On a regular basis we get emailed a list of threat indicators from the FBI and other cyber organizations. So when there are IPs or DNS names to block, we manually add them to our firewall rules.
I "thought" I saw somewhere there is a way to have automatic feeds of these and have the firewall updated automatically. Do I recall correctly? If so, is there any documentation on how to get this set up?
I have read this:
Configuring Threat Indicators (checkpoint.com)
But that is a manual process. I am looking for as automatic a process as possible.
Thanks for any suggestions/pointers.
Dennis
That's one way to do it, ioc_feeds is another.
See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
Do you know if there's any advantage or disadvantage from either using the .txt feeds (Provider has a domain.txt and IP.txt) or the STIX feeds?
Either choice seems like it can be automated with that ioc_feeds, but I just wanted to double check since I have no experience in this.
Thanks!
Not as far as I remember.
Check Point's own InfinitySoC allows you to manage your own threat feed. IOC management is still in Early Access, but our testing has gone very well.
Check Point NDR Smart Intel is a Generally Available solution that automates indicator input feed ingestion and distribution to Check Point and 3rd party gateways. It is also the basis for Infinity Vision SOC's IOC Management facility.
Customers who purchase Infinity SOC are automatically entitled to use NDR applications.
Check out https://community.checkpoint.com/t5/CloudGuard-NDR/NDR-Smart-Intel-User-Guide/m-p/131434 for details.
Did you get this set up, Dennis? I plan to do the same with a feed from MS-ISAC. Curious to see whether STIX or the TXT files would be best ingested into CP. Thanks!
I did not get it set up. Didn't see a way to automatically have it done....even with the MS-ISAC ones. 😞
We are running R80.40 and I have recently set up ioc_feeds with the MS-ISAC TAXII/STIX feeds. My lack of familiarity with STIX/TAXII/ioc_feeds probably quadrupled the time spent, but the short story is I had to use python/cabby (https://github.com/eclecticiq/cabby) and script a process to pull the feeds and parse out domain/URL/IP data into a CSV file for ioc_feeds to pull in. What I discovered was that Check Point will ingest a single STIX package in txt format, but will not ingest a feed/file that consists of multiple STIX packages rolled up into a single document, which is what I ended up with. I probably could have tinkered with the XML tags to see if I could get the CP to ingest it, but not knowing what the CP was looking for, I decided to stick with what I could easily decipher in the docs (CSV). We comment each IOC with the associated feed so we can see it in the logs. This is not elegant, but it is functional. If there's a better way I'd be all ears....
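The conversion step described in the post above, as an added example rather than the poster's own script: it parses STIX 1.x observables (IP, domain, URL) out of a document that may contain several packages rolled together, de-duplicates them, and writes the CSV that ioc_feeds pulls, tagging each row's COMMENT with the feed name so the source shows in the Threat Prevention logs. The CSV column layout and the TYPE/PRODUCT names are assumptions taken from Check Point's custom feed format and should be checked against your release's documentation; the STIX sample is constructed, and the network pull (cabby) is left out so this runs offline.

```python
import csv
import io
import re
import xml.etree.ElementTree as ET

# CybOX 2.x value elements -> TYPE names used in the Check Point feed CSV (assumed).
VALUE_TAGS = {
    "{http://cybox.mitre.org/objects#AddressObject-2}Address_Value": "IP",
    "{http://cybox.mitre.org/objects#DomainNameObject-1}Value": "Domain",
    "{http://cybox.mitre.org/objects#URIObject-2}Value": "URL",
}
# Assumed ioc_feeds column layout; verify against your release's documentation.
CSV_HEADER = ["#UNIQ-NAME", "VALUE", "TYPE", "CONFIDENCE", "SEVERITY", "PRODUCT", "COMMENT"]

def extract_indicators(stix_doc):
    """Ordered, de-duplicated (type, value) pairs from one STIX 1.x package,
    or from several packages rolled into one document (multiple roots)."""
    body = re.sub(r"<\?xml[^>]*\?>", "", stix_doc)   # drop per-package declarations
    root = ET.fromstring("<feed>" + body + "</feed>")  # single synthetic root
    seen, found = set(), []
    for elem in root.iter():
        ioc_type = VALUE_TAGS.get(elem.tag)
        if ioc_type and elem.text and elem.text.strip():
            pair = (ioc_type, elem.text.strip())
            if pair not in seen:
                seen.add(pair)
                found.append(pair)
    return found

def to_ioc_csv(stix_doc, feed_name):
    """CSV text for ioc_feeds; COMMENT carries the feed name so it appears in TP logs."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(CSV_HEADER)
    for i, (ioc_type, value) in enumerate(extract_indicators(stix_doc), 1):
        writer.writerow([f"{feed_name}-{i}", value, ioc_type, "high", "high", "AV", feed_name])
    return out.getvalue()

# Constructed sample: two minimal STIX 1.x packages concatenated, as a TAXII poll may return.
SAMPLE = """<?xml version="1.0"?>
<stix:STIX_Package xmlns:stix="http://stix.mitre.org/stix-1" xmlns:cybox="http://cybox.mitre.org/cybox-2"
  xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2" xmlns:DomainNameObj="http://cybox.mitre.org/objects#DomainNameObject-1">
<cybox:Observable><cybox:Object><cybox:Properties><AddressObj:Address_Value>198.51.100.7</AddressObj:Address_Value></cybox:Properties></cybox:Object></cybox:Observable>
<cybox:Observable><cybox:Object><cybox:Properties><DomainNameObj:Value>bad.example</DomainNameObj:Value></cybox:Properties></cybox:Object></cybox:Observable>
</stix:STIX_Package>
<?xml version="1.0"?>
<stix:STIX_Package xmlns:stix="http://stix.mitre.org/stix-1" xmlns:cybox="http://cybox.mitre.org/cybox-2" xmlns:URIObj="http://cybox.mitre.org/objects#URIObject-2">
<cybox:Observable><cybox:Object><cybox:Properties><URIObj:Value>http://bad.example/p</URIObj:Value></cybox:Properties></cybox:Object></cybox:Observable>
</stix:STIX_Package>
"""
```

Write the output of `to_ioc_csv(SAMPLE, "ms-isac")` to the file your ioc_feeds entry points at; matching on element tags rather than xsi:type keeps the parser independent of whatever namespace prefixes the provider uses.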
From what I know IOC Feeds are only blocking outgoing connections and not incoming ones. Which is sometimes not what you want...
In R81 it also blocks outgoing connections.
Even in pre-R81, while the outgoing connection is not blocked, the reply traffic from those IPs will be blocked.
When using feeds, are the blocks shown in the logs? Additionally if we are asked to blacklist an IP, how can we easily confirm this is already taken care of?
Are there any performance overheads?
Yes, because the feeds are added in AV/AB blades so you see them in TP logs. I didn't see any specific overheads by using the feature.
Nice. When I was talking about overhead, I assume the gateway itself pulls the feed, therefore connectivity would go via the slow path. Interestingly, if this were a VSX setup, is the tool aware of VSs, similar to log_exporter?
The feed is being pulled with “slow path” Infrastructure but the enforcement itself is running with fastpath.
The IOC feeds infrastructure isn't aware of the VSX gateways and treats each one as a separate gateway.
Sorry, I'm just getting into the STIX space. I was emailed one from the FBI, but it was in STIX 2.0 format. I manually imported it into Threat Tools->Indicators, but got a bunch of warnings. I then did a quick Google search, which showed Check Point keeps saying that they only support 1.0. Is Check Point ever going to upgrade to the current standard (which is actually 2.1)?
An RFE with the local Check Point office is recommended here.
Horizon NDR Intel now supports STIX/TAXII v2.* for both automated input feeds and Load from file.