link.
Can't point exactly on the screenshot, but it's under Indicators and then you click on New at the top. Sorry, not an expert on taking screenshots on a Mac lol
Btw, you need the AV or AB blade enabled to use the indicators.
I'm not sure I understand. I'm creating a new IOC Feed under Indicators in the Threat Prevention policy. Am I not in the right place?
Do I have to create a new Network Feed or a new IOC Feed?
Could you show me a screenshot of one you have configured in this post?
Thanks !
I will send it tomorrow, I don't have my lab on at the moment. Yes, you are in the right place, that's where you create IOCs, just click on Test Feed once you put in the FQDN.
Just remember this, it's important... for network feeds, you do NOT need any extra license or AV/AB blades enabled, and those can be used in the access policy.
Ok, but what is the FQDN I need to put for every resource posted here?
Ex:
Feed Name: talos_1
Feed is Active
File will be fetched via HTTPS
Resource: https://www.talosintelligence.com/
Action: Prevent
User Name:
Feed is centrally managed
I've put https://www.talosintelligence.com/ but it's not working....
I was able to use the Check Point TOR list with https://secureupdates.checkpoint.com/IP-list/TOR.txt
So I'm wondering what to put for every resource
Thanks
I will check it in the morning and update you. Maybe not every link works now, but I recall testing them when I posted this on the community.
Thanks for helping, I appreciate it
Of course, we are here to help each other! Hey, in the meantime, check out below link, there are some good links there.
https://github.com/hslatman/awesome-threat-intelligence?tab=readme-ov-file
Thanks for the link, but how do you find the IoC feed URL exactly? That is what I'm trying to understand / find for every link we see here and on GitHub
Thanks
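On the question of what to put in the feed URL: the HCP failure Andy pasted above ("Failed to parse the feed ... See sk132193") is the clue. An IOC Feed object needs a URL to a file the gateway can parse in the custom indicator CSV format described in that SK, and a vendor's homepage is not such a file, which is why a bare site URL tests green but never yields indicators. As an added example (mine, not from the thread and not a Check Point tool), the script below converts a raw newline-separated IP blocklist, the style of the feodo_tracker and emerging_threats URLs listed above, into that CSV so it can be hosted on an internal HTTPS server and referenced as the feed resource. The column layout and the '#' comment convention are my reading of sk132193 and should be checked against the SK for your release; the confidence, severity and product values, the `sample` name prefix and the sample blocklist are assumptions. It also drops CIDR entries, non-IPv4 tokens, duplicates and anything in a local or reserved range, since a poisoned or careless feed carrying 10.0.0.0/8 or a loopback address would have the gateway block its own infrastructure.

```python
import csv
import io
import ipaddress

# Constructed sample in the style of a raw IP blocklist (comment lines, a trailing
# comment, a CIDR, an internal address, junk, a duplicate). Documentation
# addresses only, not real indicators.
RAW_FEED = """\
# Sample blocklist (constructed for this example)
203.0.113.10
203.0.113.11   # trailing comment
198.51.100.0/24
10.0.0.5
2001:db8::1
not-an-ip
203.0.113.10
"""

# Column layout of a Check Point custom indicator CSV as I read sk132193.
# Assumption: verify against the SK for your release before relying on it.
HEADER = ["UNIQ-NAME", "VALUE", "TYPE", "CONFIDENCE", "SEVERITY", "PRODUCT", "COMMENT"]

# Ranges that must never come out of a block feed: blocking any of these would
# cut off the gateway's own networks rather than an attacker.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "255.255.255.255/32")]


def parse_raw_feed(text):
    """Return (ips, skipped): accepted IPv4Address objects in file order and a
    list of (token, reason) for every non-empty line that was not emitted."""
    ips, skipped, seen = [], [], set()
    for raw in text.splitlines():
        token = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not token:
            continue
        if "/" in token:
            skipped.append((token, "cidr"))  # only single addresses are emitted here
            continue
        try:
            addr = ipaddress.IPv4Address(token)
        except ValueError:
            skipped.append((token, "not an ipv4 address"))
            continue
        if any(addr in net for net in LOCAL_NETS):
            skipped.append((token, "local or reserved range"))
            continue
        if addr in seen:
            skipped.append((token, "duplicate"))  # UNIQ-NAME must be unique per feed
            continue
        seen.add(addr)
        ips.append(addr)
    return ips, skipped


def to_checkpoint_csv(ips, prefix, product="AB", confidence="high",
                      severity="high", comment=""):
    """Render the accepted addresses as a custom indicator CSV (returned as a string)."""
    buf = io.StringIO()
    # Lines starting with '#' are comments in the SK format (assumption), so the
    # header travels as a comment and is not parsed as an indicator.
    buf.write("#" + ",".join(HEADER) + "\n")
    writer = csv.writer(buf, lineterminator="\n")
    for addr in ips:
        writer.writerow([f"{prefix}-{addr}", str(addr), "IP",
                         confidence, severity, product, comment])
    return buf.getvalue()


if __name__ == "__main__":
    ips, skipped = parse_raw_feed(RAW_FEED)
    print(to_checkpoint_csv(ips, "sample", comment="constructed example"), end="")
    for token, reason in skipped:
        print(f"skipped {token!r}: {reason}")
```

Nothing here fetches anything; the idea is to download the raw list on a host you control, run the conversion there, serve the result over HTTPS, and point the IOC Feed object at that URL. Lists that are already plain IPs or CIDRs can go straight into a Network Feed object in the Access Control policy, as the TOR list example above shows, without this conversion.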