To access this page, click Configure > Threat Prevention > Custom Feeds.
Note that infected hosts are hosts known to be compromised. For an infected host custom feed, enter host IP addresses manually or upload a text file with the IP addresses of infected hosts.
If you create a custom infected hosts feed, it overrides the Sky ATP infected hosts feed.
To use a custom feed, apply it to the source or destination address in a firewall rule. In the firewall rule, you can filter addresses to show custom feed types, including infected hosts.
Note that when Sky ATP only mode is selected as the Threat Prevention Type, the infected host custom feed is not available.
For creating other custom feed types, see Creating Custom Feeds: Dynamic Address, Whitelist and Blacklist.
Note: When you have no Sky ATP Configuration Type selected (No selection), Sky ATP realms are disabled. Because site selection is usually done from the Sky ATP realm page, you must select sites from the Custom Feed - Infected Hosts page when in “No selection” mode. The custom feeds are then downloaded to the devices in the chosen sites. This is the only time site selection is available in the Custom Feeds - Infected Hosts page.
To create local file and remote file custom feeds:
Note: When Sky ATP only is selected as the Threat Prevention Type, the infected host custom feed is not available.
Feeds with local files—This is data you enter manually into the provided fields or upload from a text file on your local machine. See Table 236 for details.
Feeds with remote file server—This is a data feed from a remote server. Configure communication with the remote server using instructions in Table 237.
Note: To use a custom feed, apply it to the source or destination address in a firewall rule. In the firewall rule, you can filter addresses to show Infected Hosts, Dynamic Addresses, Whitelists and Blacklists.
Use the fields in Table 236 to add custom feeds.
Table 325: Fields on the Custom Feeds Page, Feeds with Local Files
Field | Description |
---|---|
Name | Enter a unique string that must begin with an alphanumeric character and can include colons, periods, dashes, and underscores; no spaces allowed; 63-character maximum. |
Description | Enter a description for your custom feed; maximum length is 1,024 characters. You should make this description as useful as possible for all administrators. |
Sites | Select the required sites from the list to associate them with the infected host feeds. In the default mode (no Sky ATP), only sites are listed because there is no Sky ATP. You cannot share the same site across the same feed type. However, you can share a site across different feed types. |
Realms | Select the required realms from the list if you are in Cloud feeds only, or SDSN with Sky ATP only mode, and associate them with dynamic address or whitelist and blacklist feeds. You cannot share the same realm across the same feed type. However, you can share a realm across different feed types. When you create a Sky ATP realm, if you do not assign any sites to it, that realm is not listed here. Only realms with sites associated are listed here. |
Custom List | Do one of the following: |
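Before uploading a text file for a local-file infected hosts feed, it helps to check the feed name and the address list offline, because the custom feed overrides the Sky ATP infected hosts feed and is applied in firewall rules. The following Python script is an added example, not part of the product or its documentation. It assumes an ASCII name, one address per line in the file, and that both IPv4 and IPv6 host addresses are acceptable; the page states none of these.

```python
import ipaddress
import re

# Name rule from the "Name" field: begins with an alphanumeric character, may
# include colons, periods, dashes and underscores, no spaces, 63 characters max.
# Assumption: "alphanumeric" means ASCII letters and digits.
NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9:._-]{0,62}")


def valid_feed_name(name):
    return NAME_RE.fullmatch(name) is not None


def clean_host_list(text):
    """Return (accepted, rejected) for a one-address-per-line list (assumed format)."""
    accepted, rejected, seen = [], [], set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.strip()
        if not entry:
            continue
        try:
            ip = ipaddress.ip_address(entry)  # rejects CIDR ranges and typos
        except ValueError:
            rejected.append((lineno, entry, "not a host IP address"))
            continue
        if ip.is_unspecified or ip.is_loopback or ip.is_multicast or ip.is_link_local:
            rejected.append((lineno, entry, "not a routable host address"))
        elif ip in seen:
            rejected.append((lineno, entry, "duplicate"))
        else:
            seen.add(ip)
            accepted.append(str(ip))
    return accepted, rejected


# Constructed sample input using documentation address ranges, not real indicators.
SAMPLE = """\
192.0.2.15
 198.51.100.7
192.0.2.15
10.0.0.0/24
0.0.0.0
203.0.113.300
2001:db8::1
"""

if __name__ == "__main__":
    ok, bad = clean_host_list(SAMPLE)
    print("\n".join(ok))
    for lineno, entry, why in bad:
        print(f"line {lineno}: {entry!r} rejected ({why})")
```

Review the rejected lines before upload; a subnet or a mistyped address in an infected hosts list would otherwise be lost or misapplied without notice.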
Table 326: Fields on the Custom Feeds Page, Feeds with Remote File Server
Field | Description |
---|---|
Name | Enter a unique string that must begin with an alphanumeric character and can include colons, periods, dashes, and underscores; no spaces allowed; 63-character maximum. |
Description | Enter a description for your custom feed; maximum length is 1,024 characters. You should make this description as useful as possible for all administrators. |
Type of Server URL | Select one of the following: |
Server File URL | Enter the URL for the remote file server. |
Certificate Upload | Click Browse and select the CA certificate to upload. If you do not upload a certificate for an HTTPS server URL, a warning message states that no certificate has been uploaded and asks whether to proceed. Click Yes to proceed without uploading a certificate, or No to go back and upload the certificate. |
Username | Enter the credentials for the remote file server. |
Password | Enter the credentials for the remote file server. |
Update Interval | Select how often updates are retrieved from the remote file server: Hourly, Daily, Weekly, Monthly, Never |
You can create only a single infected host feed. If you want to create another infected host feed, you must first delete the existing feed and then create a new one.
If you try to disenroll a site in an infected host feed, a warning message prompts you to resolve all current infected hosts on the respective endpoints within the site. To resolve the infected hosts, log in to the Sky ATP UI, resolve the hosts, and then unassign sites from Policy Enforcer. Always resolve the infected hosts before unassigning sites. Once you unassign sites, you cannot resolve the hosts.