Re: IOC feed detect not effective

fdhfdshs5454 · ‎2022-08-24

Hello,

I'm deploying a remote IOC feed.

The feed is successfuly retrieved and parsed by the firewall:

# ioc_feeds show
Feed Name: shk-ioc-ctl
Feed is Active
File will be fetched via HTTPS
Resource: https://###REDACTED_FQDN###/ioc.csv
Action: Prevent
Proxy:
User Name:
Feed is centrally managed
# cat /opt/CPsuite-R81.10/fw1/external_ioc/shk-ioc-ctl/shk-ioc-ctl_https_custom.csv | grep ###REDACTED_IP###
observ9,###REDACTED_IP###,ip,,,,

However, while testing trafic from and to this specific ###REDACTED_IP###, I get no prevent logs.

I would like to know how can I troubleshoot/debug the filtering part of this feature?

Thanks,

Edit: Fixed "Action: Detect -> Prevent" in log message

Chris_Atkinson · ‎2022-08-24

The Action of the feed status shows "detect" not prevent?

CCSM R77/R80/ELITE

fdhfdshs5454 · ‎2022-08-25

Sorry, it's a copy-paste from a previous test where the feed was first configured in "detect".

Issue is seen in "prevent" state too as nothing is logged and attacker trafic is allowed.

PhoneBoy · ‎2022-08-24

If the gateway is pre-R81 only outbound traffic to those IPs are blocked.
See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

You might try debugging Anti-Bot otherwise: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...,

fdhfdshs5454 · ‎2022-08-25

Gateways are all R81.10 HFA66.

Will look into debugging AntiBot.

Thanks.

Are you a member of CheckMates?

IOC feed detect not effective