Importing External Custom Intelligence Feeds in SmartConsole

Custom Intelligence Feeds lets you fetch feeds from a third-party server directly to the Security Gateway, to be enforced by the Anti-Virus and Anti-Bot blades. The Custom Intelligence Feeds feature helps you manage and monitor indicators with minimal operational overhead.

Note - Starting from R81.20, the Check Point Security Gateway can support at least 2 million patterns/observables for these observable types: URL, Domain, IP addresses, and Hashes. The maximum number of supported patterns/observables is limited by the available memory on the Security Gateway. Before the Security Gateway loads more than 2 million patterns/observables, it checks if 50% of the total memory is free.

Step 1

In the SmartConsole main view, go to Security Policies > Threat Prevention > Custom Policy > Custom Policy Tools > Indicators.

If you are working with Autonomous Threat Prevention, go to Security Policies > Threat Prevention > Autonomous Policy > Autonomous Policy Tools > Indicators.

Step 2

Click New and select New IoC Feed.

The New IoC Feed configuration window opens.

Step 3

In the top field, enter a unique object name.

Step 4

In the Action field, select the applicable action:

  • Prevent - Threat Prevention Software Blades block the detected observable.

  • Detect - Threat Prevention Software Blades create a log and let the detected observable go through.

  • Inactive - Disables this feed (Security Gateways ignore it).

Step 5

In the Feed URL field, enter the full URL that starts with http:// or https://.

Step 6

In the Feed Parsing section, from the Format drop-down menu, select the applicable format (see sk132193):

  • Check Point format/STIX - Configure the applicable feed parsing setting.

  • Custom CSV - Configure the applicable feed parsing settings.

Step 7

Expand the Advanced section (click the ^ icon on the right side).

Step 8

In the Authentication section, enter the applicable username and password, if the external feed requires authentication.

Step 9

In the Network section, select Use gateway proxy for connection, if the Security Gateway must connect to the external feed through a proxy server.

Step 11

Make sure the Security Gateways can get this feed:

  1. Click Test Feed.

  2. From the Select gateway drop-down menu, select the applicable Security Gateway.

  3. Click Test Feed.

  4. Click Close.

Note - The Select gateway menu does not show Virtual Switches.

Step 12

Click OK.

The new indicator appears on the Indicators page.

Step 13

Install the Threat Prevention Policy.

Note - The Security Gateways fetch the configured feeds every 30 minutes and enforce them immediately without the need to install a Threat Prevention Policy.

To change the fetching interval:

  1. From the left navigation panel, click Manage & Settings.

  2. In the top middle pane, click Blades.

  3. In the Threat Prevention section, click Advanced Settings.

  4. From the left tree, click External Feed.

  5. Configure the applicable interval.

  6. Click OK.

  7. Install the Threat Prevention Policy.
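Before publishing a Custom CSV feed for the Security Gateway to fetch, it is worth checking that every row declares a type the gateway can load (URL, Domain, IP, hash), that each value is well-formed for that type, that there are no duplicates, and how many patterns the feed carries against the 2 million note above. The following validator is an added example, not Check Point's code; it assumes the column layout name,value,type,confidence,severity,product,comment from the CSV indicator format referenced by sk132193 (an assumption, verify it against your release), and the sample feed is constructed.

```python
import csv
import ipaddress
import re
from urllib.parse import urlparse
# Assumed column layout (not stated on this page): the sk132193 CSV indicator format.
COLUMNS = ["name", "value", "type", "confidence", "severity", "product", "comment"]
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64}
# Constructed sample feed (RFC 5737 test address, .example names), not real indicators.
SAMPLE_FEED = """#name,value,type,confidence,severity,product,comment
bad-ip,203.0.113.7,IP,medium,high,AB,constructed sample
bad-ip-dup,203.0.113.7,IP,medium,high,AB,duplicate of the row above
bad-hash,d41d8cd98f00b204e9800998ecf8427e,MD5,high,critical,AV,constructed sample
typo,203.0.113.999,IP,low,low,AB,not a valid IPv4 address
short,https://bad.example/x,URL,low,low,AB
"""

def value_matches_type(value, kind):  # is the value well-formed for its declared type?
    if kind in HASH_LEN:
        return re.fullmatch(r"[0-9a-fA-F]{%d}" % HASH_LEN[kind], value) is not None
    if kind == "IP":
        try:
            return ipaddress.ip_address(value) is not None
        except ValueError:
            return False
    if kind == "Domain":
        return re.fullmatch(r"([a-z0-9-]{1,63}\.)+[a-z]{2,63}", value, re.I) is not None
    if kind == "URL":
        p = urlparse(value)
        return p.scheme in ("http", "https") and bool(p.netloc)
    return False  # unknown type: reject rather than publish an unparseable row

def validate_feed(text, pattern_limit=2_000_000):  # -> (accepted, [(line_no, reason)])
    accepted, errors, seen = [], [], set()
    for line_no, row in enumerate(csv.reader(text.splitlines()), start=1):
        if not row or row[0].startswith("#"):
            continue  # blank line or header/comment line
        rec = dict(zip(COLUMNS, (c.strip() for c in row)))
        key = (rec.get("type"), rec.get("value", "").lower())
        if len(row) != len(COLUMNS):
            errors.append((line_no, "expected %d columns" % len(COLUMNS)))
        elif not value_matches_type(rec["value"], rec["type"]):
            errors.append((line_no, "value does not match type %s" % rec["type"]))
        elif key in seen:
            errors.append((line_no, "duplicate observable"))
        else:
            seen.add(key)
            accepted.append(rec)
    if len(accepted) > pattern_limit:  # page: above 2M patterns, 50% memory must be free
        errors.append((0, "feed exceeds %d patterns" % pattern_limit))
    return accepted, errors
```

Run it against the feed file before pointing the Feed URL at it; rows reported in the error list are the ones Test Feed would otherwise have to surface on the gateway.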

Limitations