Importing External Custom Intelligence Feeds in SmartConsole
You can import threat indicator feeds from external sources directly to the Security Gateway (a dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources). After you import the feeds for the first time and install policy, the Security Gateway automatically pulls and enforces the indicator file each time the file is updated. The Security Gateway imports the file over HTTP or HTTPS, or by reading from a local file or folder.
Important - You must import the feed files on each Security Gateway and Cluster Member.

| Step | Instructions |
|---|---|
| 1 | Go to the applicable profile > Indicators > Activation and make sure that Enable indicator scanning is selected. |
| 2 | In SmartConsole. |
| 3 | In the bottom left section, click Custom Policy Tools. |
| 4 | Click Indicators. |
| 5 | Click New and select External IOC feed. The Indicator feed configuration window opens. |
| 6 | Enter these details: |
| 7 | In the Authentication section, enter the applicable username and password if the external feed requires authentication. |
| 8 | If the feed is not in Check Point CSV format, click Custom feed settings to adjust it to your needs. See sk132193 for instructions. Custom feed settings are disabled by default. |
| 9 | Configure the settings in Fields to Column number mappings. |
| 10 | Click Test Connectivity to check that the feed can be fetched and parsed. |
| 11 | Click OK. The new indicator shows in the Indicators page. |
| 12 | The defined feeds are fetched every 30 minutes and enforced immediately on the gateway, with no need to install a Policy. To change the fetching interval, go to Manage & Settings > Blades > Threat Prevention > Advanced Settings, go to External Feed, and select the applicable interval. |
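Steps 8 and 9 above map a feed that is not in Check Point CSV format onto the expected fields by column number. The following Python script is an added example (not Check Point's own tooling and not from sk132193) of doing that mapping offline before the gateway fetches the file, so that malformed values, unsupported indicator types and duplicate names are caught and reported rather than silently dropped. The target column layout (UNIQ-NAME, VALUE, TYPE, CONFIDENCE, SEVERITY, PRODUCT, COMMENT), the `#` header line and the accepted value sets are assumptions based on the Check Point custom-indicator format documented in the SK; the vendor feed, its column order and its score-to-confidence rule are constructed for the example.

```python
"""Map a vendor indicator CSV onto the Check Point custom-indicator layout.

Added example, not Check Point code. Column layout, header form and accepted
values are ASSUMED from the Check Point indicator file format (sk132193);
confirm them against the SK before relying on this output in production.
"""
import csv
import io
import ipaddress
import re

# Assumed Check Point layout and value sets (not stated on this page).
CP_HEADER = ["UNIQ-NAME", "VALUE", "TYPE", "CONFIDENCE", "SEVERITY", "PRODUCT", "COMMENT"]

# Normalise common vendor type labels to the assumed Check Point type names.
TYPE_ALIASES = {
    "ip": "IP", "ipv4": "IP", "ip-address": "IP",
    "domain": "Domain", "hostname": "Domain",
    "url": "URL",
    "md5": "MD5", "hash-md5": "MD5",
}

_MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")
_DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)


def _valid_value(ioc_type, value):
    """Reject values the gateway could not sensibly enforce for this type."""
    if ioc_type == "IP":
        try:
            ipaddress.ip_address(value)
            return True
        except ValueError:
            return False
    if ioc_type == "MD5":
        return bool(_MD5_RE.match(value))
    if ioc_type == "Domain":
        return bool(_DOMAIN_RE.match(value))
    if ioc_type == "URL":
        return value.startswith(("http://", "https://")) and " " not in value
    return False


def _confidence_from_score(score):
    """Constructed rule: vendor score 0-100 -> Low / Medium / High."""
    try:
        n = float(score)
    except ValueError:
        return None
    return "High" if n >= 80 else "Medium" if n >= 50 else "Low"


def convert_feed(raw_csv, mapping, skip_header=True, severity="Medium", product="AV"):
    """Apply a field -> 0-based column-number mapping to a vendor CSV.

    Returns (checkpoint_csv_text, rejected) where rejected is a list of
    (line_number, reason) so feed problems are visible before the gateway
    pulls the file. Severity and product are constants here because the
    constructed vendor feed does not carry them.
    """
    rows = list(csv.reader(io.StringIO(raw_csv)))
    first_line = 1
    if skip_header and rows:
        rows, first_line = rows[1:], 2
    out = io.StringIO()
    out.write("#" + ",".join(CP_HEADER) + "\n")
    seen, rejected = set(), []
    for lineno, row in enumerate(rows, start=first_line):
        if not row or row[0].startswith("#"):
            continue
        try:
            name = row[mapping["UNIQ-NAME"]].strip()
            raw_type = row[mapping["TYPE"]].strip().lower()
            value = row[mapping["VALUE"]].strip()
            score = row[mapping["CONFIDENCE"]].strip()
            comment = row[mapping["COMMENT"]].strip() if "COMMENT" in mapping else ""
        except IndexError:
            rejected.append((lineno, "too few columns"))
            continue
        ioc_type = TYPE_ALIASES.get(raw_type)
        if ioc_type is None:
            rejected.append((lineno, f"unsupported type {raw_type!r}"))
            continue
        if not _valid_value(ioc_type, value):
            rejected.append((lineno, f"invalid {ioc_type} value {value!r}"))
            continue
        confidence = _confidence_from_score(score)
        if confidence is None:
            rejected.append((lineno, f"bad score {score!r}"))
            continue
        if name in seen:
            rejected.append((lineno, f"duplicate UNIQ-NAME {name!r}"))
            continue
        seen.add(name)
        comment = comment.replace(",", ";")  # keep the 7-column layout intact
        out.write(",".join([name, value, ioc_type, confidence, severity, product, comment]) + "\n")
    return out.getvalue(), rejected


# Constructed vendor feed (id, category, observable, score, notes); not a real feed.
SAMPLE_FEED = """id,category,observable,score,notes
vnd-1,ipv4,203.0.113.10,95,"C2 beacon, seen twice"
vnd-2,domain,bad.example.net,60,phishing landing page
vnd-3,md5,d41d8cd98f00b204e9800998ecf8427e,85,empty-file hash
vnd-4,ipv4,999.1.1.1,90,malformed address
vnd-5,sha256,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,90,unsupported type
vnd-1,url,http://bad.example.net/x,70,duplicate name
"""
# The mapping plays the role of the "Fields to Column number mappings" step.
SAMPLE_MAPPING = {"UNIQ-NAME": 0, "TYPE": 1, "VALUE": 2, "CONFIDENCE": 3, "COMMENT": 4}

if __name__ == "__main__":
    text, rejected = convert_feed(SAMPLE_FEED, SAMPLE_MAPPING)
    print(text)
    for lineno, reason in rejected:
        print(f"line {lineno}: rejected ({reason})")
```

Running the script prints three converted rows and three rejections (a malformed IP, an unsupported hash type, and a reused UNIQ-NAME). Because the gateway re-fetches the file on its own schedule, running a check like this in the pipeline that publishes the feed keeps a bad vendor export from replacing a good indicator set on every gateway at once.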
Limitations
- External Indicators of Compromise (IoC; an artifact such as a malware file hash, IP address, URL or domain name that with high confidence indicates an intrusion) added in SmartConsole are supported only on Security Gateways R81 and higher.
- IoC feeds are fetched on all connections and are not affected by the Threat Prevention Policy.
- Policy installation does not fail if a feed is inaccessible. In this case, the Security Gateway only generates a control log, which you can see in the Logs view.