
Creating Custom Feeds, Infected Host

To access this page, click Configure>Threat Prevention>Custom Feeds.

Before You Begin

Note: When you have no Sky ATP Configuration Type selected (No selection), Sky ATP realms are disabled. Because site selection is usually done from the Sky ATP realm page, you must select sites from the Custom Feed - Infected Hosts page when in “No selection” mode. The custom feeds are then downloaded to the devices in the chosen sites. This is the only time site selection is available in the Custom Feeds - Infected Hosts page.

Procedure

To create local file and remote file custom feeds:

  1. Select Configure>Threat Prevention>Custom Feeds.
  2. Select the Infected Host tab.

    Note: When Sky ATP only is selected as the Threat Prevention Type, the infected host custom feed is not available.

  3. Click Create and select one of the following:
    • Feeds with local files—This is data you enter manually into the provided fields or upload from a text file on your local machine. See Table 236 for details.

    • Feeds with remote file server—This is a data feed from a remote server. Configure communication with the remote server using instructions in Table 237.

  4. Complete the configuration by using the guidelines in Table 236 or Table 237.
  5. Click OK. Your entry is added to the custom list displayed at the bottom of the page.

Note: To use a custom feed, apply it to the source or destination address in a firewall rule. In the firewall rule, you can filter addresses to show Infected Hosts, Dynamic Addresses, Whitelists and Blacklists.

Use the fields in Table 236 to add custom feeds.

Table 325: Fields on the Custom Feeds Page, Feeds with Local Files

Field

Description

Name

Enter a unique string that must begin with an alphanumeric character and can include colons, periods, dashes, and underscores; no spaces allowed; 63-character maximum.

Description

Enter a description for your custom feed; maximum length is 1,024 characters. You should make this description as useful as possible for all administrators.

Sites

Select the required sites from the list to associate them with the infected feeds.

In the default mode (no Sky ATP), only sites are listed because Sky ATP is not in use. You cannot share the same site across the same feed type. However, you can share a site across different feed types.

Realms

If you are in Cloud feeds only or SDSN with Sky ATP only mode, select the required realms from the list and associate them with dynamic address or whitelists and blacklists feeds.

You cannot share the same realm across the same feed type. However, you can share a realm across different feed types.

When you create a Sky ATP realm without assigning any sites to it, that realm is not listed here. Only realms with associated sites are listed here.

Custom List

Do one of the following:

  • Click Upload File to upload a text file with an IP address list. The uploaded file must have the string add at the beginning, followed by the IP addresses. If you want to delete certain IP addresses, enter the string delete followed by the IP addresses to delete.

    Click the Add button to include the address list in your custom list.

    Note that the file must contain only one item per line (no commas or semicolons). All items are validated before being added to the custom list.

  • Manually enter your item in the space provided in the Custom List section. To add more items, click + to add more spaces.

    For syntax, enter an IPv4 address in standard four-octet format. CIDR notation and IP address ranges are also accepted. Any of the following formats are valid: 1.2.3.4, 1.2.3.4/30, or 1.2.3.4-1.2.3.6.
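
A pre-upload check for the Name and Custom List rules described above, as an added example that is not part of the original page or of Juniper's software. It assumes the add and delete keywords each sit on their own line and that a range must run from low to high; the function names and the sample file are constructed for illustration.

```python
import ipaddress
import re

# Name field rule: alphanumeric first, then alphanumerics, colons, periods, dashes, underscores; 63 max.
NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9:._-]{0,62}")

# Constructed sample upload file (documentation-range addresses); line 5 breaks the one-item-per-line rule.
SAMPLE = """add
192.0.2.10
192.0.2.5/30
198.51.100.1-198.51.100.6
203.0.113.5, 203.0.113.6
delete
192.0.2.99
"""

def valid_feed_name(name):
    return NAME_RE.fullmatch(name) is not None

def valid_item(item):
    """Accept a plain IPv4 address, CIDR notation, or a low-high range."""
    try:
        if "-" in item:
            low, high = (ipaddress.IPv4Address(p) for p in item.split("-", 1))
            return low <= high  # assumed: a reversed range is rejected
        # strict=False because the page lists 1.2.3.4/30 (host bits set) as valid.
        ipaddress.IPv4Network(item, strict=False)
        return True
    except ValueError:
        return False

def lint_feed_file(text):
    """Return (adds, deletes, errors); errors are (line number, message) pairs."""
    adds, deletes, errors = [], [], []
    target = None
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if target is None and line != "add":
            errors.append((lineno, "file must begin with the string add"))
            break
        if line in ("add", "delete"):  # assumed: keyword alone on its line
            target = adds if line == "add" else deletes
        elif valid_item(line):
            target.append(line)
        else:
            errors.append((lineno, f"not a valid IPv4 item: {line!r}"))
    return adds, deletes, errors
```

Running lint_feed_file(SAMPLE) reports line 5 as an error, because a comma-separated pair is not a single item.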

Table 326: Fields on the Custom Feeds Page, Feeds with Remote File Server

Field

Description

Name

Enter a unique string that must begin with an alphanumeric character and can include colons, periods, dashes, and underscores; no spaces allowed; 63-character maximum.

Description

Enter a description for your custom feed; maximum length is 1,024 characters. You should make this description as useful as possible for all administrators.

Type of Server URL

Select one of the following:

  • http

  • https

Server File URL

Enter the URL for the remote file server.

Certificate Upload

Click Browse and select the CA certificate to upload.

If you do not upload a certificate for an https server URL, a warning message states that no certificate has been uploaded and asks whether to proceed. Click Yes to proceed without uploading a certificate, or No to go back and upload the certificate.

Username

Enter the credentials for the remote file server.

Password

Enter the credentials for the remote file server.

Update Interval

Select how often updates are retrieved from the remote file server: Hourly, Daily, Weekly, Monthly, or Never.

You can create only a single infected host feed. To create another infected host feed, you must first delete the existing feed and then create a new one.

If you try to disenroll a site in an infected host feed, a warning message prompts you to resolve all current infected hosts from the respective endpoints within the site. To resolve the infected hosts, log in to the Sky ATP UI, resolve the hosts, and then unassign sites from Policy Enforcer. Ensure that you always resolve the infected hosts before unassigning sites. Once you unassign sites, you cannot resolve the hosts.
