Importing External Custom Intelligence Feeds in SmartConsole
Custom Intelligence Feeds lets you fetch feeds from a third-party server directly to the Security Gateway to be enforced by the Anti-Virus and Anti-Bot blades. The Custom Intelligence Feeds feature helps you manage and monitor indicators with minimal operational overhead.
Before you start - In SmartConsole, go to the applicable profile > Indicators > Activation, and make sure that Enable indicator scanning is selected.
| Step | Instructions |
|---|---|
| 1 | In the SmartConsole main view, go to Security Policies > Threat Prevention > Custom Policy > Custom Policy Tools > Indicators. If you are working with Autonomous Threat Prevention, go to Security Policies > Threat Prevention > Autonomous Policy > Autonomous Policy Tools > Indicators. |
| 2 | Click New and select External IoC Feed. The Indicator configuration window opens. |
| 3 | In the top field, enter a unique object name. |
| 4 | In the Feed URL field, enter the full URL that starts with |
| 5 | Select an Action for this indicator: |
| 6 | Select Use gateway proxy for connection, if the Security Gateway must connect to the external feed through a proxy server. |
| 7 | In the Authentication section, enter the applicable username and password, if the external feed requires authentication. |
| 8 | Configure the Custom feed settings. |
| 9 | Click Test Connectivity to make sure the Security Gateways can get this feed: |
| 10 | Click OK. The new indicator appears on the Indicators page. |
| 11 | Install the Threat Prevention Policy. |

Note - The Security Gateways fetch the configured feeds every 30 minutes and enforce them immediately without the need to install a Threat Prevention Policy. To change the fetching interval:
Limitations
- External Indicators of Compromise (IoC) added in SmartConsole are supported only on Security Gateways R81 and higher.
- IoC feeds are fetched on all connections and are not affected by Threat Prevention Policy.
- Policy installation does not fail if a Security Gateway cannot get a feed. In this case, the Security Gateway generates a control log.