Importing External Custom Intelligence Feeds in SmartConsole - Custom Threat Prevention
Custom Intelligence Feeds lets you fetch feeds from a third-party server directly to the Security Gateway
Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. to be enforced by the Anti-Virus Check Point Software Blade on a Security Gateway that uses real-time virus signatures and anomaly-based protections from ThreatCloud to detect and block malware at the Security Gateway before users are affected. Acronym: AV. and Anti-Bot Check Point Software Blade on a Security Gateway that blocks botnet behavior and communication to Command and Control (C&C) centers. Acronyms: AB, ABOT. blades. The Custom Intelligence Feeds feature helps you manage and monitor indicators with minimal operational overhead.
|
|
Note - Starting from R81.20, the Check Point Security Gateway can support at least 2 million patterns/observables for these observable types: URL, Domain, IP addresses, and Hashes. The maximum number of supported patterns/observables is limited by the available memory on the Security Gateway. Before the Security Gateway loads more than 2 million patterns/observables, it checks if 50% of the total memory is free. |
To import an external IoC Feed
Before you start - In SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on., go to the applicable profile > Indicators > Activation > make sure that Enable indicator scanning is selected.
In the SmartConsole main view, go to Security Policies > Threat Prevention > Custom Policy > Custom Policy Tools > Indicators.
|
Step |
Instructions |
||
|---|---|---|---|
|
1 |
Click New and select New IoC Feed. The New IoC Feed configuration window opens. |
||
|
2 |
In the top field, enter a unique object name. |
||
|
3 |
In the Action field, select the applicable action:
|
||
|
4 |
In the Feed URL field, enter the full URL that starts with |
||
|
5 |
From the Format drop-down menu, select the applicable format (see sk132193):
|
||
|
6 |
Expand the Advanced section (click the ^ icon on the right side). |
||
|
7 |
In the Authentication section, enter the applicable username and password, if it is necessary to log in to get the external feed. |
||
|
8 |
Select Use gateway proxy for connection, if the Security Gateway must connect to the external feed through a proxy server. |
||
|
9 |
In the Authentication, enter the applicable username and password, if the external feed requires authentication. |
||
|
10 |
Make sure the Security Gateways can get this feed:
|
||
|
11 |
Click OK. The new indicator appears on the Indicators page. |
||
|
12 |
Install the Threat Prevention Policy. |
|
|
Note - The Security Gateways fetch the configured feeds every 30 minutes and enforce them immediately without the need to install a Threat Prevention Policy. To change the fetching interval:
|
Limitations
-
External Indicators of Compromise (IoC
Indicator of Compromise. Artifact observed on a network or in an operating system that, with high confidence, indicates a computer intrusion. Typical IoCs are virus signatures and IP addresses, MD5 hashes of Malware files, or URLs or domain names of botnet command and control servers. Identified through a process of incident response and computer forensics, intrusion detection systems and anti-virus software can use IoC's to detect future attacks.) added in SmartConsole are supported only on Security Gateways R81 and higher. -
IoC feeds are fetched on all connections and are not affected by Threat Prevention Policy.
-
Policy installation does not fail if a Security Gateway cannot get a feed.
In this case, the Security Gateway generates a control log.