Importing External Custom Intelligence Feeds in SmartConsole

Custom Intelligence Feeds lets you fetch feeds from a third-party server directly to the Security GatewayClosed Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. to be enforced by the Anti-VirusClosed Check Point Software Blade on a Security Gateway that uses real-time virus signatures and anomaly-based protections from ThreatCloud to detect and block malware at the Security Gateway before users are affected. Acronym: AV. and Anti-BotClosed Check Point Software Blade on a Security Gateway that blocks botnet behavior and communication to Command and Control (C&C) centers. Acronyms: AB, ABOT. blades. The Custom Intelligence Feeds feature helps you manage and monitor indicators with minimal operational overhead.

Step

Instructions

1

In the SmartConsole main view, go to Security Policies > Threat Prevention > Custom Policy > Custom Policy Tools > Indicators.

 

If you are working with Autonomous Threat Prevention, go to Security Policies > Threat Prevention > Autonomous Policy > Autonomous Policy Tools > Indicators.

2

Click New and select External IoC Feed.

The Indicator configuration window opens.

3

In the top field, enter a unique object name.

4

In the Feed URL field, enter the full URL that starts with http:// or https://.

5

Select an Action for this indicator:

  • Prevent - Threat Prevention Software Blades block the detected observable.

  • Detect - Threat Prevention Software Blades create a log, and lets the detected observable go through.

6

Select Use gateway proxy for connection, if the Security Gateway must connect to the external feed through a proxy server.

7

In the Authentication section, enter the applicable username and password, if the external feed requires authentication.

8

Configure the Custom feed settings.

9

Click Test Connectivity to make sure the Security Gateways can get this feed:

10

Click OK.

The new indicator appears on the Indicators page.

11

Install the Threat Prevention Policy.

Note - The Security Gateways fetch the configured feeds every 30 minutes and enforce them immediately without the need to install a Threat Prevention Policy.

To change the fetching interval:

  1. From the left navigation panel, click Manage & Settings.

  2. In the top middle pane, click Blades.

  3. In the Threat Prevention section, click Advanced Settings.

  4. From the left tree, click External Feed.

  5. Configure the applicable interval.

  6. Click OK.

  7. Install the Threat Prevention Policy.

Limitations