This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
oktaycebeci
Participant
‎2023-06-14 12:31 AM
Jump to solution

IOC Feeds does not work properly

Hello everyone.

 

One of our customer asked for adding IOC feed on R81 version (firewall's Anti-bot, Anti-virus and IPS blades are enabled). First, we tried to import the file Indicators. However, we failed because of file size which is approximately 10 MB. Then, we tried to  separate files, which file sizes are lower than 4 MB, and add them via "ioc_feeds add ..." command. The first ioc feed added successfully. Showed us no error but when we tried to add the second one, feed showed us "Signatures load failed" and "Status: General Error" (images are from our test environment).

 

Screenshot_1.png

 

On the smart console, firewall status shows us an error that "Anti-Bot: Failed to prepare reputation DB".

 

Screenshot_2.png

 

Any advise about this problem?

 

Best regards

Labels
0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2023-06-14 11:47 AM
In response to oktaycebeci
Jump to solution

Upgrade to R81.20, which has substantially upgraded infrastructure to support large numbers of indicators.

In R81.10 and earlier, the Pattern Matcher is used, which is also used by other features (IPS, App Control, etc).
The PM itself has a character limit, which you are surely exceeding with more than 215000 entries. 

View solution in original post

4 Replies
Ruan_Kotze
Advisor
‎2023-06-14 06:28 AM
Jump to solution

How many entries in your file?  I'm guessing you're running into the limit for R81, having said that, I have not seen a hard limit published anywhere.

For what it's worth, R81.20 does bring support for "a significantly increased capacity in the number of observables for URLs, Domains, IP addresses, and Hashes - 2 million and up to hardware limit"

Regards,
Ruan

 

oktaycebeci
Participant
‎2023-06-14 06:36 AM
In response to Ruan_Kotze
Jump to solution

Hello Ruan,

In total, all of our three .csv files have 215000 entries for now and the entry number increases everyday (for example 5-10 new malicious links everyday).

Best Regards

Oktay

0 Kudos
PhoneBoy
Admin
Admin
‎2023-06-14 11:47 AM
In response to oktaycebeci
Jump to solution

Upgrade to R81.20, which has substantially upgraded infrastructure to support large numbers of indicators.

In R81.10 and earlier, the Pattern Matcher is used, which is also used by other features (IPS, App Control, etc).
The PM itself has a character limit, which you are surely exceeding with more than 215000 entries. 

oktaycebeci
Participant
‎2023-06-14 11:59 PM
In response to PhoneBoy
Jump to solution

Hello PhoneBoy and Ruan_Kotze,

 

Thank you for all informations you have shared.

 

Best Regards

 

Oktay

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events