@AntE That seems to align with what I was told. Deployment of an authenticated feed via 81.20 management seems to work the best versus the CLI method, especially for a large environment. As you can see with your 'ioc_feeds add' statement, you would then be prompted for the password right afterwards to enter. Now... imagine doing that on 50+ clusters (100+ gateways) 😞
After playing around in my lab more, I do wish they had the "obfuscated_password" option via CLI. When it came to deployment planning, you could at least control the deployment via CLI in batches. I haven't seen where you can put in an 'exception' or 'install on' option for the IOC feeds. It seems like once you configure it, it gets installed on any threat profile where you have indicators activated in your profile and have the appropriate blades enabled (i.e. Anti-virus/Anti-bot). While I like the ease of deployment out to prod with just a threat policy install, it would be nice to have more controls here on 'where' you deploy them.
(Note to anyone: if there is some documentation I am missing on that non-CLI ability, kindly point me in the right direction ;))
The ability to 'test' the feed is what I found to be off here between R81.20 Management and non-R81.20 gateways. I believe that is different from R81.10 'testing' before. The way I understood the 'test connection' on R81.10 management is that it just tested the credentials/connection from your SmartConsole source. On R81.20, I think they reach out to the gateway you select and actually run a test feed setup to validate not only the credentials/connection to the server but also the content based on your filter feed settings. If my assumption is correct, I am thinking that Check Point has that R81.20 warning simply because it's the only version they can assure will work. My hope is that it will be allowed on previous versions via some JHF or, if it's allowed on R81.10 out of the box already, maybe fix that language in the warning ;))
Oh... and TAC did fix my feed filtering issues. Evidently, you have to use 'space' as the delimiter on the feed example I mentioned. REALLY wish that there was something noted in some SK or in the R81.20 Threat guides that breaks those options down 🤔 There are clearly differences in the SmartConsole options between R81.10 & R81.20 and I can't seem to find docs that support those change options for customers to reference.
Lastly, I did a quick review of the latest jumbo release for R81.10 (Take 110). Don't see the username fix included yet (i.e. lowercase only limitation) so I assume that is going to be in another release.