The exception doesn't work that way either.  It's almost as if exceptions through SmartConsole aren't support with Custom Intelligence Feed's but I can't find any documentation stating that or showing a different way to do an them.

I see what you mean. Any difference if you leave protection/site as n/a?

Andy

Good idea.  I tried with the protection / site set to N/A.  When I test traffic again no logs are generated but running zdebug I see the following:

[Expert@SG-1:0]# fw ctl zdebug + drop | grep 185.242.113.224
@;4184305;[kern];[tid_0];[SIM-241965305];pkt_handle_stateless_checks: dropping d ue to dos_pkt_should_drop(), conn: <10.1.1.10,1,185.242.113.224,0,1>;
@;4184305;[kern];[tid_0];[SIM-241965305];do_packet_finish: SIMPKT_IN_DROP vsid=0 , conn:<10.1.1.10,1,185.242.113.224,0,1>;
@;4185381;[kern];[tid_0];[SIM-241965305];pkt_handle_stateless_checks: dropping due to dos_pkt_should_drop(), conn: <10.1.1.10,1,185.242.113.224,0,1>;
@;4185381;[kern];[tid_0];[SIM-241965305];do_packet_finish: SIMPKT_IN_DROP vsid=0, conn:<10.1.1.10,1,185.242.113.224,0,1>;
@;4186459;[kern];[tid_0];[SIM-241965305];pkt_handle_stateless_checks: dropping due to dos_pkt_should_drop(), conn: <10.1.1.10,1,185.242.113.224,0,1>;
@;4186459;[kern];[tid_0];[SIM-241965305];do_packet_finish: SIMPKT_IN_DROP vsid=0, conn:<10.1.1.10,1,185.242.113.224,0,1>;
@;4187515;[kern];[tid_0];[SIM-241965305];pkt_handle_stateless_checks: dropping due to dos_pkt_should_drop(), conn: <10.1.1.10,1,185.242.113.224,0,1>;
@;4187515;[kern];[tid_0];[SIM-241965305];do_packet_finish: SIMPKT_IN_DROP vsid=0, conn:<10.1.1.10,1,185.242.113.224,0,1>;

Seems to me that pings are dropped based on that...

Andy

If I delete the exception the pings are then dropped by the blacklist again.  If I turn of the custom intelligence feed the pings work as expected. 

Not sure, sorry...maybe worth TAC case to verify. Please share the solution once its fixed.

Best,

Andy

Will do.  In the meantime if someone from Check Point can chime in and let me know if this is even supported or not I would really appreciate it.

Im curious too, for sure. In the meantime, I will keep digging to see if there is a way...

Andy

Hi Tim,

Thank you for the great info!

I tried with selectively disabling SecureXL for the destination IP and had the same results, assuming I edited the table.def file correct:

[Expert@SMS-1:0]# vi $FWDIR/lib/table.def

f2f_addresses={<185.242.113.224>};

If I use the exception the way SmartConsole creates it from the log card option with the source being the protected scope traffic to the destination continues to be dropped by the threat prevention blacklist.

If I change the exception that SmartConsole created in anyway such as moving the host object in the protected scope to the source or adding the destination IP to the destination field I then see the drops in zdebug.

In my lab environment I turned off SecureXL on the gateway with fwaccel off just incase my addition to the table.def file wasn't correct and had the same results.

Thinking about it more, disabling SecureXL won't matter as the optimal drop occurs long before it even figures out what path the connection should be handled in.  It still sounds like the exception you created is not being integrated into the optimal drop calculation inside sim, but this may be the case on a Firewall Worker Core as well if exceptions cannot be applied against custom indicators at all as you suspected initially.  Let me tag @Peter_Elmer and hopefully have him weigh in.

Very fresh from R81.20 JHF T43 from today:

Would be nice to know, how to do it. Just an exception for the relevant TP policy rule, like you tried?

Im installing it in my lab atm, lets see : - )

Andy

I wonder if this will be added to 81.10....

I just innstalled jumbo 43 in the lab, pushed policy, literally no new options for TP exceptions for IOC, at least that I can see.

Best,

Andy

Try creating a regular Threat Prevention exception in the policy.

Hi PhoneBoy, I have tried and it doesn't work either.

No dice either...

Andy

So even in 81.20 with jha take 43 installed any created exceptions for the ioc feeds simply don't work and the traffic is still prevented?

correct

Very interesting.  Thank you for sharing.

Any time.

Andy

Hello @Timothy_Hall , @Mike_Jensen ,

reading the all updates on 9-Jan here are my thoughts:

• I contacted @TPExpert offline to understand how we can achieve the required documentation of the whitelisting feature introduced in R81.20 JHF T43.
• The R81.20 is the recommended release for now and backporting the feature to R81.10 would require a formal RFE process. Don't expect this to be in a JHF for R81.10 without contacting your local sales contact and initiating the RFE process. I personally don't see such an RFE being done, as the R81.20 packet processing for IoC feeds has improved in general. I strongly suggest following the recommended release train.
• I searched for a flow diagram showing that IoC feed content is inserted into SecureXL. I recall such a diagram was in the sk92264 Anti-Virus and Anti-Bot ATRG but I can't find it anymore for now. I know from testing IoC feeds in R81.10 that observables where injected in SecureXL.
• The zdebug indicate 'dos' ...that made me searching SecureXL Penalty Box sk112454 . I don't have the reverse engineering proof that Penalty Box is 'feeded' by IoC. 

I am sorry, that by the time of this writing above is the best I can share as current business travels are limiting access to test lab.

From a design point of view, the IoC feed should be updated not to require exceptions - in other words: can we improve the source of the IoC? Exceptions are making 'life' complicated and 'complexity' is not a friend of 'security'.

If exceptions are required, the Threat Prevention rule bases is best using src/dest logic - not the the 'protected scope' logic. The src/dst logic makes it easier mapping Access Control rules and help 'reading' the Access Control and Threat Prevention policies.

Please let me know if more help is needed here.

greetings

pelmer 

I submitted a RFE for this to be added to 81.10, feedback reference # 33a5qvL18.  It would be nice if Check Point can add this feature to R81.10 considering the OS is still supported until July 31 2025.

Lets hope so.

If you saw the message from @TPExpert below, we are already planning to add this in the R81.10 JHF.
However, if you're using large IoC feeds, I strongly recommend upgrading your gateways (and management) to R81.20 which supports more than 2 million IoCs per feed and parses the feeds much more efficiently.

Hi,

Thank you for the information.

For an exclusion in R81.10 to we change the ip_whitelist.eng file on the security gateway or the SMS?

Can you please provide an example for the syntax to add a IP as a end-of-line delimiter?