rsingh-a2n
Participant
Custom Intelligence Feed Entry/Size Limit

Hi all,


Does anyone know what the limit is for Custom Threat Feed entries? Just curious, as I have been playing around with IP & MD5 feeds. Is it by file size or number of entries?


Thanks

Rahul

7 Replies
the_rock
Legend

Hey bud,

Below link will help. Appears it's 1024 per observable and a 2 million observable limit.

https://community.checkpoint.com/t5/Security-Gateways/What-is-the-maximum-IOC-feed-range/m-p/174070#...

Andy

rsingh-a2n
Participant

Perfect thanks Andy!!

the_rock
Legend

It goes without saying... FYFOC ;-)

PhoneBoy
Admin

Not quite accurate 😉
Prior to R81.20, we cannot provide an exact limit since it depends on the IOCs and other blades in use.
However, it is significantly lower than the 2 million IOCs we tested in R81.20, which had new infrastructure created to support a large number of IoCs. (Actual limit depends on available memory)

the_rock
Legend

Fair enough :). I just quoted numbers from that post.

Andy

rsingh-a2n
Participant

Thanks Phoneboy,

If this is memory dependent, I assume you'd have to be at high memory usage to start running into issues. Just out of curiosity, do we know if any sort of log is generated for failed feed updates?


Edit: Looks like the notes for Custom Threat Intelligence show:

  • From 81.20 - To prevent system overload feed won't be loaded if it exceeds 80% of total free disk space or 50% of free RAM.


Thanks,

Rahul

the_rock
Legend

Appears as per below:

https://support.checkpoint.com/results/sk/sk132193


Known Limitations

  • Observables of IP addresses and IP ranges can hold IPv4 values only. In R81 and higher versions, IPv6 is supported as well.
  • MD5, SHA1 and SHA256 observables cannot be enforced by the Anti-Bot blade. If the user does not enable the Anti-Virus blade, there will be no enforcement.
  • For R80.20SP, a Jumbo Hotfix Accumulator installation is required.
  • Inbound traffic to a host behind the gateway does not get blocked, e.g. an IP that is on the feed sends an ICMP Request to a host behind the gateway; this traffic does not get blocked. In R81 and higher versions, this traffic is blocked.
  • Not supported on version R81 SP.
  • Large feeds can take a lot of time to load on the ext3 filesystem.
  • From 81.20 - To prevent system overload, a feed won't be loaded if it exceeds 80% of total free disk space or 50% of free RAM.
  • Before 81.20, there is a limit on the number of observables.
  • ioc_feeds export works only on R80.30/R80.40.
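A pre-flight check for a feed file before it is loaded, as an added example (not Check Point's code or anything posted in the thread). It assumes a constructed one-observable-per-line layout and takes the free-disk and free-RAM figures as parameters, applying the caveats listed above: IPv6 observables only on R81 and higher, hash observables needing the Anti-Virus blade, and the 80% free disk / 50% free RAM guard from R81.20.

```python
import ipaddress
import re

# Constructed assumptions: one observable per line, sizes in bytes, and the
# thresholds quoted in the thread (R81.20+: refused above 80% of free disk
# or 50% of free RAM). Not the Check Point CSV feed format.
HASH_LEN = {"md5": 32, "sha1": 40, "sha256": 64}

def classify(value):
    """Return the observable kind (ipv4/ipv6/md5/sha1/sha256) or None."""
    try:
        return "ipv6" if ipaddress.ip_address(value).version == 6 else "ipv4"
    except ValueError:
        pass
    if re.fullmatch(r"[0-9a-fA-F]+", value):
        for kind, n in HASH_LEN.items():
            if len(value) == n:
                return kind
    return None

def check_feed(lines, free_disk, free_ram, version, antivirus_on):
    """Validate a feed; return (loadable, per-kind counts, warnings)."""
    # version is a (major, minor) tuple, e.g. (81, 20) for R81.20
    counts, warnings = {}, []
    size = sum(len(line.encode()) + 1 for line in lines)  # newline-terminated
    for line in lines:
        kind = classify(line.strip())
        if kind is None:
            warnings.append(f"malformed observable: {line!r}")
        else:
            counts[kind] = counts.get(kind, 0) + 1
    if counts.get("ipv6") and version < (81, 0):
        warnings.append("IPv6 observables need R81 or higher")
    if any(k in HASH_LEN for k in counts) and not antivirus_on:
        warnings.append("hash observables are not enforced without Anti-Virus")
    if version >= (81, 20):  # size guard introduced with the R81.20 feed infra
        if size > 0.8 * free_disk:
            warnings.append("refuse: feed exceeds 80% of free disk space")
        if size > 0.5 * free_ram:
            warnings.append("refuse: feed exceeds 50% of free RAM")
    loadable = not any(w.startswith(("refuse", "malformed")) for w in warnings)
    return loadable, counts, warnings

SAMPLE_FEED = [  # constructed sample values, not real indicators
    "198.51.100.7",
    "2001:db8::1",
    "d41d8cd98f00b204e9800998ecf8427e",  # MD5 of the empty string
    "not-an-indicator",
]
```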