Creating Custom Feeds, Dynamic, Black and White
To access this page, click Configure>Threat Prevention>Custom Feeds.
You can create custom feeds from the Custom Feeds page.
Know what type of feed you are configuring and have all the necessary information on hand. For example, for custom feeds from a file server, you must have the file server URL and a valid user name and password for the file server. Local feeds are created on your local system and uploaded from there.
To use a custom feed, apply it to the source or destination address in a firewall rule. In the firewall rule, you can filter addresses to show Dynamic Addresses.
For creating an Infected Host custom feed, see Creating Custom Feeds, Infected Host.
To create local file and remote file custom feeds:
- Select Configure>Threat Prevention>Custom Feeds.
- Select one of the following feed types.
Table 1: Custom Feed Categories
Feed Category | Definition |
---|---|
Dynamic Address | A dynamic address entry provides dynamic IP address information to security policies. A dynamic address is a group of IP addresses, not just a single IP prefix, that can be imported from external sources. These IP addresses are for specific domains or for entities that have a common attribute such as a particular undesired location that poses a threat. You can then configure security policies to use the dynamic addresses. You can use custom feeds while configuring the firewall policy. For information on how to create dynamic addresses, see: Creating Dynamic Address Groups. Note: You can create multiple custom feeds for all types of feed categories. |
Allowlist | An allowlist contains known trusted IP addresses, URLs, and domains. Content downloaded from locations on the allowlist does not have to be inspected for malware. |
Blocklist | A blocklist contains known untrusted IP addresses, URLs, and domains. Access to locations on the blocklist is blocked, and therefore no content can be downloaded from those sites. |
Infected Host | Infected hosts are hosts known to be compromised. Enter host IP addresses manually or upload a text file with the IP addresses of infected hosts. See Creating Custom Feeds, Infected Host for configuration details. |
DDoS | Using the DDoS threat feed, Policy Enforcer blocks source IP addresses in the feed, rate limits the traffic from the source IP addresses, and takes BGP Flowspec action to blackhole or redirect the traffic to scrubbing centers. See Creating Custom Feeds, DDoS and Creating Threat Prevention Policies. |
Note: The Days to Become Inactive field shows the number of days until the custom feed expires or becomes inactive. Every feed is active for 30 days, calculated from the last updated date. Whenever you update a feed, the 30 days are counted again from that date.
Once the Days to Become Inactive field reaches zero, the feed becomes inactive and cannot be used. You must update the feed again to make it active.
- Click Create and select one of the following:
  - Feeds with local files—This is data you enter manually into the provided fields or upload from a text file on your local machine. See Table 2 for details.
  - Feeds with remote file server—This is a data feed from a remote server. Configure communication with the remote server using instructions in Table 3.
- Complete the configuration by using the guidelines in Table 2 or Table 3.
- Click OK. Your entry is added to the custom list displayed at the bottom of the page.
To use a custom feed, apply it to the source or destination address in a firewall rule. In the firewall rule, you can filter addresses to show Dynamic Addresses.
Use the fields in Table 2 to add custom feeds.
Table 2: Fields on the Custom Feeds Page, Feeds with Local Files
Field | Description |
---|---|
Name | Enter a unique string that must begin with an alphanumeric character and can include colons, periods, dashes, and underscores; no spaces allowed; 63-character maximum. |
Description | Enter a description for your custom feed; maximum length is 1,024 characters. You should make this description as useful as possible for all administrators. |
Feed Type | Select one of the following:
Note: For Dynamic Address, you can only select IP, Subnet, and Range. For Blocklists and Allowlist, all feed types are available for selection. |
Sites | Select the required sites from the list to associate them with the dynamic address, allowlist, or blocklist feeds. In the default mode (no Sky ATP), only sites are listed. For Dynamic Address feeds only, you can share the same site across other Dynamic Address feeds and also across different feeds. For allowlist and blocklist feeds, you cannot share the same site across the same feed type. However, you can share the same site across different feed types. |
Realms | Select the required realms from the list if you are in Sky ATP only, Cloud feeds only, or SDSN with Sky ATP only mode, and associate them with the dynamic address, allowlist, or blocklist feeds. For Dynamic Address feeds only, you can share the same realm within the same feed and also across different feeds. For allowlist and blocklist feeds, you cannot share the same realm across the same feed type. However, you can share the same realm across different feed types. If you create a Sky ATP realm without assigning any sites to it, that realm is not listed here. Only realms with sites associated are listed here. |
Custom List | Do one of the following:
|
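The following pre-upload check is an added example, not part of the product or its documentation. It lints a local Dynamic Address feed file against the Name rule and the IP, Subnet, and Range restriction in Table 2, and computes Days to Become Inactive from the 30-day rule. Assumptions: one entry per line, ranges written as `start-end`, IPv6 literals are accepted by this parser, and the countdown uses whole calendar days.

```python
import ipaddress
import re
from datetime import date

# Name rule from Table 2: begins with an alphanumeric character; colons,
# periods, dashes, underscores allowed; no spaces; 63 characters maximum.
NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9:._-]{0,62}")
ACTIVE_DAYS = 30  # "Every feed is active for 30 days"

def classify_entry(entry):
    """Return 'IP', 'Subnet' or 'Range'; raise ValueError for anything else."""
    if "-" in entry:  # assumed range syntax: start-end
        start, end = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        if start.version != end.version or start > end:
            raise ValueError("range start must not exceed range end")
        return "Range"
    if "/" in entry:
        ipaddress.ip_network(entry, strict=True)  # rejects host bits set
        return "Subnet"
    ipaddress.ip_address(entry)  # URLs and domains fail here
    return "IP"

def lint_feed(name, text):
    """Return (entries, errors) for a Dynamic Address feed file."""
    entries, errors, seen = [], [], set()
    if not NAME_RE.fullmatch(name):
        errors.append(f"invalid feed name: {name!r}")
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.strip()
        if not entry:
            continue
        try:
            kind = classify_entry(entry)
        except ValueError as exc:
            errors.append(f"line {lineno}: {entry!r}: {exc}")
            continue
        if entry in seen:
            errors.append(f"line {lineno}: duplicate entry {entry!r}")
            continue
        seen.add(entry)
        entries.append((kind, entry))
    return entries, errors

def days_to_become_inactive(last_updated, today):
    # Assumed whole-day arithmetic; the value never drops below zero.
    return max(0, ACTIVE_DAYS - (today - last_updated).days)

# Constructed sample input (documentation address ranges only).
SAMPLE = "\n".join(["192.0.2.10", "198.51.100.0/24", "203.0.113.5-203.0.113.20",
                    "203.0.113.20-203.0.113.5", "bad.example.com", "192.0.2.10"])
if __name__ == "__main__":
    print(lint_feed("edge-feed_01", SAMPLE))
    print(days_to_become_inactive(date(2024, 1, 1), date(2024, 1, 11)))
```

Running the lint before each upload keeps malformed or non-IP lines out of a feed that a firewall rule consumes as a source or destination address.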
Table 3: Fields on the Custom Feeds Page, Feeds with Remote File Server
Field | Description |
---|---|
Name | Enter a unique string that must begin with an alphanumeric character and can include colons, periods, dashes, and underscores; no spaces allowed; 63-character maximum. |
Description | Enter a description for your custom feed; maximum length is 1,024 characters. You should make this description as useful as possible for all administrators. |
Feed Type | Select one of the following:
|
Type of Server URL | Select one of the following:
|
Server File URL | Enter the URL for the remote file server. |
Certificate Upload | Click Browse and select the CA certificate to upload. If you do not upload a certificate for an HTTPS server URL, a warning message states that no certificate has been uploaded and asks whether to proceed. Click Yes to proceed without uploading a certificate, or No to go back and upload the certificate. |
Username | Enter the credentials for the remote file server. This is not a mandatory field. You can still proceed to create a custom feed without entering the username. |
Password | Enter the credentials for the remote file server. This field is mandatory if you have provided the username. |
Update Interval | Select how often updates are retrieved from the remote file server: Hourly, Daily, Weekly, Monthly, Never |