This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
rsingh-a2n
Participant
‎2023-07-11 03:05 PM
Jump to solution

Custom Intelligence Feed Entry/Size Limit

Hi all,

 

Does anyone know what the limit is for Custom Threat Feed entries? Just curious as I have been playing around with IP & MD5 feeds. Is it by file size or number of entries?

 

Thanks

Rahul

2 Solutions

Accepted Solutions
the_rock
Legend
Legend
‎2023-07-11 04:30 PM
Jump to solution

Hey bud,

Below link will help. Appears its 1024 per observable and 2 million observable limit.

https://community.checkpoint.com/t5/Security-Gateways/What-is-the-maximum-IOC-feed-range/m-p/174070#...

Andy

View solution in original post

0 Kudos
PhoneBoy
Admin
Admin
‎2023-07-11 11:21 PM
In response to the_rock
Jump to solution

Not quite accurate 😉
Prior to R81.20, we cannot provide an exact limit since it depends on the IOCs and other blades in use.
However, it is significantly lower than the 2 million IOCs we tested in R81.20, which had new infrastructure created to support a large number of IoCs. (Actual limit depends on available memory)

View solution in original post

0 Kudos
7 Replies
the_rock
Legend
Legend
‎2023-07-11 04:30 PM
Jump to solution

Hey bud,

Below link will help. Appears its 1024 per observable and 2 million observable limit.

https://community.checkpoint.com/t5/Security-Gateways/What-is-the-maximum-IOC-feed-range/m-p/174070#...

Andy

0 Kudos
rsingh-a2n
Participant
‎2023-07-11 04:34 PM
In response to the_rock
Jump to solution

Perfect thanks Andy!!

0 Kudos
the_rock
Legend
Legend
‎2023-07-11 04:39 PM
In response to rsingh-a2n
Jump to solution

It goes without saying...FYFOC ; - )

0 Kudos
PhoneBoy
Admin
Admin
‎2023-07-11 11:21 PM
In response to the_rock
Jump to solution

Not quite accurate 😉
Prior to R81.20, we cannot provide an exact limit since it depends on the IOCs and other blades in use.
However, it is significantly lower than the 2 million IOCs we tested in R81.20, which had new infrastructure created to support a large number of IoCs. (Actual limit depends on available memory)

0 Kudos
the_rock
Legend
Legend
‎2023-07-12 03:26 AM
In response to PhoneBoy
Jump to solution

Fair enough :). I just quoted numbers from that post.

Andy

0 Kudos
rsingh-a2n
Participant
‎2023-07-12 05:22 AM
In response to PhoneBoy
Jump to solution

Thanks Phoneboy,

If this is memory dependent I assume you'd have to be at a high memory usage to start running into issues, just out of curiousity do we know if any sort of log is generated for failed feed updates? 

 

Edit: Looks like the notes for Custom Threat Intelligence show:

  • From 81.20 - To prevent system overload feed won't be loaded if it exceeds 80% of total free disk space or 50% of free RAM.

 

Thanks,

Rahul

0 Kudos
the_rock
Legend
Legend
‎2023-07-12 05:31 AM
In response to PhoneBoy
Jump to solution

Appears as per below:

https://support.checkpoint.com/results/sk/sk132193

 

Known Limitations

  • Observables of IP addresses and IP Ranges can hold IPv4 values only. In R81 and higher versions IPV6 is supported as well.

  • MD5, SHA1, SHA256 observables cannot be enforced by Anti-Bot Blade. If user does not enable Anti-Virus blade, there will be no enforcement.

  • For R80.20SP, a Jumbo Hotfix Accumulator installation is required.

  • Inbound traffic to a host behind the gateway does not get blocked, e.g: IP that is on the feed, sends ICMP Request to a host behind the gateway. This traffic does not get blocked.

    In R81 and higher versions, this traffic is blocked.

  • Not supported on version R81 SP
  • Large feeds can take a lot of time to load on ext3 filesystem.
  • From 81.20 - To prevent system overload feed won't be loaded if it exceeds 80% of total free disk space or 50% of free RAM.
  • Before 81.20, there is limit of number of observables.
  • ioc_feeds export is working only on R80.30/R80.40
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events