Ok, so sk132193 works with the AV & AB & IPS (malicious IPs defense), no further action is required other than manually updating & distributing the list weekly, monthly, daily? So, if the IPS is inactive, AV & AB can pick up on it.
No feeds are being found when trying to run (see ioc_feeder.elg below) on an R81.10 JHF66 gw.
1. ioc_feeds export (this fails)
2. ioc_feeds add --feed_name remote_stix_file --transport http --resource "http://www.public_indicators.com/ioc_stix_file.xml" --test true (this runs fine)
[20405 4112738176]@fwl-btp-03[17 Oct 9:31:21] ioc_main[198] ::main: [INFO] Start getting external Indicators
[20405 4112738176]@fwl-btp-03[17 Oct 9:31:21] CIOCFeederManger[594] ::ext_ioc_load_local_set: [INFO] read file /opt/CPsuite-R81.10/fw1/state/local/AMW/local.set
[20405 4112738176]@fwl-btp-03[17 Oct 9:31:21] CIOCFeederManger[557] ::ext_ioc_gw_db_ex: [INFO] read file /opt/CPsuite-R81.10/fw1/state/local/AMW/local.gw_set
[20405 4112738176]@fwl-btp-03[17 Oct 9:31:21] CIOCFeederManger[684] ::isBladsOn: [INFO] anti_malware_blade on
[20405 4112738176]@fwl-btp-03[17 Oct 9:31:21] CIOCFeederManger[989] ::run: [INFO] start
[20405 4112738176]@fwl-btp-03[17 Oct 9:31:21] CIOCFeederManger[213] ::init: [INFO] Init feeder manager
[20405 4112738176]@fwl-btp-03[17 Oct 9:31:21] CIOCFeederManger[248] ::init: [INFO] SSL validation is off
[20405 4112738176]@fwl-btp-03[17 Oct 9:31:21] CIOCCPSnortParser[178] ::init: [INFO] init called
[20405 4112738176]@fwl-btp-03[17 Oct 9:31:21] CIOCCPSnortParser[90] ::iocExtractCurDirNum: [INFO] s_cur_dir_num 0
[20405 4112738176]@fwl-btp-03[17 Oct 9:31:21] CIOCCPSnortParser[206] ::init: [INFO] init done
[20405 4112738176]@fwl-btp-03[17 Oct 9:31:21] CIOCFeederManger[360] ::getCurrentIOCDir: [INFO] dir /opt/CPsuite-R81.10/fw1/amw/ext_ioc/cur
[20405 4112738176]@fwl-btp-03[17 Oct 9:31:21] CIOCFeederManger[367] ::getCurrentIOCDir: [INFO] cur_dir /opt/CPsuite-R81.10/fw1/amw/ext_ioc/0
[20405 4112738176]@fwl-btp-03[17 Oct 9:31:21] CIOCFeederManger[381] ::getCurrentIOCDir: [INFO] cur_dir_num 0
[20405 4112738176]@fwl-btp-03[17 Oct 9:31:21] CIOCCPSnortParser[219] ::getCurrentIOCIPSDir: [INFO] start
[20405 4112738176]@fwl-btp-03[17 Oct 9:31:21] CIOCCPSnortParser[221] ::getCurrentIOCIPSDir: [INFO] dir /opt/CPsuite-R81.10/fw1/ips/ioc_snort/cur
[20405 4112738176]@fwl-btp-03[17 Oct 9:31:21] CIOCCPSnortParser[228] ::getCurrentIOCIPSDir: [INFO] cur_dir /opt/CPsuite-R81.10/fw1/ips/ioc_snort/0
[20405 4112738176]@fwl-btp-03[17 Oct 9:31:21] CIOCCPSnortParser[242] ::getCurrentIOCIPSDir: [INFO] s_cur_dir_num 0
[20405 4112738176]@fwl-btp-03[17 Oct 9:31:21] CIOCFeederManger[261] ::init: [INFO] call to pack init
[20405 4112738176]@fwl-btp-03[17 Oct 9:31:21] CIOCFeedPackger[122] ::init: [INFO] Init feeder packager
[20405 4112738176]@fwl-btp-03[17 Oct 9:31:21] CIOCFeederManger[557] ::ext_ioc_gw_db_ex: [INFO] read file /opt/CPsuite-R81.10/fw1/state/local/AMW/local.gw_set
[20405 4112738176]@fwl-btp-03[17 Oct 9:31:21] CIOCConfReader[122] ::read_proxy_settings: [WARN] failed to get proxy_str
[20405 4112738176]@fwl-btp-03[17 Oct 9:31:21] CIOCConfReader[493] ::read: [INFO] Fetching interval is 300
[20405 4112738176]@fwl-btp-03[17 Oct 9:31:21] CIOCConfReader[428] ::setDefaulteCABundle: [INFO] m_ioc_cert_bundle /opt/CPsuite-R81.10/fw1/database/ca_bundle.pem
[20405 4112738176]@fwl-btp-03[17 Oct 9:31:21] CIOCConfReader[498] ::read: [INFO] Using cert bundle /opt/CPsuite-R81.10/fw1/database/ca_bundle.pem
[20405 4112738176]@fwl-btp-03[17 Oct 9:31:21] CIOCConfReader[507] ::read: [INFO] Starting to parse conf file
[20405 4112738176]@fwl-btp-03[17 Oct 9:31:21] CIOCFeederManger[1018] ::run: [INFO] Running feed manager
[20405 4112738176]@fwl-btp-03[17 Oct 9:31:21] CIOCFeederManger[1022] ::run: [INFO] No feeds found
[20405 4112738176]@fwl-btp-03[17 Oct 9:31:21] ioc_main[240] ::main: [ERROR] run failed
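
For readers triaging a similar ioc_feeder.elg, here is an added example (not part of the original post and not Check Point code) that parses the line layout seen in the excerpt above and surfaces the WARN/ERROR entries plus a few INFO messages. The `triage` function, the `NOTABLE_INFO` watch list and the regex are assumptions made for this example; the sample lines are copied from the post.

```python
import re

# Layout seen in the excerpt:
# [pid tid]@host[timestamp] Component[src_line] ::function: [LEVEL] message
ELG_LINE = re.compile(
    r"^\[(?P<pid>\d+) (?P<tid>\d+)\]@(?P<host>[^\[\s]+)\[(?P<ts>[^\]]+)\] "
    r"(?P<component>\w+)\[(?P<src_line>\d+)\] ::(?P<func>\w+): "
    r"\[(?P<level>[A-Z]+)\] (?P<msg>.*)$"
)

# Assumption for this example: INFO messages to surface alongside WARN/ERROR.
NOTABLE_INFO = ("SSL validation is off", "No feeds found")

# Lines copied from the log excerpt in the post.
SAMPLE = """\
[20405 4112738176]@fwl-btp-03[17 Oct 9:31:21] CIOCFeederManger[248] ::init: [INFO] SSL validation is off
[20405 4112738176]@fwl-btp-03[17 Oct 9:31:21] CIOCConfReader[122] ::read_proxy_settings: [WARN] failed to get proxy_str
[20405 4112738176]@fwl-btp-03[17 Oct 9:31:21] CIOCConfReader[493] ::read: [INFO] Fetching interval is 300
[20405 4112738176]@fwl-btp-03[17 Oct 9:31:21] CIOCFeederManger[1022] ::run: [INFO] No feeds found
[20405 4112738176]@fwl-btp-03[17 Oct 9:31:21] ioc_main[240] ::main: [ERROR] run failed
"""


def triage(lines):
    """Return (timestamp, level, component::function, message) for each
    WARN/ERROR line and each INFO line matching NOTABLE_INFO."""
    findings = []
    for raw in lines:
        m = ELG_LINE.match(raw.strip())
        if m is None:
            continue  # line is not in the expected layout; skip it
        level, msg = m["level"], m["msg"]
        if level in ("WARN", "ERROR") or any(n in msg for n in NOTABLE_INFO):
            findings.append((m["ts"], level, f"{m['component']}::{m['func']}", msg))
    return findings


if __name__ == "__main__":
    for ts, level, where, msg in triage(SAMPLE.splitlines()):
        print(f"{ts}  {level:<5}  {where}: {msg}")
```
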