Gilles_Menage
Participant

IOC feed detect not effective

Hello,

I'm deploying a remote IOC feed.

The feed is successfully retrieved and parsed by the firewall:

# ioc_feeds show
Feed Name: shk-ioc-ctl
Feed is Active
File will be fetched via HTTPS
Resource: https://###REDACTED_FQDN###/ioc.csv
Action: Prevent
Proxy:
User Name:
Feed is centrally managed
# cat /opt/CPsuite-R81.10/fw1/external_ioc/shk-ioc-ctl/shk-ioc-ctl_https_custom.csv | grep ###REDACTED_IP###
observ9,###REDACTED_IP###,ip,,,,

However, while testing traffic from and to this specific ###REDACTED_IP###, I get no prevent logs.

I would like to know how I can troubleshoot/debug the filtering part of this feature.

Thanks,


Edit: Fixed "Action: Detect -> Prevent" in log message

4 Replies
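Before debugging the enforcement side, it is worth confirming that the fetched feed file itself is clean, since a row the parser silently drops will never produce a prevent log. The following validator is an added example, not code from the thread or from Check Point. It assumes the 7-column custom-feed layout visible in the grep output above (name, value, type, confidence, severity, product, comment), a `#` comment header, and a set of indicator type names that are an assumption of this example; the sample rows are constructed and use documentation address ranges.

```python
"""Sanity-check a Check Point style custom IOC feed CSV and look up an indicator.

Added example, not part of the forum post. Assumptions:
  * 7 columns: UNIQ-NAME,VALUE,TYPE,CONFIDENCE,SEVERITY,PRODUCT,COMMENT
  * lines starting with '#' are comments
  * KNOWN_TYPES below is this example's own list, not an official one
"""
import csv
import ipaddress
from dataclasses import dataclass, field

COLUMNS = ("name", "value", "type", "confidence", "severity", "product", "comment")
KNOWN_TYPES = {"domain", "ip", "ip range", "url", "md5",
               "mail-subject", "mail-from", "mail-to", "mail-cc", "mail-reply-to"}

# Constructed sample feed: one good row followed by typical mistakes.
SAMPLE_FEED = (
    "#UNIQ-NAME,VALUE,TYPE,CONFIDENCE,SEVERITY,PRODUCT,COMMENT\n"
    "observ9,198.51.100.23,ip,,,,\n"            # well-formed
    "observ10,198.51.100.24 ,ip,,,,\r\n"        # trailing space in value, CRLF ending
    "observ11,evil.example,domain,,,\n"         # only 6 columns
    "observ12,999.1.1.1,ip,,,,\n"               # type says ip, value is not an address
    "observ9,203.0.113.7,ip,,,,\n"              # duplicate UNIQ-NAME
)


@dataclass
class Indicator:
    line_no: int
    name: str
    value: str
    ioc_type: str
    problems: list = field(default_factory=list)


def parse_feed(text):
    """Parse the feed text, returning one Indicator per data row with any problems found."""
    indicators, seen_names = [], set()
    for line_no, raw in enumerate(text.splitlines(keepends=True), start=1):
        if raw.startswith("#") or not raw.strip():
            continue
        problems = []
        if raw.endswith("\r\n"):
            problems.append("CRLF line ending")
        fields = next(csv.reader([raw.rstrip("\r\n")]))
        if len(fields) != len(COLUMNS):
            problems.append(f"expected {len(COLUMNS)} columns, got {len(fields)}")
            fields = (fields + [""] * len(COLUMNS))[:len(COLUMNS)]  # pad/trim to keep going
        name, value, ioc_type = fields[0], fields[1], fields[2]
        if value != value.strip():
            problems.append("value has surrounding whitespace")
        if ioc_type.lower() not in KNOWN_TYPES:
            problems.append(f"unknown type {ioc_type!r}")
        if ioc_type.lower() == "ip":
            try:
                ipaddress.ip_address(value.strip())
            except ValueError:
                problems.append("value is not an IP address")
        if name in seen_names:
            problems.append("duplicate name")
        seen_names.add(name)
        indicators.append(Indicator(line_no, name, value, ioc_type, problems))
    return indicators


def find_indicator(indicators, value):
    """Return the rows whose (whitespace-stripped) value equals the address under test."""
    return [i for i in indicators if i.value.strip() == value]


def problem_rows(indicators):
    """(line_no, problems) for every row the gateway parser might reject or mis-handle."""
    return [(i.line_no, i.problems) for i in indicators if i.problems]


if __name__ == "__main__":
    rows = parse_feed(SAMPLE_FEED)
    for line_no, problems in problem_rows(rows):
        print(f"line {line_no}: {'; '.join(problems)}")
    for hit in find_indicator(rows, "198.51.100.23"):
        print(f"found {hit.name} on line {hit.line_no}: {hit.problems or 'ok'}")
```

On a gateway you would feed the fetched file (the `*_https_custom.csv` under `external_ioc/` in the post) into `parse_feed` instead of `SAMPLE_FEED`; a row for the tested IP that comes back with an empty `problems` list rules out the feed file as the cause and points the investigation at enforcement.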
Chris_Atkinson
Employee

The Action of the feed status shows "detect", not "prevent"?

Gilles_Menage
Participant

Sorry, it's a copy-paste from a previous test where the feed was first configured in "detect".

The issue is seen in the "prevent" state too, as nothing is logged and attacker traffic is allowed.

PhoneBoy
Admin

Gilles_Menage
Participant

Gateways are all R81.10 HFA66.

Will look into debugging AntiBot.

Thanks.
