I just found this link witch have a lot of good IoC Feed Url 

Bert-JanP/Open-Source-Threat-Intel-Feeds: This repository contains Open Source freely usable Threat ...

I find it very odd that now when I test all this in R82 lab, bunch of links give cert warning, I accept and recheck, keeps looping constantly, never works, but worked in R81.20

Now Im super curious to find generic one, if it exists. I will keep "digging" ; -)

Link you gave, I actually did have it, but bunch of those also fail in R82

I tried these one and worked for now 

• https://raw.githubusercontent.com/stamparm/ipsum/master/levels/2.txt
• https://raw.githubusercontent.com/stamparm/ipsum/master/levels/3.txt
• https://raw.githubusercontent.com/stamparm/ipsum/master/levels/4.txt
• https://raw.githubusercontent.com/stamparm/ipsum/master/levels/5.txt
• https://raw.githubusercontent.com/stamparm/ipsum/master/levels/6.txt
• https://raw.githubusercontent.com/stamparm/ipsum/master/levels/7.txt
• https://raw.githubusercontent.com/stamparm/ipsum/master/levels/8.txt
• https://lists.blocklist.de/lists/all.txt

One question when we create IoC Feed under "Indicators" in Threat Prevention Policy should i add also a Network Rule with a Netword Feed Object that block 2 ways communication or only the IoC Feed is enough ? 

Thanks !

They work as network feeds, NOT ioc feeds. Thats why I said Im trying to find if there is one generic link that can be used for ioc feed.

I will definitely keep checking on this until I find link that would contain large database of stuff that can be blocked.

https://www.talosintelligence.com is not a URL that contains indicators.
You need to specify a full URL for the file that contains the indicators.

I could have sworn bunch of those links worked for me in R81.20, but none work on R82 :(. I tried json, php extensions, also csv file, but for some of them, though it gives certificate warning, I accept, but simply loops back constantly, never accepts anything.

Thoughts @PhoneBoy ?

Yes that is what i understand but would it not be a great idea to have url listed here for everybody so everyone can enjoy this 

I even tried from cli with ioc_feeds add command, no dice. I wont give up, but getting little frustrated lol

@Jean-Francois_G 

Also tried all 4 below, but no luck:

Known Feed Examples (using the Custom CSV format)

Its super odd, I added all 4 from expert mode based on example below, but still does not show in smart console.

[Expert@CP-GW:0]# ioc_feeds show
Feed Name: reputation
Feed is Active
File will be fetched via HTTP
Resource: http://reputation.alienvault.com/reputation.data
Action: Prevent
Feed is cli managed

Feed Name: domains
Feed is Active
File will be fetched via HTTPS
Resource: https://www.botvrij.eu/data/ioclist.hostname.raw
Action: Prevent
Feed is cli managed

Feed Name: spam_list
Feed is Active
File will be fetched via HTTPS
Resource: https://www.ipspamlist.com/public_feeds.csv
Action: Prevent
Feed is cli managed

Feed Name: hash_list
Feed is Active
File will be fetched via HTTP
Resource: http://cybercrime-tracker.net/ccamlist.php
Action: Prevent
Feed is cli managed

Total number of feeds: 4
Active feeds: 4
[Expert@CP-GW:0]#

Hey guys when you add IOC Feeds can you see drop log in smart console.  On my side i can't see any log drop.  The only way to check if there is drop for an IP is to run a fw ctl zdebug + drop on the gateway.  Ive open a ticket with Checkpoint but was wondering what you experience on your side 

Let me check in my lab, but Im sure you should see them.

I just confirmed and yes, you would see them. You can search in the logs by blade and then just select av or anti-bot, as one of those is needed for IOCs.

Well on my side i don't see anything

This is some logs before im adding my cell phone network range to a IOC File 

If i enable IOC i can see drop in CLI

[Expert@infFire-s01-01:0]# fw ctl zdebug + drop | grep 142.169.77.xx
@;559129671.427042;[kern];[tid_1];[SIM4];DROP: dos_deny_list_check_ip: TP IOC deny list is blocking 142.169.77.xx;
@;559129675.427043;[kern];[tid_1];[SIM4];pkt_handle_stateless_checks: dropping due to dos_pkt_should_drop(), conn: <142.169.77.xx,38064,66.187.xx.xx,0,1>;
@;559129675.427044;[kern];[tid_1];[SIM4];do_packet_finish: SIMPKT_IN_DROP vsid=0, conn:<142.169.77.xx,38064,66.187.xx.xx,0,1>;

But nothing in Smartconsole 

What if you search logs by blade?

I don't see anything either.  Ive tried blade:Anti-Bot  and blade:Anti-Virus

Anything here?

If it's an IOC feed, I believe they should show under blade:IPS and the feed will be listed as the Protection Name.

That sounds right.

I just tried that as well and no logs

I would definitely check with TAC.

Yes im waiting for their feedback thanks for your help everyone

Let us know how it goes.

For your information the problem was with the Threat Prevention custom Policy.  Since im using MTA i had one rule create automaticly but it was only for SMTP traffic.  I had to create a new rule below the SMTP rule to log everything else.  Thanks for your help 

Great! Mind sharing screenshot for the reference?

Ive update my last post 

K, sounds good, thank you!