IOC feed detect not effective
Hello,
I'm deploying a remote IOC feed.
The feed is successfully retrieved and parsed by the firewall:
# ioc_feeds show
Feed Name: shk-ioc-ctl
Feed is Active
File will be fetched via HTTPS
Resource: https://###REDACTED_FQDN###/ioc.csv
Action: Prevent
Proxy:
User Name:
Feed is centrally managed
# cat /opt/CPsuite-R81.10/fw1/external_ioc/shk-ioc-ctl/shk-ioc-ctl_https_custom.csv | grep ###REDACTED_IP###
observ9,###REDACTED_IP###,ip,,,,
However, while testing traffic from and to this specific ###REDACTED_IP###, I get no Prevent logs.
I would like to know how I can troubleshoot/debug the filtering part of this feature?
Thanks,
Edit: Fixed "Action: Detect -> Prevent" in log message
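Before debugging the blade itself, it is worth ruling out the feed file: a line the gateway fetched may still be unusable (wrong field count, duplicate name, a value that is not a valid address for its type), and a single-IP indicator will of course not match a neighbouring address that an ip-range entry would have covered. The checker below is an added example, not the poster's code and not a Check Point tool. It assumes the seven-column layout visible in the post's line `observ9,###REDACTED_IP###,ip,,,,` and reads the columns as name, value, type, confidence, severity, product, comment (column names and the `start-end` range syntax are assumptions); the sample feed is constructed from RFC 5737 test addresses.

```python
import csv
import io
import ipaddress

# Column layout assumed for the custom CSV IOC feed: the poster's line
# "observ9,<ip>,ip,,,," has seven comma-separated fields, read here as
# name, value, type, confidence, severity, product, comment (names assumed).
FIELDS = ["name", "value", "type", "confidence", "severity", "product", "comment"]
# Indicator types this checker understands; anything else is flagged.
KNOWN_TYPES = {"ip", "ip-range", "domain", "url", "md5", "sha1", "sha256"}

# Constructed sample, not the poster's feed. Deliberately includes a bad IP,
# a duplicate name and a short line so the checker has something to report.
SAMPLE_FEED = """\
# constructed sample, RFC 5737 test addresses
observ9,192.0.2.10,ip,,,,
observ10,198.51.100.0-198.51.100.255,ip-range,high,high,,constructed range
observ11,bad.example,domain,,,,
observ12,not-an-ip,ip,,,,
observ9,203.0.113.5,ip,,,,
observ13,203.0.113.9,ip,,,
"""


def _parse_range(value):
    """'start-end' range (syntax assumed) -> (start, end) addresses, or None."""
    try:
        start, end = (ipaddress.ip_address(p.strip()) for p in value.split("-", 1))
    except ValueError:  # not two parts, or a part is not an address
        return None
    if start.version != end.version or start > end:
        return None
    return start, end


def parse_feed(text):
    """Return (entries, problems); problems are (line number, message) tuples.
    Lines whose first field starts with '#' are treated as comments."""
    entries, problems, seen = [], [], set()
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row or row[0].lstrip().startswith("#"):
            continue
        if len(row) != len(FIELDS):
            problems.append((lineno, f"expected {len(FIELDS)} fields, got {len(row)}"))
            continue
        entry = dict(zip(FIELDS, (f.strip() for f in row)))
        if entry["name"] in seen:
            problems.append((lineno, f"duplicate name {entry['name']!r}"))
        seen.add(entry["name"])
        if entry["type"] not in KNOWN_TYPES:
            problems.append((lineno, f"unknown type {entry['type']!r}"))
        elif entry["type"] == "ip":
            try:
                ipaddress.ip_address(entry["value"])
            except ValueError:
                problems.append((lineno, f"invalid ip {entry['value']!r}"))
        elif entry["type"] == "ip-range" and _parse_range(entry["value"]) is None:
            problems.append((lineno, f"invalid ip-range {entry['value']!r}"))
        entries.append(entry)
    return entries, problems


def matching_names(entries, ip):
    """Names of the ip / ip-range entries that cover the given address."""
    addr = ipaddress.ip_address(ip)
    hits = []
    for e in entries:
        if e["type"] == "ip":
            try:
                if ipaddress.ip_address(e["value"]) == addr:
                    hits.append(e["name"])
            except ValueError:
                pass  # already reported by parse_feed
        elif e["type"] == "ip-range":
            rng = _parse_range(e["value"])
            if rng and rng[0].version == addr.version and rng[0] <= addr <= rng[1]:
                hits.append(e["name"])
    return hits


if __name__ == "__main__":
    # Run against the fetched copy on the gateway with:
    #   python3 ioc_check.py < /opt/CPsuite-R81.10/fw1/external_ioc/<feed>/<file>.csv
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_FEED
    entries, problems = parse_feed(text)
    for lineno, msg in problems:
        print(f"line {lineno}: {msg}")
    print(f"{len(entries)} usable entries")
    for test_ip in ("192.0.2.10", "198.51.100.77", "203.0.113.9"):
        print(test_ip, "->", matching_names(entries, test_ip) or "no match")
```

If the checker reports no problems and the address you are testing with does match an entry, the feed file is not the cause and the investigation moves to the blade (policy installed on the gateway, the Anti-Bot debug the later replies mention).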
The Action of the feed status shows "detect" not prevent?
Sorry, it's a copy-paste from a previous test where the feed was first configured in "detect".
The issue is seen in the "prevent" state too, as nothing is logged and attacker traffic is allowed.
If the gateway is pre-R81, only outbound traffic to those IPs is blocked.
See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
You might try debugging Anti-Bot otherwise: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
Gateways are all R81.10 HFA66.
Will look into debugging AntiBot.
Thanks.
