External Network Feeds

A network feed object is a network object that lets you enforce feeds that are generated on external HTTP/HTTPS servers. The feed can contain IP addresses (single or ranges), domains, or both.

For example:

  • Single IP (1.1.1.1)

  • Range (1.1.1.1-2.2.2.2)

  • IP + masklen (1.1.1.1/24)

  • FQDN domain (google.com)

  • Non-FQDN domain (*.google.com)

The feed must be written in a supported format (see below). The Security Gateway fetches, parses, and updates the network feed object automatically according to the feed changes on the external source server. There is no need to install policy for the updates to take effect. You can use an external network feed object in the Access Control / HTTPS Inspection / NAT policy as a source or a destination.

Note - Local feeds hosted on the Security Gateway are not supported.

Use Case

This feature is relevant for any customer who wants to use an external source as a network data provider, and use this data in the Rule Base.

When you use a network feed, the Security Gateway updates the feed automatically, which:

  • Requires less manual maintenance of the feed

  • Reduces the number of policy installations

  • Simplifies policy configuration


To configure external network feeds:

  1. In SmartConsole, go to the Object Explorer.

  2. Click New > More > Network Object > Network Feed.

    The New Network Feed window opens.

  3. Configure Network settings:

    Feed URL - Configure the URL at which the feed is available on the external server.

    Best Practice - Use HTTPS and not HTTP.

  4. Feed Parsing:

    Format - Configure the content structure in the feed, so the Security Gateway knows how to parse the feed. The supported formats are Flat list and JSON.

    If you select the Flat list format, configure these settings:

    • Data type - From the drop-down menu, select: Domain, IP Address or IP Address/Domain, so the Security Gateway knows which data type to enforce.

    • Delimiter - The character that separates the data values in the feed.

    • Ignore lines with prefix - Lines in the feed that start with this prefix are ignored.

    If you select the JSON format, configure these settings:

    • Data Type - From the drop-down menu, select: Domain, IP Address or IP Address/Domain, so the Security Gateway knows which data type to enforce.

  5. Advanced Settings:

    • Authentication - Enter the username and password with which you authenticate to the URL.

    • Network:

      • Use gateway proxy for connection - Select this checkbox to use the proxy when the Security Gateway connects to the external server.

      • Check feed interval - Interval in minutes for the feed update on the Security Gateway. The default is 60 minutes.

  6. Test Feed:

    1. Click the Test Feed button to make sure that the Security Gateway can connect to the Feed URL and that the certificate of the server that hosts the Feed URL is valid.

      The Test Feed window opens.

    2. In the Select gateway field, from the drop-down menu, select the Security Gateway on which you want to run the test:

      • If the test succeeds, you get a "test completed successfully" message.

      • If the test fails, you get an error message.

      • If the test fails because of an invalid certificate, this error message appears: Test failed to authenticate the server certificate.

        In this case, you can override the error message and connect to the server if you trust it.

        Select Accept certificate anyway to connect to the server.

      Note - The "Select gateway" menu does not show these VSX

  7. Click OK.

  8. Use the New Network Feed object in your Access Control Rule Base.

  9. Install the Access Control policy.
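As an added example (not Check Point's own code or parser), this Python script applies the Flat list settings from step 4 (Data type, Delimiter, Ignore lines with prefix) to a feed body and classifies each entry into the five shapes listed at the top of the page (single IP, range, IP + masklen, FQDN domain, non-FQDN domain), rejecting entries that do not fit the selected data type. The function names, the data-type labels used as dictionary keys and the sample feed are constructed for illustration.

```python
import ipaddress
import re
# Hostname labels per RFC 1123: letters, digits and hyphens, no leading or trailing hyphen.
_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
_DOMAIN_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$")
# Entry kinds each "Data type" setting from step 4 may carry (labels mirror the drop-down menu).
ALLOWED_KINDS = {"IP Address": {"ip", "range", "cidr"}, "Domain": {"fqdn", "wildcard"},
                 "IP Address/Domain": {"ip", "range", "cidr", "fqdn", "wildcard"}}

def classify(entry):
    """Map one feed value to 'ip', 'range', 'cidr', 'fqdn' or 'wildcard'; raise ValueError otherwise."""
    if "/" in entry:
        ipaddress.ip_network(entry, strict=False)  # "IP + masklen" such as 1.1.1.1/24, host bits allowed
        return "cidr"
    if entry.count("-") == 1 and (entry.split("-")[0].replace(".", "").isdigit() or ":" in entry):
        lo, hi = (ipaddress.ip_address(p) for p in entry.split("-"))  # raises if either side is not an IP
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"malformed range: {entry}")
        return "range"
    try:
        ipaddress.ip_address(entry)
        return "ip"
    except ValueError:
        pass
    if entry.startswith("*.") and _DOMAIN_RE.match(entry[2:]):
        return "wildcard"  # non-FQDN domain such as *.google.com
    if _DOMAIN_RE.match(entry):
        return "fqdn"
    raise ValueError(f"unrecognised feed entry: {entry!r}")

def parse_flat_feed(text, data_type="IP Address/Domain", delimiter="\n", ignore_prefix="#"):
    """Return (accepted, rejected): accepted maps entry -> kind, rejected maps entry -> reason."""
    accepted, rejected = {}, {}
    for line in text.splitlines():
        if not line.strip() or (ignore_prefix and line.startswith(ignore_prefix)):
            continue  # blank line, or a line the "Ignore lines with prefix" setting drops
        for value in filter(None, (v.strip() for v in line.split(delimiter))):
            try:
                kind = classify(value)
            except ValueError as exc:
                rejected[value] = str(exc)
                continue
            if kind in ALLOWED_KINDS[data_type]:
                accepted[value] = kind
            else:
                rejected[value] = f"{kind} entry not allowed for data type {data_type!r}"
    return accepted, rejected

# Constructed sample feed (not a real feed): the five entry shapes from the page plus one inverted range.
SAMPLE_FEED = "# comment\n1.1.1.1\n1.1.1.1-2.2.2.2\n1.1.1.1/24\ngoogle.com\n*.google.com\n2.2.2.2-1.1.1.1\n"
```

Running `parse_flat_feed(SAMPLE_FEED)` accepts the five valid shapes and rejects the inverted range; switching `data_type` to "Domain" additionally rejects every IP entry, which is the mismatch a gateway configured for the wrong data type would silently drop.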

Monitoring

To monitor network feeds on the Security Gateway, run these commands in the Expert mode:

Note - In a cluster, run these commands on all Cluster Members.

  • See error and warning messages for network feed update events:

    grep -i <Name of Network Feed> $FWDIR/log/efo_error.elg

  • Get a list of IP addresses for all network feeds that are used in the policy:

    dynamic_objects -efo_show

  • Get a list of Domains and IP ranges related to a specific network feed:

    dynamic_objects -efo <Name of Network Feed>

  • Get a list of Domains associated with a specific IP address:

    domains_tool -ip <IP Address>

  • Get a list of IP addresses associated with a specific Domain:

    domains_tool -d <Name of Domain>

Troubleshooting

To debug network feeds on the Security Gateway, run these commands in the Expert mode:

Note - In a cluster, run these procedures on all Cluster Members.


Collect the kernel debug for network feed matching

Important - This kernel debug causes high CPU load. Schedule a maintenance window.

For more information, see the R81.20 Quantum Security Gateway Guide > Chapter Kernel Debug.

  1. Configure the kernel debug options:

    fw ctl debug 0

    fw ctl debug -buf 8200

    fw ctl debug -m RAD_KERNEL all

    fw ctl debug -m DOMO all

    fw ctl debug -m UP all

  2. Examine the kernel debug settings:

    fw ctl debug -m

  3. Start the kernel debug:

    fw ctl kdebug -T -f > /var/log/kernel_debug.txt

  4. Replicate the issue.

  5. Stop the kernel debug - press the CTRL+C keys.

  6. Reset the kernel debug options:

    fw ctl debug 0

  7. Analyze the kernel debug output file:

    /var/log/kernel_debug.txt

Collect the policy installation debug to see information about network feeds

  1. In the first shell, start the debug:

    fw -d fetchlocal -d $FWDIR/state/__tmp/FW1/ >> /var/log/policy_installation.txt 2>&1

  2. In the second shell, monitor the output file:

    tail -f /var/log/policy_installation.txt

  3. In the first shell, stop the debug:

    Press the CTRL+C keys.

  4. In the second shell, stop monitoring the output file:

    Press the CTRL+C keys.

  5. Analyze the debug output file:

    /var/log/policy_installation.txt

Collect the debug of the network feed update events

  1. In the first shell, start the debug:

    TDERROR_ALL_ALL=1 dynamic_objects -efo_update <Name of Network Feed> >> /var/log/network_feed_update.txt 2>&1

  2. In the second shell, monitor the output file:

    tail -f /var/log/network_feed_update.txt

  3. In the first shell, stop the debug:

    Press the CTRL+C keys.

  4. In the second shell, stop monitoring the output file:

    Press the CTRL+C keys.

  5. Analyze the debug output file:

    /var/log/network_feed_update.txt