Hello All,
I am trying to automatically block IPs from IOC feeds coming from ServiceNow-Secops. I can see that Check Point is able to fetch IOCs from Secops; however, it is not blocking those IPs.
I am using R80.30 (gateway and management are behind a proxy, and it is standalone). I checked sk103154, and it asks me to install the script "ip_block_sk103154.tar". Unfortunately, with my access I am unable to download this script.
Please let me know if there is any work-around for this issue.
Thank you, PhoneBoy, for replying.
I followed : sk132193.
Below are the steps we did for configuration:
To add the external feed: ioc_feeds add --feed_name blocklist --transport https --resource https://xxx.com --user_name admin_account
ioc_feeds show: gives a message that the feed is active
File $FWDIR/external_ioc/feed_name_folder/blocklist_https: shows the IP addresses fetched from the external feed in the format: #UNIQ-NAME,VALUE,TYPE,CONFIDENCE,SEVERITY,PRODUCT,COMMENT
While checking sk103154, it says it is a known issue with firewalls behind a proxy.
PS: The firewall is standalone and behind a proxy. FW version is R80.30 - Build 484.
Hi PhoneBoy,
I was able to run the script as per sk103154. However, the IP is still not getting blocked.
I am trying to block a private IP (as it is a lab environment). I am still able to ping and SSH to the firewall from that private IP. Any insight?
PS: There are no error logs in:
$FWDIR/log/ioc_feeder.elg
$FWDIR/log/ext_ioc_push.elg
Thanks in advance.
Small Update:
I tried blocking it from SmartConsole also, by uploading the .csv file as Indicators, and the IP is still not getting blocked.
Is there any limitation like a private IP cannot be blocked (though it is coming from the external interface)? I have created a rule on the firewall to allow SSH, ping and 443 from the same IP (which I am looking to block through the Anti-Bot blade).
Hi PhoneBoy,
Thanks for that info, because I had no idea IOC only worked for outbound traffic. Now that I have tested it, I realise you are right.
As we have IOC set up with both an IP and a domain list, is there a way to use sk103154 with domains as well? I would prefer not to have two separate systems for IP and domain; I want to block incoming and outgoing traffic to my IP list, and all outgoing traffic to my domain list. (R80.20)
Thanks
Okay, thank you.
The domain blocking function of IOC was working well for us, but now it has stopped blocking the domains and IPs, with this error in $FWDIR/log/ioc_feeder.elg:
Feed status ip_list :: engine memory allocation error
Feed status domain_list :: engine memory allocation error
Interestingly, I see the same error on two different clusters that use the same list. I cleared the list out to a single entry in each txt file and still have the same issue; however, if I run "ioc_feeds push" it works successfully and that single entry starts blocking.
Also, they should really make it clear on sk132193 that it's only outgoing traffic!
Ryan, I'm working on IOCs nowadays as well and I am experiencing the engine memory allocation error that you had in the past. Wondering if you discovered a fix for it?
I am opening a TAC case tomorrow to tackle this.
Hi, I think this should fix the memory allocation error:
fw ctl set int g_ci_av_sft_classification_buffer_size 16000
Thanks Ryan, I checked and we are already at 16000 as this looks to be the default for R80.30. Opening a TAC now.
As promised: Support figured out what the problem was.
The feed resides on an internal server with a certificate from our internal CA, which is not trusted by default. They added all the certificates in the certificate path to ca_bundle.pem. After that it started working without errors.
You can see if you have cert errors by running $FWDIR/bin/ioc_feeder -d -f and checking $FWDIR/log/ioc_feeder.elg. We had certificate errors like this: [ERROR] curl_easy_perform() failed: Peer certificate cannot be authenticated with given CA certificates.
We also tried adding the certificates via HTTPS policy to Trusted CAs but found out that the policy install does not add them to ca_bundle.pem. R&D is still investigating that.
I can go into more detail on how to add the certificates if anyone needs.
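To make the fix described above repeatable (the internal CA chain appended to ca_bundle.pem so the feeder's curl call can validate the feed server), here is an added Python example written for this page; it is not Check Point tooling. It merges a chain file into a bundle keyed on the SHA-256 fingerprint of each certificate's DER, so re-running it after a CA rotation never duplicates a certificate and never touches what is already in the bundle. The bundle path, the chain file name and the placeholder PEM blocks are assumptions; the placeholders are base64 of plain text, not real certificates, purely so the script runs offline.

```python
"""Merge an internal CA chain into a PEM bundle without duplicates.
Added example for this thread, not Check Point tooling."""
import base64
import hashlib
import re
import sys

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def pem_blocks(text):
    """Yield (sha256 fingerprint of DER, re-wrapped PEM) for every cert in text."""
    for body in PEM_RE.findall(text):
        der = base64.b64decode("".join(body.split()), validate=True)
        b64 = base64.b64encode(der).decode()
        pem = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % (
            "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64)))
        yield hashlib.sha256(der).hexdigest(), pem


def merge_bundle(bundle_text, chain_text):
    """Return (new bundle text, list of fingerprints that were appended).

    Certificates already in the bundle are kept byte-for-byte; chain certs are
    appended only when their DER fingerprint is absent, so the function is
    idempotent and safe to run after every CA rotation.
    """
    have = {fp for fp, _ in pem_blocks(bundle_text)}
    out = bundle_text
    if out and not out.endswith("\n"):
        out += "\n"
    added = []
    for fp, pem in pem_blocks(chain_text):
        if fp not in have:
            have.add(fp)
            added.append(fp)
            out += pem
    return out, added


def _placeholder_pem(label):
    """Constructed PEM-shaped block (base64 of a label); NOT a certificate."""
    b64 = base64.b64encode(label.encode()).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % b64


# Constructed inputs (assumption): a bundle that already holds one public root,
# and the chain the feed server presents (issuing CA, internal root, and the
# public root again, which must not be appended twice).
EXISTING_BUNDLE = _placeholder_pem("public-root-already-trusted")
INTERNAL_CHAIN = (_placeholder_pem("internal-issuing-ca")
                  + _placeholder_pem("internal-root-ca")
                  + _placeholder_pem("public-root-already-trusted"))

if __name__ == "__main__":
    # Usage: merge_bundle.py ca_bundle.pem chain.pem (file names are assumptions);
    # with no arguments the constructed sample above is merged in memory.
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f, open(sys.argv[2]) as g:
            bundle, chain = f.read(), g.read()
        merged, added = merge_bundle(bundle, chain)
        with open(sys.argv[1], "w") as f:
            f.write(merged)
    else:
        merged, added = merge_bundle(EXISTING_BUNDLE, INTERNAL_CHAIN)
    print("appended %d certificate(s): %s" % (len(added), ", ".join(added)))
```

On a real gateway, collect the chain with `openssl s_client -showcerts -connect <feed-host>:443 </dev/null` (assumption: openssl is available in expert mode), confirm the result with `openssl verify -CAfile ca_bundle.pem server.pem` or `curl --cacert ca_bundle.pem https://<feed-url>`, then re-run `$FWDIR/bin/ioc_feeder -d -f` and watch $FWDIR/log/ioc_feeder.elg as the post describes. Back the bundle up first. Prefer this over switching validation off (EXT_IOC_NO_SSL_VALIDATION, which comes up later in the thread): with the check disabled, anyone who can intercept the fetch can hand the gateway their own indicator list.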
I would expect that the process of adding the server public keys to the bundle would be automatic. Maybe in future versions 🙂
Same thing happened in my lab:
[17736 4126325536]@cpfw[12 Apr 12:09:48] #############################################
[17736 4126325536]@cpfw[12 Apr 12:09:48] Feed status blacklist-ssl :: engine memory allocation error
[17736 4126325536]@cpfw[12 Apr 12:09:48] #############################################
[17736 4126325536]@cpfw[12 Apr 12:09:48] Feed log External IOC - External Indicators processing failed
blacklist-ssl: Failed to fetch feed. Resource: https://x.x.x.x/black_list/ip.txt, Reason: Peer certificate cannot be authenticated with given CA certificates
But http works well.
Dear all,
For those who are using the Custom Intelligence Feeds function with a self-signed HTTPS server, you should use the following command:
export EXT_IOC_NO_SSL_VALIDATION=1
Then start your HTTPS IOC feeds. I just fixed this problem, according to sk132193:
Feed's resource can be:
Hello Borut, I know it's been a while since this post, but I'd really appreciate it if you could share with me the process for adding the certificates. Thanks!
It's pretty simple if you can do a bit of scripting with the fw samp or fwaccel dos command.
Hey,
Are you sure it will not block incoming traffic from these IPs?
The SK doesn't mention anything about the direction of the traffic.
Regards,
Adiel
I'm afraid so; you may refer to sk103154 on how to block incoming traffic from malicious IP addresses.
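The feed file format quoted earlier in the thread (#UNIQ-NAME,VALUE,TYPE,CONFIDENCE,SEVERITY,PRODUCT,COMMENT) and the pointer just above to sk103154 for inbound blocking come down to the same two steps: validate what the feed actually delivers, then turn the IP indicators into something the gateway enforces in both directions rather than only on outbound connections. The following Python script is an added example written for this page; it is not Check Point's code and not the sk103154 script. The allowed TYPE, CONFIDENCE, SEVERITY and PRODUCT values, the treatment of COMMENT as optional, the sample indicators (documentation address ranges, constructed) and the `fw sam -v -t <seconds> -I src|subsrc` command shape are my assumptions and should be checked against sk132193 and the fw sam reference on your gateway before anything is executed.

```python
"""Validate a Custom Intelligence Feed file and turn its IP indicators into
inbound block commands. Added example for this thread, not Check Point code."""
import csv
import ipaddress
import re

# Field order is the feed header shown in the thread; the value sets below are
# my reading of sk132193 and must be checked against the SK (assumption).
HEADER = ["UNIQ-NAME", "VALUE", "TYPE", "CONFIDENCE", "SEVERITY", "PRODUCT", "COMMENT"]
IOC_TYPES = {"Domain", "IP", "IP Range", "URL", "MD5", "SHA1", "SHA256",
             "Mail-subject", "Mail-from", "Mail-to", "Mail-cc", "Mail-reply-to"}
CONFIDENCE = {"low", "medium", "high"}
SEVERITY = {"low", "medium", "high", "critical"}
PRODUCT = {"AV", "AB"}
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64}

# Constructed sample feed: 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 are
# documentation ranges, not real indicators. Two rows are deliberately bad.
SAMPLE_FEED = """#UNIQ-NAME,VALUE,TYPE,CONFIDENCE,SEVERITY,PRODUCT,COMMENT
ioc-0001,192.0.2.10,IP,high,high,AB,constructed sample
ioc-0002,198.51.100.0-198.51.100.255,IP Range,medium,high,AB,constructed sample
ioc-0003,bad.example,Domain,high,critical,AB,constructed sample
ioc-0004,not-an-ip,IP,high,high,AB,malformed value: rejected
ioc-0001,203.0.113.5,IP,low,low,AB,duplicate UNIQ-NAME: rejected
ioc-0005,203.0.113.9,IP,high,high,AB
"""


def _check_value(ioc_type, value):
    """Return None if VALUE is well-formed for TYPE, else a reason string."""
    try:
        if ioc_type == "IP":
            ipaddress.ip_address(value)
        elif ioc_type == "IP Range":
            lo, hi = (ipaddress.ip_address(p) for p in value.split("-", 1))
            if lo > hi:
                return "range start after end"
        elif ioc_type == "Domain":
            if not DOMAIN_RE.match(value):
                return "not a hostname"
        elif ioc_type in HASH_LEN:
            if not re.fullmatch(r"[0-9a-f]{%d}" % HASH_LEN[ioc_type], value.lower()):
                return "bad %s length or characters" % ioc_type
    except ValueError as exc:
        return str(exc)
    return None


def parse_feed(text):
    """Parse feed text; return (accepted rows as dicts, [(line_no, reason), ...])."""
    entries, errors, seen = [], [], set()
    for line_no, row in enumerate(csv.reader(text.splitlines()), start=1):
        if not row or row[0].startswith("#"):        # blank, comment or header
            continue
        if len(row) < 6:                              # COMMENT optional (assumption)
            errors.append((line_no, "expected at least 6 fields"))
            continue
        rec = dict(zip(HEADER, [f.strip() for f in row] + [""]))
        if rec["UNIQ-NAME"] in seen:
            problem = "duplicate UNIQ-NAME %s" % rec["UNIQ-NAME"]
        elif rec["TYPE"] not in IOC_TYPES:
            problem = "unknown TYPE %s" % rec["TYPE"]
        elif rec["CONFIDENCE"].lower() not in CONFIDENCE:
            problem = "bad CONFIDENCE %s" % rec["CONFIDENCE"]
        elif rec["SEVERITY"].lower() not in SEVERITY:
            problem = "bad SEVERITY %s" % rec["SEVERITY"]
        elif rec["PRODUCT"].upper() not in PRODUCT:
            problem = "bad PRODUCT %s" % rec["PRODUCT"]
        else:
            problem = _check_value(rec["TYPE"], rec["VALUE"])
        if problem:
            errors.append((line_no, problem))
        else:
            seen.add(rec["UNIQ-NAME"])
            entries.append(rec)
    return entries, errors


def sam_commands(entries, timeout=3600):
    """Emit one 'fw sam' inhibit command per IP / IP Range indicator.

    The command shape (fw sam -v -t <sec> -I src <ip> / subsrc <net> <mask>) is
    my reading of the fw sam CLI and must be confirmed on the gateway
    (assumption). Ranges are split into whole CIDR blocks so subsrc applies.
    """
    cmds = []
    for rec in entries:
        if rec["TYPE"] == "IP":
            cmds.append("fw sam -v -t %d -I src %s" % (timeout, rec["VALUE"]))
        elif rec["TYPE"] == "IP Range":
            lo, hi = (ipaddress.ip_address(p) for p in rec["VALUE"].split("-", 1))
            for net in ipaddress.summarize_address_range(lo, hi):
                cmds.append("fw sam -v -t %d -I subsrc %s %s"
                            % (timeout, net.network_address, net.netmask))
    return cmds


if __name__ == "__main__":
    ok, bad = parse_feed(SAMPLE_FEED)
    for line_no, reason in bad:
        print("line %d rejected: %s" % (line_no, reason))
    for cmd in sam_commands(ok):
        print(cmd)
```

Run it against the fetched file under $FWDIR/external_ioc/ (the exact folder name is whatever ioc_feeds created) rather than the upstream URL, so you validate what the gateway actually ingested; rejected rows explain silently ignored indicators, and the emitted commands cover the inbound side that the IOC feed alone does not. Domain indicators are deliberately left to the feed, since fw sam operates on addresses only.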