IOC feed using CSV or txt

Dear All,

We have Check Point R81.10 security gateways, and we want to automate the blocking of malicious IPs and URLs gathered by the SOC team. We want the SOC team to add the malicious IPs and URLs to a separate server in a text file, and then we will link these files to our gateways using the IOC. Is there any documentation available that can help me achieve this?

Thanks

18 Replies
Chris_Atkinson
Employee

This is covered in the Threat Prevention Admin Guide for the version, e.g.

https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_ThreatPrevention_AdminGuide/...

Is there a particular issue that you're facing here or a unique requirement?

CCSM R77/R80/ELITE
PhoneBoy
Admin

If you have a significant number of IoCs, I highly recommend upgrading to R81.20.
You also have Network Feed objects in R81.20, which allow for more flexible reporting, and Network Feed objects can be used directly in the Access Policy.

CaseyB
Advisor

This is also a good reference SK: sk132193 

Ihenock1011
Advisor

What I didn't get from the SK is

  1. How do I make the gateways refer to the CSV file?

  2. Where should I put the CSV file, either on a file server or any server?

Lastly, can you share with me a sample CSV file that contains both optional and mandatory fields?

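The post above asks how the gateway reaches the CSV, where to host it, and what a sample file with mandatory and optional fields looks like. The following is an added example, not code from this thread or from Check Point: a Python script that turns the SOC's one-indicator-per-line text file into the IoC feed CSV and validates the result before it is published. The column order (UNIQ-NAME, VALUE, TYPE, CONFIDENCE, SEVERITY, PRODUCT, COMMENT), the allowed values and the treatment of the first three columns as mandatory are my reading of sk132193 and are assumptions to confirm against the SK for your release; the SOC list, the soc-NNNN names and the default comment are constructed.

```python
# Added example (not code from the thread or from Check Point): build and validate a Check Point
# IoC-feed CSV from the SOC's text list. Column order and allowed values are my reading of sk132193.
import ipaddress
import re
from urllib.parse import urlparse
# Positional columns of one feed row (assumed from sk132193); no header row is written.
FIELDS = ["UNIQ-NAME", "VALUE", "TYPE", "CONFIDENCE", "SEVERITY", "PRODUCT", "COMMENT"]
REQUIRED = ("UNIQ-NAME", "VALUE", "TYPE")  # the remaining columns may be left empty (assumption)
ALLOWED = {
    "TYPE": {"Domain", "IP", "IP Range", "URL", "MD5",
             "Mail-from", "Mail-to", "Mail-cc", "Mail-reply-to", "Mail-subject"},
    "CONFIDENCE": {"low", "medium", "high"},
    "SEVERITY": {"low", "medium", "high", "critical"},
    "PRODUCT": {"AV", "AB"},  # Anti-Virus / Anti-Bot
}
DERIVABLE = {"IP", "IP Range", "Domain", "URL", "MD5"}  # types classify() can recognise
MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)
# Constructed sample of the file the SOC drops on the server: one indicator per line.
SOC_LIST = """\
198.51.100.23
203.0.113.0-203.0.113.255
malicious.example.net
http://bad.example.org/payload.exe
bad.example.org/other/path
d41d8cd98f00b204e9800998ecf8427e
not an indicator
198.51.100.23
"""

def classify(value):
    """Derive the feed TYPE for one raw indicator, or None if it is unrecognised."""
    v = value.strip()
    if MD5_RE.match(v):
        return "MD5"
    try:
        ipaddress.ip_address(v)
        return "IP"
    except ValueError:
        pass
    lo, dash, hi = v.partition("-")  # a.b.c.d-e.f.g.h range form
    if dash:
        try:
            ipaddress.ip_address(lo.strip())
            ipaddress.ip_address(hi.strip())
            return "IP Range"
        except ValueError:
            pass
    if "/" in v and urlparse(v if "://" in v else "http://" + v).hostname:
        return "URL"  # anything carrying a path is a URL, with or without a scheme
    return "Domain" if DOMAIN_RE.match(v) else None

def build_feed(soc_text, product="AB", confidence="high", severity="high", comment="SOC-blocklist"):
    """Turn one-indicator-per-line text into feed CSV text. Returns (csv_text, skipped),
    where skipped lists (line_number, reason) so nothing is dropped silently."""
    for field, value in (("CONFIDENCE", confidence), ("SEVERITY", severity), ("PRODUCT", product)):
        if value not in ALLOWED[field]:
            raise ValueError(f"{field} must be one of {sorted(ALLOWED[field])}, got {value!r}")
    rows, seen, skipped = [], set(), []
    for lineno, raw in enumerate(soc_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # blank lines and SOC comments
            continue
        ioc_type = classify(line)
        if ioc_type is None:
            skipped.append((lineno, "unrecognised indicator"))
            continue
        if line in seen:
            skipped.append((lineno, "duplicate"))
            continue
        row = [f"soc-{len(rows) + 1:04d}", line, ioc_type, confidence, severity, product, comment]
        if any("," in col for col in row):  # no quoting: a stray comma would shift columns
            skipped.append((lineno, "comma in field"))
            continue
        seen.add(line)
        rows.append(",".join(row))
    return "".join(r + "\n" for r in rows), skipped

def validate_feed(csv_text):
    """Re-read a feed as the gateway will: column count, required fields, enumerated
    values, unique names, and a TYPE that matches the shape of the VALUE."""
    errors, names = [], set()
    for lineno, line in enumerate(csv_text.splitlines(), 1):
        if not line.strip():
            continue
        cols = line.split(",")
        if len(cols) != len(FIELDS):
            errors.append(f"line {lineno}: expected {len(FIELDS)} columns, got {len(cols)}")
            continue
        rec = dict(zip(FIELDS, cols))
        errors += [f"line {lineno}: {f} is required" for f in REQUIRED if not rec[f]]
        errors += [f"line {lineno}: {f}={rec[f]!r} not allowed" for f, ok in ALLOWED.items()
                   if rec[f] and rec[f] not in ok]
        if rec["UNIQ-NAME"] in names:
            errors.append(f"line {lineno}: duplicate UNIQ-NAME {rec['UNIQ-NAME']!r}")
        names.add(rec["UNIQ-NAME"])
        if rec["TYPE"] in DERIVABLE and classify(rec["VALUE"]) != rec["TYPE"]:
            errors.append(f"line {lineno}: VALUE {rec['VALUE']!r} does not look like {rec['TYPE']}")
    return errors
```

Run build_feed on the SOC's file and refuse to publish if validate_feed returns anything. The gateway fetches the feed itself, so the separate server in the question has to serve the file to the gateways over HTTP or HTTPS (a plain file share is not enough); the feed is then registered on the gateway with the ioc_feeds command that sk132193 documents. Validating on the publishing host is worth the few lines because it is the gateway, not the SOC, that parses the file, and a malformed row is far easier to catch there than in the gateway's logs.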
the_rock
Legend

I can send you one tomorrow, as well as an example of some FQDNs you can use, and the best thing about it is that they are dynamically updated. And yes, I agree with PhoneBoy, R81.20 is the way to go if you plan to use this feature.

Best,

Andy

Ihenock1011
Advisor

@the_rock Thanks a lot!

the_rock
Legend

Hope that was useful info? If not, let me know; we can do a remote session and I can show you more in my lab.

Best,

Andy

Ihenock1011
Advisor

@the_rock That was helpful! If we could do a remote session, it would be much better for me. I could then clear up a lot of things.

the_rock
Legend

Sure, what time zone are you in?

Andy

Ihenock1011
Advisor

GMT+3 (EAT), 8:00 AM-12:00 PM or 2:00 PM to 5:00 PM will be best.

the_rock
Legend

So it's 2:35 pm now for you?

Ihenock1011
Advisor

Yes

the_rock
Legend
Legend

K, messaged you offline

the_rock
Legend

Hey boys,

@PhoneBoy @_Val_

Just a quick question... any idea if Check Point has a recommended link of bad IP addresses that get updated automatically, or is this more up to the customer to find and use at their discretion?

Best,

Andy

I see links in the sk below, but not sure if there is anything else or not...

https://support.checkpoint.com/results/sk/sk132193

_Val_
Admin

Okay, you looked into sk132193. There are many free and commercial IoCs from different sources, but I am not aware of anything Check Point would consider recommended per se.

The lists are quite different and vary per industry.

the_rock
Legend

K, sounds good. I sort of figured that was the case, just wanted to clarify.

Thank you as always 🙂

Andy
