This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
_khard
Employee
Employee
‎2023-10-15 09:54 AM
Jump to solution

Unable to get IoC working

Hi All, 

I'm trying to play around with External IoC Feeds from .csv file uploaded to the Standalone device (lab setup).

I've successfully uploaded the IoC file which is of Check Point Format .csv

#Uniq-Name #Value #Type #Confidence #Severity #Product #Comment
observ1 *.facebook.com URL high high AV "Malicious IP"

 

Once the file was uploaded, I've even tried to push policy as well. However I'm still able to ping www.facebook.com

I've checked the free disk is more than 40% and memory utilization is around 40%. - Since it was written in the known limitations. 

 

Is there something which I'm missing ? 

Preview file
37 KB
Preview file
38 KB
0 Kudos
1 Solution

Accepted Solutions
the_rock
Legend
Legend
‎2023-10-17 11:36 AM
In response to _khard
Jump to solution

Hey @_khard 

Got it working with help of my good colleague. So, we checked the config and he said to me "Hey, is it possible wildcard is not allowed in ioc file?" and I was thinking, hm, he has a point and BAM, as soon as we replaced *.facebook.com with www.facebook.com, deleted the ioc feed and reimported the file, all worked like a charm.

I attached the file with screenshots.

You may want to submit RFE for this, since you work for CP, so it would probably mean more coming from you than me LOL

Anyway, file attached and if you have any more questions, happy to show you my lab, it has most things configured in it.

Kind regards,

Andy

View solution in original post

Preview file
313 KB
0 Kudos
20 Replies
the_rock
Legend
Legend
‎2023-10-15 10:03 AM
Jump to solution

Send the csv file you used, I will test it in the lab.

Andy

0 Kudos
_khard
Employee
Employee
‎2023-10-15 10:39 AM
In response to the_rock
Jump to solution

Here's the .csv file. 

Preview file
1 KB
0 Kudos
the_rock
Legend
Legend
‎2023-10-15 11:34 AM
In response to _khard
Jump to solution

Might do it tomorrow and let you know. Btw, you can easily tell yourself why it fails...just check the logs, route, capture...etc.

Andy

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2023-10-15 03:19 PM
In response to _khard
Jump to solution

@_khard Suggest you take this internally for resolution please. 

These spaces are intended for customers / partners to ask questions.

CCSM R77/R80/ELITE
0 Kudos
(3)
the_rock
Legend
Legend
‎2023-10-15 04:22 PM
In response to Chris_Atkinson
Jump to solution

I see what you are saying Chris, but in my opinion, we are all here to help one another. As far as Im concerned, I never care whether its a CP employee or anyone else posting a question, makes no difference to me.

I will always do my best to help, thats all.

Cheers mate.

Andy

0 Kudos
the_rock
Legend
Legend
‎2023-10-15 04:21 PM
In response to _khard
Jump to solution

Hey,

Sorry about the delay, my colleagues were doing lots of changes to our lab, so took bit longer than expected. I just tested this, and works fine for me. I have real good R81.20 lab, happy to show you what I did.

Andy

0 Kudos
_khard
Employee
Employee
‎2023-10-15 08:15 PM
In response to the_rock
Jump to solution

Hi @the_rock , 

So you're saying that with the file I provided your internal network machines were not able to ping/telnet *.facebook.com ?

Yes, if you could show me that would be great. Let me know how you want to connect. 

0 Kudos
the_rock
Legend
Legend
‎2023-10-15 08:20 PM
In response to _khard
Jump to solution

No...what Im saying is I was going to facebook fine from machine behind the lab cluster. I will see if I can get it working right tomorrow.

 

Good night.

Andy

0 Kudos
the_rock
Legend
Legend
‎2023-10-16 05:41 AM
In response to _khard
Jump to solution

I got access to the lab, so will try work on this today when I have time. I see that access to facebook is allowed based on layered rules, so I have a feeling there is something else "missing" in order to make IoC feed work properly.

Andy

0 Kudos
the_rock
Legend
Legend
‎2023-10-16 09:11 AM
In response to _khard
Jump to solution

K, just did some more testing, but no luck. Im occupied with important Fortinet stuff today, but here are my thoughts and I could be mistaken when I say this, but maybe someone else can confirm. I dont believe its enough to just put website/category in there via CSV file for indicator and enable say AV blade and that will auto block those sites. When I test facebook, works fine, though yes, I do have https inspection enabled, but category for FB is NOT blocked, so thats why it works.

Personally, I do NOT think trying to do this via IoC would suffice, since its related to either AV or AB blades, but as far as blocking sites, thats strictly regarding URLF blade.

Again, I could be totally way off here, but thats my logical approach...

Kind regards,

Andy

0 Kudos
_khard
Employee
Employee
‎2023-10-16 09:36 AM
In response to the_rock
Jump to solution

Thank you @the_rock for putting so much effort.

Appreciate your help.

 

0 Kudos
the_rock
Legend
Legend
‎2023-10-16 09:37 AM
In response to _khard
Jump to solution

Any time mate, pleasure to help the best I can. Please let us know what you find.

Andy

0 Kudos
the_rock
Legend
Legend
‎2023-10-17 11:36 AM
In response to _khard
Jump to solution

Hey @_khard 

Got it working with help of my good colleague. So, we checked the config and he said to me "Hey, is it possible wildcard is not allowed in ioc file?" and I was thinking, hm, he has a point and BAM, as soon as we replaced *.facebook.com with www.facebook.com, deleted the ioc feed and reimported the file, all worked like a charm.

I attached the file with screenshots.

You may want to submit RFE for this, since you work for CP, so it would probably mean more coming from you than me LOL

Anyway, file attached and if you have any more questions, happy to show you my lab, it has most things configured in it.

Kind regards,

Andy

Preview file
313 KB
0 Kudos
_khard
Employee
Employee
‎2023-10-17 11:03 PM
In response to the_rock
Jump to solution

Hi @the_rock, Thanks for pointing this one out. I went through the documentation again and saw it doesn't support non-fqdns like network feeds does. 

Thank you again for your support. 

0 Kudos
the_rock
Legend
Legend
‎2023-10-18 03:31 AM
In response to _khard
Jump to solution

Sure, no problem, glad to help.

Andy

0 Kudos
the_rock
Legend
Legend
‎2023-10-17 04:32 PM
In response to _khard
Jump to solution

Also, forgot to say, though Im sure you know this, you can customize block page with different logos and messages (its under user check objects in object explorer and it can be set as per TP profile policy).

Andy

0 Kudos
PhoneBoy
Admin
Admin
‎2023-10-16 03:09 PM
Jump to solution

IoC feeds are enforced by the AntiBot/AntiVirus blades, which I don't think block ICMP.
Best to use Network Feeds in R81.20, which can be directly used in the Access Policy.

0 Kudos
the_rock
Legend
Legend
‎2023-10-16 03:22 PM
In response to PhoneBoy
Jump to solution

@PhoneBoy Can IoC indicator be used to block specific URL?

Andy

0 Kudos
PhoneBoy
Admin
Admin
‎2023-10-16 04:12 PM
In response to the_rock
Jump to solution

Yes, the example in sk132193 even includes one (subject to HTTPS Inspection configuration).

0 Kudos
the_rock
Legend
Legend
‎2023-10-16 04:17 PM
In response to PhoneBoy
Jump to solution

No idea what Im missing then...

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events