This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
skidsteerpilot
Participant
‎2021-11-04 06:58 AM

ioc_feeds whitelist

re: R80.40

We are ingesting ioc feeds via ioc_feeds command. We would like to have a process in place for whitelisting individual ip/url/domain in case the need arises. The logs show the feeds are being processed via anti-bot and anti-virus blades. What would be the most efficient method to accomplish this?

0 Kudos
6 Replies
PhoneBoy
Admin
Admin
‎2021-11-04 09:19 PM

IOC Feeds are done by AB/AV blades.
@TP_Master is there a way to explicitly allow something that would be blocked by an ioc_feed? 

0 Kudos
skidsteerpilot
Participant
‎2021-12-03 07:52 AM
In response to PhoneBoy

We are still looking for a solution to whitelisting individual domain/url/ip that are ingested via ioc_feeds. TAC has not been able to provide a solution.

We are currently manually removing domain/url/ip that we need access to (false positives) and repushing ioc_feeds. This has to be done on a separate feed server and then the push on the gateway. This process is not sustainable.

We have tried:
1. using the "Add Exception" link on the Prevent log associated with the lookup
2. create manual "Global" exception using "Domain" as "Destination"
3. create manual "Global" exception using "Custom Application Site" and domain regex as seen in SK165094
4. 3&4 in "Recommended Protections Exceptions"

Maybe this can not be done, but I would think anyone using ioc_feeds would have a viable solution to whitelist individual entries as users discover false positives. 

A caveat we have discovered is after an exception is put in place, there seems to be a short window of opportunity where it appears the exception is working, possible during reload, but then it fails. The 'window' seems to range in time, nothing specific. So, when working with TAC or on our own, there have been several occasions of high-fives, only later to discover the site in question is still blocked.

If anyone is working with ioc_feeds and has a whitelisting process that works, we would be interested to hear how that happens.

huseyinyildirim
Participant
‎2022-04-01 01:28 AM
In response to skidsteerpilot

Any developments with this? I am facing the same issue and have not been able to figure out how to whitelist individual url/ip?

0 Kudos
skidsteerpilot
Participant
‎2022-04-01 06:05 AM
In response to huseyinyildirim

Unfortunately not. I've ended up creating a separate text file of ip/urls to whitelist and then added a function in the script that creates the feed lists to remove any items found in that whitelist file. Thankfully, there have only been a handful that we have had to apply this to. Not elegant, but functional (so far).

0 Kudos
PhoneBoy
Admin
Admin
‎2022-04-01 06:37 AM
In response to skidsteerpilot

There is a feature in R81.20 that might work better here for this use case: Network Feed object.
This should support both IPs and URLs and can be used in the Access Policy, making it significantly more flexible.

0 Kudos
skidsteerpilot
Participant
‎2022-04-01 06:41 AM
In response to PhoneBoy

That sounds good. We're on R80.40. Upgrade planning is in progress so will look forward to this! Thank you.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events