fdhfdshs5454
Contributor

IOC feed detect not effective

Hello,

I'm deploying a remote IOC feed.

The feed is successfully retrieved and parsed by the firewall:

# ioc_feeds show
Feed Name: shk-ioc-ctl
Feed is Active
File will be fetched via HTTPS
Resource: https://###REDACTED_FQDN###/ioc.csv
Action: Prevent
Proxy:
User Name:
Feed is centrally managed
# cat /opt/CPsuite-R81.10/fw1/external_ioc/shk-ioc-ctl/shk-ioc-ctl_https_custom.csv | grep ###REDACTED_IP###
observ9,###REDACTED_IP###,ip,,,,

However, while testing traffic from and to this specific ###REDACTED_IP###, I get no prevent logs.

I would like to know how I can troubleshoot/debug the filtering part of this feature.

Thanks,


Edit: Fixed "Action: Detect -> Prevent" in log message
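Before debugging the enforcement side it is worth confirming the feed file itself is well formed and actually covers the address under test. The following is an added example, not code from the thread or from Check Point: it parses lines like the one shown above and reports which entries cover a given IP. The column layout (UNIQ-NAME, VALUE, TYPE, CONFIDENCE, SEVERITY, PRODUCT, COMMENT), the type names and the sample feed are assumptions for the example, not taken from the post.

```python
import csv
import io
import ipaddress

# Column layout and type names assumed from the custom feed CSV format (not on the page):
# UNIQ-NAME, VALUE, TYPE, CONFIDENCE, SEVERITY, PRODUCT, COMMENT
COLUMNS = 7
VALID_TYPES = {"ip", "ip-range", "domain", "url", "md5", "sha1", "sha256"}

# Constructed sample feed: a line shaped like the one in the post, an IP range,
# a short line (6 fields instead of 7) and an entry with an unknown type.
SAMPLE_FEED = """\
observ9,198.51.100.23,ip,,,,
observ10,203.0.113.0-203.0.113.255,ip-range,,,,
observ11,192.0.2.1,ip,,,
observ12,192.0.2.2,address,,,,
"""

def parse_feed(text):
    """Return (entries, errors): entries as dicts, errors as (line_no, reason)."""
    entries, errors = [], []
    for n, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row or row[0].startswith("#"):      # skip blank and header lines
            continue
        if len(row) != COLUMNS:
            errors.append((n, f"expected {COLUMNS} fields, got {len(row)}"))
            continue
        name, value, typ = row[0], row[1].strip(), row[2].strip().lower()
        if typ not in VALID_TYPES:
            errors.append((n, f"unknown type {typ!r}"))
            continue
        try:                                        # validate ip / ip-range values
            if typ == "ip":
                ipaddress.ip_address(value)
            elif typ == "ip-range":
                lo, hi = (ipaddress.ip_address(p) for p in value.split("-"))
                if lo > hi:
                    raise ValueError("range start after end")
        except (ValueError, TypeError) as e:
            errors.append((n, f"bad {typ} value {value!r}: {e}"))
            continue
        entries.append({"name": name, "value": value, "type": typ})
    return entries, errors

def covering_entries(entries, ip):
    """Names of parsed ip / ip-range entries that cover the given address."""
    addr = ipaddress.ip_address(ip)
    hits = []
    for e in entries:
        if e["type"] == "ip" and ipaddress.ip_address(e["value"]) == addr:
            hits.append(e["name"])
        elif e["type"] == "ip-range":
            lo, hi = (ipaddress.ip_address(p) for p in e["value"].split("-"))
            if lo <= addr <= hi:
                hits.append(e["name"])
    return hits
```

If the address under test is not covered by any parsed entry, or the line carrying it is reported as malformed, the missing prevent log is explained by the file rather than by the gateway.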

4 Replies
Chris_Atkinson
Employee

The Action of the feed status shows "detect" not prevent?

CCSM R77/R80/ELITE
fdhfdshs5454
Contributor

Sorry, it's a copy-paste from a previous test where the feed was first configured in "detect".

The issue is seen in "prevent" state too, as nothing is logged and attacker traffic is allowed.

fdhfdshs5454
Contributor

Gateways are all R81.10 HFA66.

Will look into debugging AntiBot.

Thanks.
