External Network Feeds
A network feed object is a network object that lets you enforce feeds that are generated on external HTTP/HTTPS servers. The feed can contain IP addresses (single or ranges), domains, or both.
For example:
- Single IP (1.1.1.1)
- Range (1.1.1.1-2.2.2.2)
- IP + masklen (1.1.1.1/24)
- FQDN domain (google.com)
- Non-FQDN domain (*.google.com)
The feed must be written in a supported format (see below). The Security Gateway fetches, parses, and updates the network feed object automatically according to the feed changes on the external source server. There is no need to install policy for the updates to take effect. You can use an external network feed object in the Access Control / HTTPS Inspection / NAT policy as a source or a destination.
Note - Local feeds hosted on the Security Gateway are not supported.
Use Case
This feature is relevant for any customer who wants to use an external source as a network data provider, and use this data in the Rule Base.
When you use a network feed, the Security Gateway updates the feed automatically, which:
- Requires less manual maintenance of the feed
- Reduces the number of policy installations
- Simplifies policy configuration
|
Notes:
|
To configure external network feeds:
- In SmartConsole, go to the Object Explorer.
- Click New > More > Network Object > Network Feed.
  The New Network Feed window opens.
- Configure Network settings:
  Feed URL - Configure the URL which gives access to the external server feed.
  Best Practice - Use HTTPS and not HTTP.
- Feed Parsing:
  Format - Configure the content structure in the feed, so the Security Gateway knows how to parse the feed. The supported formats are Flat list and JSON.
  If you select the Flat list format, configure these settings:
  - Data type - From the drop-down menu, select: Domain, IP Address or IP Address/Domain, so the Security Gateway knows which data type to enforce.
  - Delimiter - Separates the data values in the feed.
  - Ignore lines with prefix - Defines which lines to ignore in the feed.

  If you select the JSON format, configure these settings:
  - Data Type - From the drop-down menu, select: Domain, IP Address or IP Address/Domain, so the Security Gateway knows which data type to enforce.
  - JSON Query - Defines how to extract the data from the feed in JQ syntax. For more information on JQ, visit http://stedolan.github.io/jq/
- Advanced Settings:
  - Authentication - Enter the username and password with which you authenticate to the URL.
  - Network:
    - Use gateway proxy for connection - Select this checkbox to use the proxy when the Security Gateway connects to the external server.
    - Check feed interval - Interval in minutes for the feed update on the Security Gateway. The default is 60 minutes.
- Test Feed:
  - Click the Test Feed button to make sure that the Security Gateway can connect to the Feed URL and that the certificate of the server which contains the Feed URL is valid.
    The Test Feed window opens.
  - In the Select gateway field, from the drop-down menu, select the Security Gateway on which you want to run the test:
    - If the test succeeds, you get a test completed successfully message.
    - If the test fails, you get an error message.
    - If the test fails because of an invalid certificate, this error message appears: Test failed to authenticate the server certificate.
      In this case, you can override the error message and connect to the server if you trust it.
      Select Accept certificate anyway to connect to the server.

    Note - The "Select gateway" menu does not show VSX Gateways and these VSX Virtual Devices: Virtual Systems, Virtual Routers, Virtual Switches.
- Click OK.
- Use the New Network Feed object in your Access Control Rule Base.
- Install the Access Control policy.
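A lint for a Flat list feed that can run on the feed server before publishing, as an added example that is not Check Point code and does not reproduce the gateway's parser. It applies a delimiter and an ignore-prefix, then classifies each value into the five entry kinds listed at the top of this page; the names `classify` and `lint_feed`, the kind labels, the domain pattern, and the treatment of the delimiter as a separator within each line are assumptions of this example.

```python
import ipaddress
import re

# Constructed sample reusing the page's example values; the last line is malformed.
SAMPLE_FEED = """\
# constructed sample, not real indicator data
1.1.1.1,1.1.1.1-2.2.2.2
1.1.1.1/24
google.com,*.google.com
2.2.2.2-1.1.1.1,1.1.1.999,bad_host!.example
"""

# Assumed domain syntax: optional "*." prefix, then dot-separated hostname labels.
_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
_DOMAIN = re.compile(rf"^(\*\.)?(?:{_LABEL}\.)+[A-Za-z]{{2,63}}$")

def _ip(text):
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None

def classify(entry):
    """Return the entry kind, or raise ValueError if the value fits none."""
    if _ip(entry) is not None:
        return "single_ip"
    if "/" in entry:
        # strict=False tolerates host bits, as in the page's 1.1.1.1/24 example
        ipaddress.ip_network(entry, strict=False)
        return "ip_masklen"
    first, sep, last = entry.partition("-")
    lo, hi = _ip(first), _ip(last)
    if sep and lo is not None and hi is not None:
        if lo.version != hi.version or lo > hi:
            raise ValueError("range start is above range end")
        return "range"
    match = _DOMAIN.match(entry)
    if match:
        return "non_fqdn_domain" if match.group(1) else "fqdn_domain"
    raise ValueError("not an IP, range, network or domain")

def lint_feed(text, delimiter=",", ignore_prefix="#"):
    """Return (accepted, rejected) lists of (value, kind-or-error) pairs."""
    accepted, rejected = [], []
    for line in text.splitlines():
        if ignore_prefix and line.lstrip().startswith(ignore_prefix):
            continue  # comment line, same idea as "Ignore lines with prefix"
        for value in filter(None, (v.strip() for v in line.split(delimiter))):
            try:
                accepted.append((value, classify(value)))
            except ValueError as err:
                rejected.append((value, str(err)))
    return accepted, rejected
```

A non-empty `rejected` list is a reason to hold the feed back and fix the source data before the gateway's next fetch interval.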
Monitoring
To monitor network feeds on the Security Gateway, run these commands in the Expert mode:
Note - In a cluster, run these commands on all Cluster Members.

| Operation | Command |
|---|---|
| See error and warning messages for network feed update events | |
| Get a list of IP addresses for all network feeds that are used in the policy | |
| Get a list of Domains and IP ranges related to a specific network feed | |
| Get a list of Domains associated with a specific IP address | |
| Get a list of IP addresses associated with a specific Domain | |
Troubleshooting
To debug network feeds on the Security Gateway, run these commands in the Expert mode:
Note - In a cluster, run these procedures on all Cluster Members.

| Operation | Procedure |
|---|---|
| Collect the kernel debug for network feed matching | For more information, see the R81.20 Quantum Security Gateway Guide > Chapter Kernel Debug. |
| Collect the policy installation debug to see information about network feeds | |
| Collect the debug of the network feed update events | |