Importing External Custom Intelligence Feeds in SmartConsole

In SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on., go to the applicable Threat Prevention profile > Indicators > Activation > make sure that Enable indicator scanning is selected.

Click New and select New IoC Feed.

The New IoC Feed configuration window opens.

In the Action field, select the applicable action:

For the Check Point / STIX or custom CSV formats, select one of these actions:

• Prevent - Threat Prevention Software Blades block the detected observable.

• Detect - Threat Prevention Software Blades create a log, and lets the detected observable go through.

• Inactive - Disables this feed (Security Gateways ignore it).

For the Snort format, select one of these actions:

• According to Profile - Enforcement of the feed according to profile settings.

• Inactive - Disables this feed (Security Gateways ignore it).

From the Format drop-down menu, select the applicable format (see sk132193):

• Check Point format/STIX - Configure the applicable feed parsing settings.

• Custom CSV - Configure the applicable feed parsing settings.

• Snort - Configure the applicable feed parsing settings.
  To use the Snort format, you must first:

  1. Enable the IPS Check Point Software Blade on a Security Gateway that inspects and analyzes packets and data for numerous types of risks (Intrusion Prevention System). Software Blade Specific security solution (module): (1) On a Security Gateway, each Software Blade inspects specific characteristics of the traffic (2) On a Management Server, each Software Blade enables different management capabilities..

  2. Install the Threat Prevention policy.

  Configure these settings:

  • In Ignore lines with prefix - Use the default prefix or define a different one.

  • Enter the feed's Performance, Severity and Confidence levels. These definitions determine the profile action, which is then applied to the feed. For example, if you set the feed's severity as high, and the profile is configured to prevent high-severity threats, the traffic will be blocked.

In the Authentication section, enter the applicable username and password, if the external feed requires authentication.

Make sure the Security Gateways can get this feed:

1. Click Test Feed.

2. From the Select the Security Gateway drop-down menu, select the applicable Security Gateway or Security Cluster Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing..

   Note - Starting from R82 Jumbo Hotfix Accumulator Take 103, you can test the feed on all individual Cluster Members or on the cluster virtual IP address. This feature is available for all clusters types except VSX Virtual System Extension. Check Point virtual networking solution, hosted on a computer or cluster with virtual abstractions of Check Point Security Gateways and other network devices. These Virtual Devices provide the same functionality as their physical counterparts. Cluster.

3. Click Test Feed.

4. Click Close.

The Security Gateway fetches the configured feeds every 30 minutes and enforce them immediately.

To change the fetching interval:

1. From the left navigation panel, click Manage & Settings. > Blades > Threat Prevention > Advanced Settings.

2. From the left tree, click External Feed.

3. Configure the applicable interval.

4. Click OK.