This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Emil_T
Collaborator
‎2025-07-13 10:06 AM
Jump to solution

Network feed - exceptions / white list

Hi

Is there a white list mechanism available within the Network feed feature to avoid accidental blocking of internal network IPs? The Custom Intelligence (IoC) Feeds automatically excludes private IP ranges, but I haven't found a similar safeguard for the Network feed.

Thx

Labels
0 Kudos
1 Solution

Accepted Solutions
the_rock
MVP Platinum
MVP Platinum
‎2025-07-13 02:07 PM
Jump to solution

Just confirmed in the lab, does not appear exceptions are possible.

Andy

Best,
Andy

View solution in original post

Preview file
74 KB
(1)
4 Replies
the_rock
MVP Platinum
MVP Platinum
‎2025-07-13 01:43 PM
Jump to solution

Never seen one, but will check in the lab tomorrow.

Andy

Best,
Andy
0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2025-07-13 02:07 PM
Jump to solution

Just confirmed in the lab, does not appear exceptions are possible.

Andy

Best,
Andy
Preview file
74 KB
(1)
Ted_Serreyn
Collaborator
‎2025-07-14 02:47 PM
Jump to solution

While whitelist is NOT directly available as part of the network feed itself, you can correctly implement this with layers to accomplish what you want.

 

Create a new layer that is executed before your normal policy.   The default for this layer should be to allow all traffic and don’t log it.

Create a whitelist rule to explicity allow the traffic in desired directions, log or don’t to show it was allowed.

Create a network feed rules after this rule to block traffic in desired directions, log or don’t to show it was blocked.

This layer is executed first and “falls thru” to the network policy for additional inforcement.

 

This layered method does process the accepted packets twice, but presumably you are attempting to block lots of bad actors/ip addresses and really don’t need to process them thru the whole security policy.

Personally we turn off logging on these after testing them to make sure that they are not blocking unexpected networks like VPN or private internal addresses.  If they do, we can put them into the whitelist.

 

Ted Serreyn

the_rock
MVP Platinum
MVP Platinum
‎2025-07-14 02:50 PM
In response to Ted_Serreyn
Jump to solution

Definitely good way to go about it, agree.

Andy

Best,
Andy
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events