Re: Verifying Threat Intelligence Import using Cus...

TSOL · ‎2024-11-07

Hello Team

We have configured a custom feed as we aim to detect threats using our managed blacklist.

However, it is not functioning properly, and we need to determine whether the import has failed or if there is a configuration error.

Is there a way to verify the imported threat intelligence?

Thank you for the advice.

PhoneBoy · ‎2024-11-07

Did you try the troubleshooting steps here? https://support.checkpoint.com/results/sk/sk132193

TSOL · ‎2024-11-10

Thank you.

It seems that the retrieval of custom blacklists, such as "hxxp://balcklist-A.net", within the "$FWDIR/external_ioc/Indicator-A/indicator-A_https" file has been successful.
However, it appears that PCs under the gateway are still able to access sites on that blacklist.

When using original indicators, are they applied through custom policies in the same way as other antivirus solutions?

Are there any special configurations required for this?

I would appreciate any advice you could provide.

PhoneBoy · ‎2024-11-11

Can you confirm what blades are active on the gateway in question?
Last I knew, this feature requires Anti-Virus and Anti-Bot to be enabled.

TSOL · ‎2024-11-11

Yes,in my environment, I believe the Anti-Bot and Anti-Virus blades are enabled as shown in the screen below.

if you have any advice, please let me know.

Thank you in advance.

PhoneBoy · ‎2024-11-12

Check the troubleshooting steps here: https://support.checkpoint.com/results/sk/sk132193
TAC may be necessary for further assistance.

Are you a member of CheckMates?

Verifying Threat Intelligence Import using Custom Feed