oktaycebeci
Participant

IOC Feeds does not work properly

Hello everyone.

One of our customers asked us to add an IOC feed on R81 (the firewall's Anti-Bot, Anti-Virus and IPS blades are enabled). First, we tried to import the Indicators file. However, we failed because of the file size, which is approximately 10 MB. Then we tried to split it into separate files, each smaller than 4 MB, and add them via the "ioc_feeds add ..." command. The first IOC feed was added successfully and showed us no error, but when we tried to add the second one, the feed showed us "Signatures load failed" and "Status: General Error" (images are from our test environment).

Screenshot_1.png

In SmartConsole, the firewall status shows us the error "Anti-Bot: Failed to prepare reputation DB".

Screenshot_2.png

Any advice about this problem?

Best regards


Accepted Solutions
PhoneBoy
Admin

Upgrade to R81.20, which has substantially upgraded infrastructure to support large numbers of indicators.

In R81.10 and earlier, the Pattern Matcher is used, which is also used by other features (IPS, App Control, etc).
The PM itself has a character limit, which you are surely exceeding with more than 215000 entries. 

Ruan_Kotze
Advisor

How many entries are in your file? I'm guessing you're running into the limit for R81. Having said that, I have not seen a hard limit published anywhere.

For what it's worth, R81.20 does bring support for "a significantly increased capacity in the number of observables for URLs, Domains, IP addresses, and Hashes - 2 million and up to hardware limit"

Regards,
Ruan

oktaycebeci
Participant

Hello Ruan,

In total, our three .csv files have 215000 entries for now, and the number of entries increases every day (for example, 5-10 new malicious links every day).

Best Regards

Oktay

oktaycebeci
Participant

Hello PhoneBoy and Ruan_Kotze,

Thank you for all the information you have shared.

Best Regards

Oktay
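
For anyone sizing feeds against the limits discussed in this thread, the following is an added example (not part of any post above and not Check Point code). It de-duplicates observables across several CSV feed files and reports rows, unique entries, total characters and whether a file exceeds the 4 MB the original poster kept each file under. The observable column (`value_col`), the `#` comment handling and the character budget are assumptions, since the thread states neither the CSV layout nor the Pattern Matcher limit.

```python
import csv
import io

MAX_FILE_BYTES = 4 * 1024 * 1024  # size the poster kept each split file under

# Constructed sample data (documentation domains and addresses), not from the thread.
SAMPLE_FEEDS = {
    "feed1.csv": "#name,value,type\nobs1,malicious.example.com,Domain\nobs2,192.0.2.10,IP\n",
    "feed2.csv": "obs3,malicious.example.com,Domain\nobs4,http://bad.example.net/a,URL\n\n",
}

def audit_feeds(feeds, value_col=1, char_budget=None):
    """Summarise {file name: CSV text} feeds after de-duplicating observables.

    value_col and char_budget are assumptions supplied by the caller; the
    thread gives no published character limit for the Pattern Matcher.
    """
    seen = set()
    report = {"files": {}, "rows": 0, "chars": 0, "duplicates": 0}
    for name, text in feeds.items():
        rows = 0
        for row in csv.reader(io.StringIO(text)):
            # Skip blank lines, '#' comment lines and rows missing the value column.
            if not row or row[0].lstrip().startswith("#") or len(row) <= value_col:
                continue
            value = row[value_col].strip()
            if not value:
                continue
            rows += 1
            if value in seen:
                report["duplicates"] += 1  # same observable already loaded
            else:
                seen.add(value)
                report["chars"] += len(value)  # characters of unique observables only
        size = len(text.encode("utf-8"))
        report["files"][name] = {"rows": rows, "bytes": size,
                                 "over_size": size > MAX_FILE_BYTES}
        report["rows"] += rows
    report["unique"] = len(seen)
    report["over_budget"] = char_budget is not None and report["chars"] > char_budget
    return report

if __name__ == "__main__":
    for key, val in audit_feeds(SAMPLE_FEEDS, char_budget=50).items():
        print(key, val)
```

Running this over real feed files before loading them shows how much of the total is duplicated across files and how quickly the combined character count grows as entries are added daily.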
