External IOC lists not blocking
Hello All,
We are running R81 on SmartConsole and R80.40 on the CP 5800 gateways; we need to ensure IPs with bad reputation are blocked, etc.
I have loaded several IOCs into SmartConsole and even on one of the gateways, and they are loading and updating.
BUT when I ping or try to SSH to one of the IPs in the list, Check Point is not blocking it at all. I've pushed the policy to the gateways. Is there something you have to do?
Checked the log files for errors and there are none; as below
[26638 4114805 Sep 11:13:55] Feed status domains :: IOC_SUCCESS
[26638 4114805 Sep 11:13:55] #############################################
[27821 4114515 Sep 11:19:15] #############################################
[27821 4114515 Sep 11:19:15] Feed status reputation :: IOC_SUCCESS
[27821 4114515 Sep 11:19:15] #############################################
[27821 4114515 Sep 11:19:15] #############################################
I believe you need R81 gateway code to stop inbound connections.
It's outbound I want to stop.
If you do a log search for "ioc" does the event description say "External IOC - Fetch succeeded"?
If it fails you'll see something like this:
I've had many instances where the feed downloads correctly, but then the gateway can't parse it - the above query should tell you if that is indeed the issue here.
Let's ask the obvious question: is the Anti-Virus and/or Anti-Bot blade enabled on the gateway?
Also, just a note: prior to R81 (gateways), IOC feeds are only enforced for the destination IP.
That means for connections that originate from the outside from one of these IPs, it will only be enforced on the reply packet (where the destination is the indicator IP).
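A small triage script for the three things raised in this thread (does the feed status log really show success, does the feed itself parse, and on which packet a pre-R81 gateway would match the indicator), as an added example that is not part of the thread and not Check Point code. The function names, the one-IP-or-CIDR-per-line feed layout, and the sample log and feed contents are all my own assumptions, modelled on what was pasted in the question; they are not Check Point's feed schema or log format.

```python
"""Added triage helpers for the 'feeds load but nothing is blocked' situation.
Not from the CheckMates thread or Check Point: names, feed layout and samples are assumed."""
import ipaddress
import re

# Status lines shaped like the ones pasted in the question:
# "[pid tid Mon HH:MM:SS] Feed status <feed> :: <STATUS>"
FEED_STATUS_RE = re.compile(r"\]\s*Feed status\s+(?P<feed>\S+)\s*::\s*(?P<status>\S+)")

# Constructed sample, copied in shape from the question's log excerpt.
SAMPLE_LOG = """\
[26638 4114805 Sep 11:13:55] Feed status domains :: IOC_SUCCESS
[26638 4114805 Sep 11:13:55] #############################################
[27821 4114515 Sep 11:19:15] Feed status reputation :: IOC_SUCCESS
[27821 4114515 Sep 11:19:15] #############################################
"""

# Constructed feed (assumed layout: one IP or CIDR per line, '#' comments).
# Lines 5 and 6 are deliberately broken to show what a parse failure looks like.
SAMPLE_FEED = """\
# constructed feed, not a real reputation list
203.0.113.7
198.51.100.0/24
2001:db8::/32
300.1.1.1
10.0.0.5 ; trailing comment
"""


def parse_feed_status(lines):
    """Return {feed_name: status} from 'Feed status' lines; separator lines are skipped."""
    result = {}
    for line in lines:
        m = FEED_STATUS_RE.search(line)
        if m:
            result[m.group("feed")] = m.group("status")
    return result


def check_ip_feed(text):
    """Validate a plain IP/CIDR feed before publishing it.
    Returns (networks, errors); errors are (line_number, entry, reason) tuples,
    so an entry the gateway could not parse is caught before the download."""
    networks, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.strip()
        if not entry or entry.startswith("#"):
            continue
        try:
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError as exc:
            errors.append((lineno, entry, str(exc)))
    return networks, errors


def _version_tuple(gateway_version):
    """'R80.40' -> (80, 40); 'R81' -> (81, 0)."""
    parts = [int(p) for p in gateway_version.lstrip("Rr").split(".")]
    return tuple(parts + [0] * (2 - len(parts)))


def enforced_packet(gateway_version, src, dst, networks):
    """Which packet of a connection an IP indicator is matched on.
    Encodes the rule stated in the reply above: before R81, IOC feeds are enforced
    on the destination IP only, so a connection *from* an indicator IP is caught
    only on the reply packet. Returns 'original', 'reply' or None."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    dst_hit = any(dst_ip in n for n in networks)
    src_hit = any(src_ip in n for n in networks)
    if dst_hit:
        return "original"  # outbound to an indicator: matched on the first packet on any release
    if src_hit:
        return "original" if _version_tuple(gateway_version) >= (81, 0) else "reply"
    return None


if __name__ == "__main__":
    print("feed status:", parse_feed_status(SAMPLE_LOG.splitlines()))
    nets, errs = check_ip_feed(SAMPLE_FEED)
    print(f"{len(nets)} valid entries, {len(errs)} bad lines: {errs}")
    for ver, s, d in [("R80.40", "192.0.2.10", "203.0.113.7"),
                      ("R80.40", "203.0.113.7", "192.0.2.10"),
                      ("R81", "203.0.113.7", "192.0.2.10")]:
        print(ver, s, "->", d, "enforced on:", enforced_packet(ver, s, d, nets))
```

The feed check is the part worth running first: a feed that downloads fine but contains a line the gateway cannot parse produces exactly the "fetch succeeded, nothing blocked" symptom described above, and the validator reports the offending line number rather than leaving you to compare two success messages.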
