Check Point Guide

Use this guide to integrate Cybora with Check Point using External IoC feeds in SmartConsole. This native workflow lets the Security Gateway fetch observables directly from your feed URL and enforce them through Threat Prevention.

What Check Point can do with a Cybora feed

  • Check Point can import external feeds containing IPs, domains, URLs, and other supported observables.
  • The imported feed can be enforced through the Threat Prevention engines documented by Check Point.
  • You can run the feed in detect mode first or switch directly to prevent mode for active blocking.
  • Gateways fetch external feeds on a recurring interval and enforce updates automatically after the feed is in place.

Before you start

  • Use Security Gateways on R81 or later for external IoC feeds added in SmartConsole.
  • Make sure Threat Prevention is enabled and that indicator scanning is activated in the applicable profile before you create the feed.
  • Ensure that the relevant gateways can reach the Cybora feed URL over HTTP or HTTPS.
  • Decide whether you want an initial detect-only rollout or direct prevention.

Create the external IoC feed

  1. In SmartConsole, go to Security Policies > Threat Prevention > Custom Policy > Custom Policy Tools > Indicators.
  2. Click New and select New IoC Feed or External IoC Feed, depending on the release.
  3. Enter a clear object name.
  4. Set the action. Detect is useful for an initial validation phase. Prevent is the better choice when you want the feed to actively block matching indicators from the start.
  5. Paste the full Cybora feed URL into Feed URL.
  6. Select the feed format that matches your feed and your Check Point parsing workflow.
  7. Configure authentication only if your feed requires it.
  8. Use Test Feed or Test Connectivity with an applicable gateway to confirm that the gateway can reach the feed.
  9. Save the object and install the Threat Prevention Policy.
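Before you paste the feed URL (step 5) and pick its format (step 6), it is worth checking the feed content offline, because a single malformed row or a type that does not match its value can make the gateway reject the whole import, which then shows up only as a failed feed test. The script below is an added example, not Cybora's or Check Point's code. It assumes the Check Point CSV indicator layout (`#UNIQ-NAME,VALUE,TYPE,CONFIDENCE,SEVERITY,PRODUCT,COMMENT`) and the allowed confidence, severity and product values listed in the code; confirm both against the Check Point documentation for your release. The feed rows embedded in it are constructed sample data.

```python
"""Offline pre-flight check for an indicator feed before a Check Point gateway fetches it.

Added example. Assumed (verify for your release): the CSV column order below,
a leading header line that starts with '#', and the value sets for the
CONFIDENCE, SEVERITY and PRODUCT columns.
"""
import csv
import ipaddress
import re
from urllib.parse import urlparse

# Assumed Check Point indicator CSV column order.
COLUMNS = ["UNIQ-NAME", "VALUE", "TYPE", "CONFIDENCE", "SEVERITY", "PRODUCT", "COMMENT"]
VALID_CONFIDENCE = {"low", "medium", "high"}            # assumed
VALID_SEVERITY = {"low", "medium", "high", "critical"}  # assumed
VALID_PRODUCT = {"AV", "AB"}                            # assumed: Anti-Virus / Anti-Bot

DOMAIN_RE = re.compile(r"^(?!-)(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)
MD5_RE = re.compile(r"^[0-9a-f]{32}$", re.I)

# Constructed sample feed: four good rows and three deliberately bad ones.
SAMPLE_FEED = "\n".join([
    "#UNIQ-NAME,VALUE,TYPE,CONFIDENCE,SEVERITY,PRODUCT,COMMENT",
    "ioc-0001,203.0.113.10,IP,high,high,AV,constructed sample",
    "ioc-0002,malicious.example,Domain,medium,high,AV,constructed sample",
    "ioc-0003,http://malicious.example/payload,URL,high,critical,AV,constructed sample",
    "ioc-0004,not an ip,IP,high,high,AV,value does not parse as an IP",
    "ioc-0001,198.51.100.7,IP,low,low,AV,duplicate UNIQ-NAME",
    "ioc-0005,d41d8cd98f00b204e9800998ecf8427e,MD5,high,medium,AV,constructed sample",
    "ioc-0006,198.51.100.9,IP,bogus,high,AV,unknown confidence value",
])


def _value_ok(ioc_type, value):
    """Return True when `value` is syntactically valid for the declared TYPE."""
    t = ioc_type.lower()
    if t == "ip":
        try:
            ipaddress.ip_address(value)
            return True
        except ValueError:
            return False
    if t == "domain":
        return bool(DOMAIN_RE.match(value))
    if t == "url":
        parsed = urlparse(value)
        return parsed.scheme in ("http", "https") and bool(parsed.netloc)
    if t == "md5":
        return bool(MD5_RE.match(value))
    return False  # unknown TYPE: reject rather than guess


def validate_feed(text):
    """Parse feed text; return (accepted_rows, errors) with errors as (line_no, message)."""
    accepted, errors, seen_names = [], [], set()
    for line_no, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip() or raw.startswith("#"):
            continue  # blank line or header comment
        fields = next(csv.reader([raw]))
        if len(fields) != len(COLUMNS):
            errors.append((line_no, f"expected {len(COLUMNS)} fields, got {len(fields)}"))
            continue
        row = dict(zip(COLUMNS, (f.strip() for f in fields)))
        if row["UNIQ-NAME"] in seen_names:
            errors.append((line_no, f"duplicate UNIQ-NAME {row['UNIQ-NAME']!r}"))
            continue
        if not _value_ok(row["TYPE"], row["VALUE"]):
            errors.append((line_no, f"{row['VALUE']!r} is not a valid {row['TYPE']}"))
            continue
        if row["CONFIDENCE"].lower() not in VALID_CONFIDENCE:
            errors.append((line_no, f"unknown CONFIDENCE {row['CONFIDENCE']!r}"))
            continue
        if row["SEVERITY"].lower() not in VALID_SEVERITY:
            errors.append((line_no, f"unknown SEVERITY {row['SEVERITY']!r}"))
            continue
        if row["PRODUCT"] not in VALID_PRODUCT:
            errors.append((line_no, f"unknown PRODUCT {row['PRODUCT']!r}"))
            continue
        seen_names.add(row["UNIQ-NAME"])
        accepted.append(row)
    return accepted, errors


if __name__ == "__main__":
    good, bad = validate_feed(SAMPLE_FEED)
    print(f"{len(good)} rows accepted, {len(bad)} rejected")
    for line_no, message in bad:
        print(f"  line {line_no}: {message}")
```

Run it against a copy of the live feed (for example the output of a `curl` of the feed URL) before the SmartConsole feed test, and fix or drop any rejected rows at the source; the gateway-side test in step 8 only tells you whether the fetch worked, not which row broke the import.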

Refresh behavior and policy use

  • Check Point documents that gateways fetch configured external feeds every 30 minutes by default.
  • You can change the fetching interval in Manage & Settings > Blades > Threat Prevention > Advanced Settings > External Feed.
  • Set the interval so it stays within your Cybora plan. Only one request is permitted within the allowed interval, and excessive polling may cause the feed to be blocked.
  • After the feed is configured, gateways enforce updates immediately without needing another Threat Prevention Policy install for each feed refresh.

Validation

  1. Confirm that the feed test succeeds from the intended gateway.
  2. Verify that indicator scanning is enabled in the applicable Threat Prevention profile.
  3. Review Threat Prevention logs to confirm detect or prevent actions on matching observables.
  4. If a gateway cannot retrieve the feed, review the control logs and connectivity path to the feed URL.

Further reading