CheckMates forum: Products > Quantum > Threat Prevention
Blocking custom IP and domain threat feeds R81.10
Hi
We are wanting to block IPs and domains from our own threat feed and other sources automatically. I would have thought simply using the Anti-Bot blade with various IOC feeds would do the job for IP/domain reputation protections. However, it would appear that is not the case. At this stage we are not wanting to enable the AV blade as well, so I'm wondering if there is another easy way to do these blocks and automatically update them every X min without the AV blade?
I suppose we could do this somehow via the API for the creation of the objects and add those to a normal firewall rule, but I would really rather avoid having to do a manual policy push and having to work out a way to know if there were changes in the first place.
Labels: Anti-Bot, Anti-Virus, Threat Indicators
Use fwaccel dos deny -l and other such options. If possible, create a Linux script and run it with cron or cpd_sched_config.
Blason R
CCSA,CCSE,CCCS
Thanks for the suggestion. I did think about that, but it seems to only apply to IPs, not domains as well. If we end up having to do it this way, would the -N "<Name of deny list>" appear in the traffic logs to identify that the particular drops are from this feed and not other drops?
This is right; currently this is a limitation. However, what I did is build a DNS-specific solution based on DNS RPZ and maintain the domain lists there. But for IP addresses I use the fwaccel dos deny option.
Blason R
CCSA,CCSE,CCCS
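The cron-driven approach suggested above, as an added example that is not from the thread or from Check Point: it splits a one-indicator-per-line feed into the IPv4 entries a deny list can take and the domains it cannot, and keeps a fingerprint so a reload only happens when the feed changed (the OP's "know if there were changes" concern). The sample feed is constructed, and the exact fwaccel dos deny flags for loading a list are not on this page, so that hand-off is left as an assumed step in a comment.

```shell
#!/bin/sh
# Added example (not from the thread): prepare a one-indicator-per-line feed for a
# cron-driven fwaccel dos deny workflow. IPv4 entries and domains are split, because
# the deny list only takes IPs, and a fingerprint file records the last loaded set so
# the list is only reloaded when the feed actually changed. The fwaccel flags for
# loading a list are not shown on this page, so the hand-off is left as a comment.

# Constructed sample feed: blank lines and '#' comments are tolerated, junk is dropped.
SAMPLE_FEED='# constructed sample feed
198.51.100.23
203.0.113.0/24
bad.example.net

not a valid entry
192.0.2.7
evil.example.org
'

# IPv4 addresses or IPv4/CIDR prefixes only (what a deny list can act on).
feed_ips() {
    printf '%s\n' "$1" | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' | sort -u
}

# DNS names only: dotted labels with an alphabetic TLD, which excludes IPs.
# These need another mechanism (e.g. the DNS RPZ approach mentioned above).
feed_domains() {
    printf '%s\n' "$1" | grep -E '^([A-Za-z0-9-]+\.)+[A-Za-z]{2,}$' | sort -u
}

# Return 0 and update the fingerprint in $2 when the IP set differs from the last run,
# return 1 when nothing changed (so cron runs stay cheap and no policy push is needed).
feed_changed() {
    new_sum=$(feed_ips "$1" | cksum | cut -d' ' -f1)
    old_sum=$(cat "$2" 2>/dev/null || echo none)
    [ "$new_sum" = "$old_sum" ] && return 1
    printf '%s\n' "$new_sum" > "$2"
    return 0
}

# Print the IPs to load only when the feed changed. On a gateway you would hand this
# output to fwaccel dos deny under the -N "<deny list name>" discussed above; that
# invocation is assumed here, so check the CLI reference for your release first.
sync_feed() {
    feed_changed "$1" "$2" || return 1
    feed_ips "$1"
}
```

Run it from cron after fetching the feed into a variable or file; a second run with an unchanged feed prints nothing and exits non-zero, which is the signal that no reload is needed.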
Either AV or Anti-Bot should suffice to use ioc_feed, provided the feed is in the correct format.
When you say it is not working, what is the precise behavior you expect versus what you observed?
Please provide screenshots/examples of what you configured as well as a sample of the feed(s) you’re using.
R81.20 has a feature called Network Feeds that doesn’t require AV or Anti-Bot.
It should be a little less picky in terms of the file format of the IOCs.
When doing an nslookup/dig/ping/HTTP to an IP or domain that is in the feed file, there is only a normal traffic log and nothing from the Anti-Bot blade. We expected that this would be detected/dropped when doing those tests to the sites in the feed files, and that we would only need the AB blade enabled, since under the Protections section these reputation indicators appear as the AB blade. After dealing with TAC, we have been advised that to use IP or domain reputation based custom feeds you require both the AB and AV blades, not just AB, which was not our understanding. The same test methods to sites from ThreatCloud are picked up just fine and behave how we'd expected, but we were told custom IOC feeds require both blades.
The feed files are simply domains/IPs listed one per line with no delimiters (each type in a separate file) and configured in SmartConsole > Indicators with the type specified appropriately. I see they have been fetched by the GW under $FWDIR/external_ioc/<feed name>. As a test, TAC asked us to enable the AV blade and we started getting the behavior we wanted, so that rules out the feed file format.
At this stage we are only wanting to do IP and domain reputation based drops, and we are preferring not to enable the AV blade as well, as we don't want the additional load of scanning files; we want to block based on reputation only, if possible. That's why I'm asking if there are any alternative/easy ways to accomplish this for IPs and domains; fwaccel dos deny may well work via a script somehow for IPs, but not for domains.
Please PM me the SR in question, because I'm pretty sure it's not accurate that you need both AV and AB enabled for this.
However, AV/AB only block HTTP(S) and DNS by default, so it wouldn't necessarily block a ping either.
What version/JHF are you using?
A Network Feed is definitely the way to go here if you're on R81.20.
I was very surprised to be told that as well, and I did suspect ping wouldn't be picked up, but thanks for confirming. I know it used to be for outbound traffic only but is now inbound as well; I presume that would be for any port though?
We have been running the debugs on a cluster running R81.10 Take 55, but also observe the same issue on one running Take 66.
Inbound as of R81, yes.
It's possible the HTTPS/DNS Only nature of this also changed.
Using the TOR exit node feed as an example (https://secureupdates.checkpoint.com/IP-list/TOR.txt), with both AV/Bot enabled, I can see ICMP blocked and other non-HTTP ports blocked (NTP as an example) on outbound attempts.
I'm on R81.10 Take 78 right now but swear it was same on Take 66 (100% sure on the NTP hits).
