Example: Creating a Dynamic Address Custom Feed and Firewall Policy

As stated earlier, dynamic addresses provide dynamic IP address information to security policies. A dynamic address entry (DAE) is a group of IP addresses, not just a single IP prefix, that can be entered manually or imported from external sources. The DAE feature allows feed-based IP objects to be used in security policies to either deny or allow traffic based on either source or destination IP criteria. For example, a DAE may contain IP addresses for specific domains or for entities that have a common attribute such as a particular undesired location that poses a threat. When the DAE is updated, the changes automatically become part of the security policy. There is no need to manually update the policy; no configuration commit action is required.

Procedure

This topic steps you through a simple example of creating a DAE and associating it with a policy. For complete information in creating firewall policies in Security Director, see Creating Firewall Policies.

  1. Click Configure>Threat Prevention>Feed Sources.

    The Feed Sources page appears.

  2. In the Custom Feeds tab, click Create > Feeds with local files.
  3. Enter DAE_example1 as the name.
  4. Select Dynamic Address from the Feed Type list.
  5. Select the Sky ATP realms from the Realms field.
  6. In the Custom List field, click the plus sign (+) to add individual entries to the custom list.
  7. Add the following IP addresses. See the online help for information on supported formats.
  8. Make sure all entries in the custom list are unchecked and click OK.
  9. Click Configure > Firewall Policy > Policies.

    Note This is example uses simplistic rules to show how to associate a DAE with an allowlist firewall policy. When creating your own firewall policy, you will have to configure the rules that meet your company’s requirements.

  10. Click the plus sign (+) to create a new firewall policy.
  11. Enter dynamic_address_test as the name.
  12. Select All Logging Enabled from the Profile pull-down menu.
  13. Select Device Policy as the Type and select a device from the Device pull-down menu.
  14. Click OK.

    After a few seconds, the dynamic_address_test policy appears in the list.

  15. Click Add Rule next to the dynamic_address_test policy to start the rule wizard.
  16. Enter dynamic_rule as the name and click Next.
  17. In the Source window, select untrust from the Zone pulldown menu and click Select under the Address(es) field.
  18. In the Source Address window, select the Include Specific radio button.
  19. Select DAE_example1 in the left table and click the right arrow to move it to the right table. Then click Next.

    The Source window reappears and DAE_example1 appears in the address(es) field.

  20. In the Destionation window, select trust from the Zone pulldown menu and click Next.
  21. In the Advanced Security window, select permit from the Rule Action pulldown menu and click Next.
  22. In the Rule Options window, click Next to use the default settings.
  23. Click Select in the Address(es) section and click the Include Specifics radio button.
  24. In the Rule Analysis window, select the Analyze the new rule to suggest a placement to avoid anomalies checkbox and click Next.

    After a few seconds, an analysis of your rule appears, including where it should be placed, etc.

  25. Click Finish and then OK to exit the wizard.
  26. In the resulting page, click Save (located near the top of the window.)
  27. Check the checkbox for the dynamic_rule policy and click Publish.

    When you publish rules, the process takes into account the priority and precedence values set on the policy and the order of rules on the device.