¶ External List Integration - Checkpoint Firewall
Check Point Firewall supports integration of external threat intelligence lists to enhance real-time protection. It allows importing IOCs such as IPs, domains, and URLs from trusted sources using supported formats like CSV or TXT.
¶ Prerequisites:
¶ 1. Software Versions:
- Security Management Server (SMS): Should be running R81 or higher to utilize the SmartConsole GUI for IOC feed integration.
- Security Gateways: While gateways can be on R80.40 or higher, optimal compatibility is achieved with R81 or above.
¶ 2. Enabled Blades:
- Ensure that the Threat Prevention blade is active on both the SMS and the Security Gateways. Check Point CheckMates
¶ 3. Network Accessibility:
- The Security Gateways must have network access to the external feed source, typically over HTTP or HTTPS.
¶ Requirements:
¶ 1. Supported IOC Types:
Check Point supports various IOC types, including:
- IP Addresses
- Domains
- URLs
- File Hashes (MD5, SHA1, SHA256)
- Email Addresses
- Custom Snort Rules
¶ 2. Feed Formats:
Accepted formats for external feeds include:
- Check Point CSV Format (.csv)
- Custom CSV Format (.csv)
- STIX 1.x XML Format (.xml)
- Snort Format (.txt)
While the file extension can be .txt, the content must conform to one of the supported formats. For instance, a .txt file containing indicators in a structured format, such as a list of IP addresses or domains, can be used as a Custom CSV feed. In this case, you would specify the appropriate parsing settings during feed configuration
¶ 3. Feed Hosting:
- Feeds should be hosted on a server accessible via HTTP or HTTPS.
- Authentication can be configured if the feed requires it.
¶ Configuration Steps:
¶ 1. Access SmartConsole:
- Launch SmartConsole and connect to your Security Management Server.
¶ 2. Navigate to Indicators:
- Go to Security Policies > Threat Prevention > Custom Policy Tools > Indicators.
¶ 3. Add New IOC Feed:
- Click on New and select External IOC Feed.
¶ 4. Configure Feed Details:
-
Name: Assign a unique name to the feed.
-
Feed URL: Enter the full URL (starting with http:// or https://) of the external feed.
- To access cybercheck360 List Export section -> Export-LIST
- To access Cybercheck360 EDL Export section -> Export-EDL -
Action: Choose the desired action:
- Prevent: Block traffic matching the indicators.
- Detect: Log traffic matching the indicators without blocking.
- Inactive: Disable the feed. -
Authentication: If required, enter the username and password for the feed.
-
Proxy Settings: Configure if the feed access requires a proxy.
¶ 5. Test Connectivity:
- Use the Test Connectivity option to ensure the feed is reachable and correctly configured.
¶ 6. Save and Install Policy:
- Click OK to save the feed configuration.
- Install the Threat Prevention policy to apply the changes.
¶ Limitations:
¶ Feed Size:
- While Check Point does not specify a strict limit, it's advisable to keep the number of indicators manageable to avoid performance degradation.
¶ Update Interval:
- By default, feeds are fetched every 30 minutes. This interval can be adjusted via the CLI using the ioc_feeds set_interval command.
¶ Memory Usage:
- Before loading more than 2 million patterns, the system checks if at least 50% of the total memory is free to prevent resource exhaustion.
¶ Version Compatibility:
- Some features, like feed authentication and Snort rule integration, require specific versions (e.g., R81.20 or higher).
¶ Official Documentation:
For detailed information and further guidance, refer to the following official Check Point documentation:
-
Importing External Custom Intelligence Feeds in SmartConsole:
https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_ThreatPrevention_AdminGuide/Topics-TPG/Importing-External-Custom-Intelligence-Feeds-in-SmartConsole.htm -
Custom Intelligence Feeds Feature Overview:
https://support.checkpoint.com/results/sk/sk132193