paolozzipointer
Explorer

External IOC lists not blocking

Hello All

We are running R81 on SmartConsole and R80.40 on the CP 5800 gateways; we need to ensure IPs with a bad reputation are blocked, etc.

I have loaded several IOCs into SmartConsole and even on one of the gateways, and they are loading and updating.

BUT when I ping or try to SSH to one of the IPs in the list, Check Point is not blocking it at all. I've pushed the policy to the gateways. Is there something you have to do?

Checked the log files for errors and there are none, as below:

[26638 4114805 Sep 11:13:55] Feed status domains :: IOC_SUCCESS
[26638 4114805 Sep 11:13:55] #############################################
[27821 411456Sep 11:19:15] #############################################
[27821 41145Sep 11:19:15] Feed status reputation :: IOC_SUCCESS
[27821 4114515 Sep 11:19:15] #############################################
[27821 4114515 Sep 11:19:15] #############################################

0 Kudos
4 Replies
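A small parser for the feed-status lines quoted above, added here as an example and not taken from the post or from Check Point. It assumes the line shape shown in the post (a bracketed prefix, then "Feed status <name> :: <STATUS>"), keeps the last status reported for each feed, and flags any feed whose last status is not IOC_SUCCESS or which never reports at all. The sample log is constructed; the non-success status token in it is a placeholder, not a real product value.

```python
import re
from collections import OrderedDict

# Constructed sample in the shape of the gateway's IOC feed log lines quoted in
# the post. The last line uses an assumed placeholder status, not a product value.
SAMPLE_LOG = """\
[26638 4114805 Sep 11:13:55] Feed status domains :: IOC_SUCCESS
[26638 4114805 Sep 11:13:55] #############################################
[27821 4114515 Sep 11:19:15] #############################################
[27821 4114515 Sep 11:19:15] Feed status reputation :: IOC_SUCCESS
[27821 4114515 Sep 11:19:15] #############################################
[27821 4114515 Sep 11:25:02] Feed status reputation :: IOC_FAILED_PLACEHOLDER
"""

# Bracketed prefix, literal "Feed status", feed name, "::", status token.
STATUS_RE = re.compile(
    r"^\[(?P<prefix>[^\]]*)\]\s+Feed status (?P<feed>\S+)\s+::\s+(?P<status>\S+)\s*$"
)


def parse_feed_status(text):
    """Return (prefix, feed, status) tuples for every status line, in file order.
    Separator lines made of '#' and anything else are skipped."""
    entries = []
    for line in text.splitlines():
        m = STATUS_RE.match(line)
        if m:
            entries.append((m.group("prefix"), m.group("feed"), m.group("status")))
    return entries


def latest_status_per_feed(entries):
    """Keep only the most recent status per feed (the log is chronological)."""
    latest = OrderedDict()
    for _, feed, status in entries:
        latest[feed] = status
    return latest


def feeds_needing_attention(latest, expected_feeds):
    """Feeds whose last status is not IOC_SUCCESS, plus expected feeds that never
    logged a status at all (a feed that is not fetched cannot be enforced)."""
    problems = {}
    for feed in expected_feeds:
        status = latest.get(feed)
        if status is None:
            problems[feed] = "no status line found"
        elif status != "IOC_SUCCESS":
            problems[feed] = status
    return problems


if __name__ == "__main__":
    entries = parse_feed_status(SAMPLE_LOG)
    latest = latest_status_per_feed(entries)
    for feed, status in latest.items():
        print(f"{feed}: {status}")
    # "domains" and "reputation" are the two feeds named in the post's log.
    print(feeds_needing_attention(latest, ["domains", "reputation", "hashes"]))
```

A clean IOC_SUCCESS for every feed only tells you the gateway fetched and parsed the list; it says nothing about whether the blade that enforces it is enabled, which is the first thing the replies below ask about.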
Peter_Lyndley
Collaborator

I believe you need R81 gateway code to stop inbound connections.

0 Kudos
paolozzipointer
Explorer

It's outbound I want to stop.

0 Kudos
Ruan_Kotze
Advisor

If you do a log search for "ioc" does the event description say "External IOC - Fetch succeeded"?

If it fails you'll see something like this:

Screenshot 2021-09-15 220057.png

I've had many instances where the feed downloads correctly, but then the gateway can't parse it - the above query should tell you if that is indeed the issue here.

0 Kudos
PhoneBoy
Admin

Let's ask the obvious question: is the Anti-Virus and/or Anti-Bot blade enabled on the gateway?

Also, just a note: prior to R81 (gateways), IOC feeds are only enforced for the destination IP.
That means for connections that originate from the outside from one of these IPs, it will only be enforced on the reply packet (where the destination is the indicator IP). 

0 Kudos