cyberluke365
Contributor

IoC feeds on R81.20

Hello,
I'm opening this topic to better understand the Threat Prevention Indicators and their implementation on R81.20 (6600 appliance).

Basically, I'd like to implement IoC feeds from the following two:

Spamhaus (https://www.spamhaus.org/drop/drop.txt)

The list contains IP address ranges:

; Spamhaus DROP List 2025/11/06 - (c) 2025 The Spamhaus Project SLU
; https://www.spamhaus.org/drop/drop.txt
; Last-Modified: Thu, 06 Nov 2025 20:14:41 GMT
; Expires: Thu, 06 Nov 2025 21:17:12 GMT
1.10.16.0/20 ; SBL256894
1.19.0.0/16 ; SBL434604
1.32.128.0/18 ; SBL286275
2.56.192.0/22 ; SBL459831
2.57.122.0/24 ; SBL636050
2.57.232.0/23 ; SBL538946
2.57.234.0/23 ; SBL538947
...

[A] - Based on its format, I would configure the IoC with the following settings:

  • Format: Custom CSV
  • Data Type: IP Range
  • Data Column: 1
  • Delimiter: Space
  • Ignore lines with prefix: ;

[B] - Check Point detects 1,487 indicators (or more precisely, rows). While reviewing the indicators provided by Spamhaus, I noticed that about 111 rows contain /16 IP ranges. That means that just these 111 rows represent a total of 7,274,496 IP addresses - quite a huge number!

DShield (https://www.dshield.org/block.txt)

This list is shorter than the one provided by Spamhaus, but it contains IP ranges expressed in a different format:

#    Columns (tab delimited):
#
#    (1) start of netblock  
#    (2) end of netblock
#    (3) subnet (/24 for class C)
#    (4) number of targets scanned
#    (5) name of Network 
#    (6) Country
#    (7) contact email address
#
#    If a range is assigned to multiple users, the first one is listed. 
#     
206.168.34.0	206.168.34.255	24	305	-	-	-
78.128.114.0	78.128.114.255	24	298	TAMATIYA-AS	BG	noc@4vendeta.com
146.88.241.0	146.88.241.255	24	298	ARBOR	US	hostmaster@arbor.net
65.49.1.0	65.49.1.255	24	295	HURRICANE	US	abuse@he.net
...

[C] - Based on its format, I would configure the IoC with the following settings:

  • Format: Custom CSV
  • Data Type: IP Range
  • Data Column: 2
  • Delimiter: Space
  • Ignore lines with prefix: Hash (#)

Check Point detects 20 indicators (or more precisely, rows).

Questions:

1. From the $FWDIR/log/ioc_feeder.elg log, I noticed that Check Point seems to "translate" IP address ranges into single IP addresses and then adds them into the database:

[2022 4107868032]@MYFIREWALL[6 Nov 11:45:28] IOCIPAndRangeFastHandler[235] ::saveIPToFile: [INFO]  insert add ip  209.95.89.121
[2022 4107868032]@MYFIREWALL[6 Nov 11:45:28] IOCIPAndRangeFastHandler[235] ::saveIPToFile: [INFO]  insert add ip  209.95.89.120
[2022 4107868032]@MYFIREWALL[6 Nov 11:45:28] IOCIPAndRangeFastHandler[235] ::saveIPToFile: [INFO]  insert add ip  209.95.89.119
[2022 4107868032]@MYFIREWALL[6 Nov 11:45:28] IOCIPAndRangeFastHandler[235] ::saveIPToFile: [INFO]  insert add ip  209.95.89.118
[2022 4107868032]@MYFIREWALL[6 Nov 11:45:28] IOCIPAndRangeFastHandler[235] ::saveIPToFile: [INFO]  insert add ip  209.95.89.117
[2022 4107868032]@MYFIREWALL[6 Nov 11:45:28] IOCIPAndRangeFastHandler[235] ::saveIPToFile: [INFO]  insert add ip  209.95.89.116
[2022 4107868032]@MYFIREWALL[6 Nov 11:45:28] IOCIPAndRangeFastHandler[235] ::saveIPToFile: [INFO]  insert add ip  209.95.89.115
[2022 4107868032]@MYFIREWALL[6 Nov 11:45:28] IOCIPAndRangeFastHandler[235] ::saveIPToFile: [INFO]  insert add ip  209.95.89.114
[2022 4107868032]@MYFIREWALL[6 Nov 11:45:28] IOCIPAndRangeFastHandler[235] ::saveIPToFile: [INFO]  insert add ip  209.95.89.113
...

Is that correct?

2. Could you please confirm if my IoC parameters are correct for Spamhaus IoCs - ref. [A]?

3. Is Check Point able to handle such a large number of IP addresses - ref. [B]?
I'm asking because, while implementing these IoC feeds, I noticed high CPU usage by the ioc_feeds process, which results in low performance and network issues affecting all end-user clients.

4. Could you please confirm if my IoC parameters are correct for DShield IoCs - ref. [C]?

Any thoughts would be much appreciated.

Thank you.
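The following script is an added example (not part of the original post, and not Check Point's own code) that mirrors the "Custom CSV" settings described above for both feeds (data column, whitespace delimiter, ignore-prefix) and measures how many single IP addresses each feed expands to before it is loaded onto the gateway. The sample feed and log lines are constructed from the excerpts quoted in the post; the function names are this example's own. Because the DShield header states the columns are tab delimited, the parser splits on any whitespace so that both a space and a tab delimiter are handled; for DShield it reads columns 1 and 2 (start and end of netblock) and collapses them into CIDR blocks. The last function reads the `insert add ip` lines in the `ioc_feeder.elg` format quoted in question 1.

```python
import ipaddress
import re

# Constructed samples, copied from the feed and log formats shown in the post
# (a handful of lines each, not the full feeds).
SPAMHAUS_DROP_SAMPLE = """\
; Spamhaus DROP List 2025/11/06 - (c) 2025 The Spamhaus Project SLU
; https://www.spamhaus.org/drop/drop.txt
1.10.16.0/20 ; SBL256894
1.19.0.0/16 ; SBL434604
1.32.128.0/18 ; SBL286275
2.56.192.0/22 ; SBL459831
"""

DSHIELD_BLOCK_SAMPLE = (
    "#    Columns (tab delimited):\n"
    "#    (1) start of netblock\n"
    "#    (2) end of netblock\n"
    "#\n"
    "206.168.34.0\t206.168.34.255\t24\t305\t-\t-\t-\n"
    "78.128.114.0\t78.128.114.255\t24\t298\tTAMATIYA-AS\tBG\tnoc@4vendeta.com\n"
    "146.88.241.0\t146.88.241.255\t24\t298\tARBOR\tUS\thostmaster@arbor.net\n"
)

IOC_FEEDER_LOG_SAMPLE = """\
[2022 4107868032]@MYFIREWALL[6 Nov 11:45:28] IOCIPAndRangeFastHandler[235] ::saveIPToFile: [INFO]  insert add ip  209.95.89.121
[2022 4107868032]@MYFIREWALL[6 Nov 11:45:28] IOCIPAndRangeFastHandler[235] ::saveIPToFile: [INFO]  insert add ip  209.95.89.120
[2022 4107868032]@MYFIREWALL[6 Nov 11:45:28] IOCIPAndRangeFastHandler[235] ::saveIPToFile: [INFO]  insert add ip  209.95.89.119
"""


def csv_rows(text, comment_prefix):
    """Apply the 'Custom CSV' view of a feed: drop blank lines and lines that
    start with comment_prefix, and split the rest on whitespace (space or tab)."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(comment_prefix):
            rows.append(line.split())
    return rows


def spamhaus_networks(text):
    """DROP rows: data column 1 is a CIDR block, ';' starts a comment."""
    return [ipaddress.ip_network(row[0], strict=False) for row in csv_rows(text, ";")]


def dshield_networks(text):
    """block.txt rows: columns 1 and 2 are the first and last address of the
    block; summarize that inclusive range into CIDR networks."""
    nets = []
    for row in csv_rows(text, "#"):
        first, last = ipaddress.ip_address(row[0]), ipaddress.ip_address(row[1])
        nets.extend(ipaddress.summarize_address_range(first, last))
    return nets


def feed_stats(networks):
    """Row count, total addresses covered, and number of /16-or-wider rows."""
    return {
        "rows": len(networks),
        "addresses": sum(n.num_addresses for n in networks),
        "wide_rows": sum(1 for n in networks if n.prefixlen <= 16),
    }


def over_budget(networks, max_addresses):
    """True if expanding the feed to single IPs would exceed max_addresses
    (a hypothetical sizing threshold chosen by the operator)."""
    return feed_stats(networks)["addresses"] > max_addresses


INSERT_RE = re.compile(r"insert add ip\s+(\d{1,3}(?:\.\d{1,3}){3})")


def inserted_ips(log_text):
    """Collect the single IPs that ioc_feeder.elg reports as inserted, sorted."""
    found = {ipaddress.ip_address(m.group(1)) for m in INSERT_RE.finditer(log_text)}
    return sorted(found)


if __name__ == "__main__":
    print("Spamhaus sample:", feed_stats(spamhaus_networks(SPAMHAUS_DROP_SAMPLE)))
    print("DShield sample:", feed_stats(dshield_networks(DSHIELD_BLOCK_SAMPLE)))
    print("111 x /16 rows cover",
          111 * ipaddress.ip_network("0.0.0.0/16").num_addresses, "addresses")
    print("IPs seen in log sample:", [str(ip) for ip in inserted_ips(IOC_FEEDER_LOG_SAMPLE)])
```

Running `feed_stats` over the full downloaded feeds gives the expansion count the gateway will have to absorb if ranges are stored as single addresses; `over_budget` turns that into a simple pre-load check so a feed with many wide prefixes can be excluded before it is pushed to the appliance rather than discovered through CPU load.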


Accepted Solutions
the_rock
MVP Platinum

All your assumptions are correct. Here is my personal suggestion...I would NOT include any list that contains so many subnets that amount to millions of single IPs. I had that issue by implementing network feeds. To be on the safe side, you can try them later on, because there could be many IP addresses that can be inadvertently blocked that need to be allowed.

Reference below about my post related to network feeds.

https://community.checkpoint.com/t5/Security-Gateways/Network-feed/m-p/212407#M40317

Best,
Andy


3 Replies
cyberluke365
Contributor

Hello @the_rock,

Thank you for the useful information.
I implemented SAMPARM IoC(s) from 2 to 8.

Thank you.

the_rock
MVP Platinum

Glad we can help, mate.

Best,
Andy