Daniel_Kavan
Advisor

defense shield

Good morning!

Just curious, whatever happened to the old "defense shield" defense? It used a dynamic object to update known malicious IP addresses & attackers automatically. I did a search on "defense shield" in both the community and support and nothing comes up.

Accepted Solutions
G_W_Albrecht
Legend

No, here it is: sk21534: How to configure and troubleshoot IPS protection "Malicious IPs" (DShield Storm Center)

But: in order to block a designated IP list, Check Point strongly recommends using the Custom Intelligence Feeds feature introduced in R80.30 - refer to sk132193.

CCSE CCTE CCSM SMB Specialist

Daniel_Kavan
Advisor

Ok, so sk132193 works with the AV & AB & IPS (malicious IPs defense), and no further action is required other than manually updating & distributing the list weekly, monthly, or daily? So, if the IPS is inactive, AV & AB can pick up on it.

No feeds are being found when trying to run (see ioc_feeder.elg below) on an R81.10 JHF66 gw.

ioc_feeds export  (this fails)
ioc_feeds add --feed_name remote_stix_file --transport http --resource "http://www.public_indicators.com/ioc_stix_file.xml" --test true  (this runs fine)

[20405 4112738176]@fwl-btp-03[17 Oct 9:31:21] ioc_main[198] ::main: [INFO] Start getting external Indicators
[20405 4112738176]@fwl-btp-03[17 Oct 9:31:21] CIOCFeederManger[594] ::ext_ioc_load_local_set: [INFO] read file /opt/CPsuite-R81.10/fw1/state/local/AMW/local.set
[20405 4112738176]@fwl-btp-03[17 Oct 9:31:21] CIOCFeederManger[557] ::ext_ioc_gw_db_ex: [INFO] read file /opt/CPsuite-R81.10/fw1/state/local/AMW/local.gw_set
[20405 4112738176]@fwl-btp-03[17 Oct 9:31:21] CIOCFeederManger[684] ::isBladsOn: [INFO] anti_malware_blade on
[20405 4112738176]@fwl-btp-03[17 Oct 9:31:21] CIOCFeederManger[989] ::run: [INFO] start
[20405 4112738176]@fwl-btp-03[17 Oct 9:31:21] CIOCFeederManger[213] ::init: [INFO] Init feeder manager
[20405 4112738176]@fwl-btp-03[17 Oct 9:31:21] CIOCFeederManger[248] ::init: [INFO] SSL validation is off
[20405 4112738176]@fwl-btp-03[17 Oct 9:31:21] CIOCCPSnortParser[178] ::init: [INFO] init called
[20405 4112738176]@fwl-btp-03[17 Oct 9:31:21] CIOCCPSnortParser[90] ::iocExtractCurDirNum: [INFO] s_cur_dir_num 0
[20405 4112738176]@fwl-btp-03[17 Oct 9:31:21] CIOCCPSnortParser[206] ::init: [INFO] init done
[20405 4112738176]@fwl-btp-03[17 Oct 9:31:21] CIOCFeederManger[360] ::getCurrentIOCDir: [INFO] dir /opt/CPsuite-R81.10/fw1/amw/ext_ioc/cur
[20405 4112738176]@fwl-btp-03[17 Oct 9:31:21] CIOCFeederManger[367] ::getCurrentIOCDir: [INFO] cur_dir /opt/CPsuite-R81.10/fw1/amw/ext_ioc/0
[20405 4112738176]@fwl-btp-03[17 Oct 9:31:21] CIOCFeederManger[381] ::getCurrentIOCDir: [INFO] cur_dir_num 0
[20405 4112738176]@fwl-btp-03[17 Oct 9:31:21] CIOCCPSnortParser[219] ::getCurrentIOCIPSDir: [INFO] start
[20405 4112738176]@fwl-btp-03[17 Oct 9:31:21] CIOCCPSnortParser[221] ::getCurrentIOCIPSDir: [INFO] dir /opt/CPsuite-R81.10/fw1/ips/ioc_snort/cur
[20405 4112738176]@fwl-btp-03[17 Oct 9:31:21] CIOCCPSnortParser[228] ::getCurrentIOCIPSDir: [INFO] cur_dir /opt/CPsuite-R81.10/fw1/ips/ioc_snort/0
[20405 4112738176]@fwl-btp-03[17 Oct 9:31:21] CIOCCPSnortParser[242] ::getCurrentIOCIPSDir: [INFO] s_cur_dir_num 0
[20405 4112738176]@fwl-btp-03[17 Oct 9:31:21] CIOCFeederManger[261] ::init: [INFO] call to pack init
[20405 4112738176]@fwl-btp-03[17 Oct 9:31:21] CIOCFeedPackger[122] ::init: [INFO] Init feeder packager
[20405 4112738176]@fwl-btp-03[17 Oct 9:31:21] CIOCFeederManger[557] ::ext_ioc_gw_db_ex: [INFO] read file /opt/CPsuite-R81.10/fw1/state/local/AMW/local.gw_set
[20405 4112738176]@fwl-btp-03[17 Oct 9:31:21] CIOCConfReader[122] ::read_proxy_settings: [WARN] failed to get proxy_str
[20405 4112738176]@fwl-btp-03[17 Oct 9:31:21] CIOCConfReader[493] ::read: [INFO] Fetching interval is 300
[20405 4112738176]@fwl-btp-03[17 Oct 9:31:21] CIOCConfReader[428] ::setDefaulteCABundle: [INFO] m_ioc_cert_bundle /opt/CPsuite-R81.10/fw1/database/ca_bundle.pem
[20405 4112738176]@fwl-btp-03[17 Oct 9:31:21] CIOCConfReader[498] ::read: [INFO] Using cert bundle /opt/CPsuite-R81.10/fw1/database/ca_bundle.pem
[20405 4112738176]@fwl-btp-03[17 Oct 9:31:21] CIOCConfReader[507] ::read: [INFO] Starting to parse conf file
[20405 4112738176]@fwl-btp-03[17 Oct 9:31:21] CIOCFeederManger[1018] ::run: [INFO] Running feed manager
[20405 4112738176]@fwl-btp-03[17 Oct 9:31:21] CIOCFeederManger[1022] ::run: [INFO] No feeds found
[20405 4112738176]@fwl-btp-03[17 Oct 9:31:21] ioc_main[240] ::main: [ERROR] run failed

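Two things in the excerpt above are worth pulling out before going further: the feed manager reports "No feeds found" and then "run failed", and earlier it reports "SSL validation is off" while the feed in the add command is fetched over plain http, so nothing authenticates the indicator list in transit (a tampered feed becomes a blocking decision on the gateway). The script below is an added example, not Check Point tooling and not part of the original post: it reduces an ioc_feeder.elg excerpt (the sample lines are copied from the post) to a one-line verdict, lists the non-INFO lines with their component and function, and flags cleartext feed transports. The matched strings and the verdict format are this example's own choices.

```shell
#!/bin/sh
# Added example (not Check Point code): triage an ioc_feeder.elg excerpt.
# IOC_LOG holds lines copied from the post above; no gateway access is needed.
IOC_LOG='[20405 4112738176]@fwl-btp-03[17 Oct 9:31:21] ioc_main[198] ::main: [INFO] Start getting external Indicators
[20405 4112738176]@fwl-btp-03[17 Oct 9:31:21] CIOCFeederManger[248] ::init: [INFO] SSL validation is off
[20405 4112738176]@fwl-btp-03[17 Oct 9:31:21] CIOCConfReader[122] ::read_proxy_settings: [WARN] failed to get proxy_str
[20405 4112738176]@fwl-btp-03[17 Oct 9:31:21] CIOCConfReader[493] ::read: [INFO] Fetching interval is 300
[20405 4112738176]@fwl-btp-03[17 Oct 9:31:21] CIOCFeederManger[1018] ::run: [INFO] Running feed manager
[20405 4112738176]@fwl-btp-03[17 Oct 9:31:21] CIOCFeederManger[1022] ::run: [INFO] No feeds found
[20405 4112738176]@fwl-btp-03[17 Oct 9:31:21] ioc_main[240] ::main: [ERROR] run failed'

# ioc_triage LOG : one-line verdict built from the messages that matter:
#   feeds=<configured|none> ssl=<on|off> proxy=<ok|warn> result=<ok|failed>
ioc_triage() {
    log="$1"
    feeds=configured; ssl=on; proxy=ok; result=ok
    printf '%s\n' "$log" | grep -q 'No feeds found' && feeds=none
    printf '%s\n' "$log" | grep -q 'SSL validation is off' && ssl=off
    printf '%s\n' "$log" | grep -q '\[WARN\].*proxy' && proxy=warn
    printf '%s\n' "$log" | grep -q '\[ERROR\] run failed' && result=failed
    printf 'feeds=%s ssl=%s proxy=%s result=%s\n' "$feeds" "$ssl" "$proxy" "$result"
}

# ioc_problems LOG : every non-INFO line, reduced to "LEVEL component::function: message"
# The sed pattern follows the "[pid tid]@host[time] Component[line] ::func: [LEVEL] msg"
# layout visible in the excerpt; lines in another layout pass through unchanged.
ioc_problems() {
    printf '%s\n' "$1" | grep -v '\[INFO\]' \
        | sed -E 's/^\[[^]]*\]@[^[]*\[[^]]*\] ([A-Za-z_]+)\[[0-9]+\] ::([A-Za-z_]+): \[([A-Z]+)\] (.*)$/\3 \1::\2: \4/'
}

# feed_transport_check URL : "ok" for https, "cleartext" for http, "unknown" otherwise.
# With SSL validation off even https gives no origin authentication, so treat
# "ok" as necessary, not sufficient.
feed_transport_check() {
    case "$1" in
        https://*) echo ok ;;
        http://*)  echo cleartext ;;
        *)         echo unknown ;;
    esac
}

ioc_triage "$IOC_LOG"
ioc_problems "$IOC_LOG"
feed_transport_check "http://www.public_indicators.com/ioc_stix_file.xml"
```

Run against the excerpt it prints `feeds=none ssl=off proxy=warn result=failed`, the WARN and ERROR lines, and `cleartext` for the feed URL from the add command. On a gateway, feed the real file in with `ioc_triage "$(cat $FWDIR/log/ioc_feeder.elg)"`; the script only reads text, so it is safe to run on a production box.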
G_W_Albrecht
Legend

To import external Custom Intelligence Feeds using SmartConsole in versions R81 and higher, refer to: Threat Prevention R81 Administration Guide > Configuring Advanced Threat Prevention Settings > Configuring Threat Indicators > Importing External Custom Intelligence Feeds > Importing External Custom Intelligence Feeds in SmartConsole.

CCSE CCTE CCSM SMB Specialist