To access this page, click Configure>Threat Prevention>Custom Feeds.
You can create custom feeds from the custom feeds page.
Know what type of feed you are configuring and have all the necessary information on hand. Local feeds are created on your local system and uploaded from there.
To use a custom feed, apply it to the source or destination address in a firewall rule. In the firewall rule, you can filter addresses to show Dynamic Addresses.
For creating an Infected Host custom feed, see Creating Custom Feeds, Infected Host.
For creating a DDoS custom feed, see Creating Custom Feeds, DDoS.
To create local file and remote file custom feeds:
Table 324: Custom Feed Categories
Feed Category | Definition |
---|---|
Dynamic Address | A dynamic address entry provides dynamic IP address information to security policies. A dynamic address is a group of IP addresses, not just a single IP prefix, that can be imported from external sources. These IP addresses are for specific domains or for entities that have a common attribute such as a particular undesired location that poses a threat. You can then configure security policies to use the dynamic addresses within a security policy. You can use custom feeds while configuring the firewall policy. For information on how to create dynamic addresses, see: Creating Dynamic Address Groups. Note: You can create multiple custom feeds for all types of feed categories. |
Whitelist | A whitelist contains known trusted IP addresses, URLs, and domains. Content downloaded from locations on the whitelist does not have to be inspected for malware. |
Blacklist | A blacklist contains known untrusted IP addresses, URLs, and domains. Access to locations on the blacklist is blocked, and therefore no content can be downloaded from those sites. |
Infected Host | Infected hosts are hosts known to be compromised. Enter host IP addresses manually or upload a text file with the IP addresses of infected hosts. See Creating Custom Feeds, Infected Host for configuration details. |
DDoS | Using DDoS threat feed, policy Enforcer blocks source IP addresses in the feed, rate limit the traffic from the source IP addresses, and takes BGP Flowspec action to blackhole or redirect the traffic to scrubbing centers. See Creating Custom Feeds, DDoS and Creating Threat Prevention Policies. |
Note:
The Remote Download Status field shows the status of downloading feeds from a remote file server to Policy Enforcer. This field will be blank if the locally created custom feeds.
The following statuses are shown under different scenarios:
Pending—Status is shown as pending until Policy Enforcer downloads the new feeds from the remote file server.
Success—Status is shown as success when Policy Enforcer downloads the feeds successfully.
Failed—Status is shown as failed when downloading the feeds fails.
The Days to Become Inactive field shows the number of days within which the custom feed is going to expire or become inactive. You must specify the number of days for each custom feed to be active in the Time to Live (TTL) Settings page. Whenever you make any update to a feed type in the TTL Settings page , number of days to expire is counted from that date. See Configuring TTL Settings for Custom Feeds.
Once the Days to Become Inactive field is zero, the respective feed will become inactive and cannot be used. You must update the feed again to make it active.
Feeds with local files—This is data you enter manually into the provided fields or upload from a text file on your location machine. See Table 238 for details.
Feeds with remote file server—This is a data feed from a remote server. Configure communication with the remote server using instructions in Table 239.
Note: To use a custom feed, apply it to the source or destination address in a firewall rule. In the firewall rule, you can filter addresses to show Dynamic Addresses.
If there is a firewall policy rule created using the dynamic address, you cannot delete the same dynamic address from the Custom Feeds page. You must first delete the firewall policy rule and then , delete the dynamic address from the Custom Feeds page.
Use the fields in Table 238 to add custom feeds.
Table 325: Fields on the Custom Feeds Page, Feeds with Local Files
Field | Description |
---|---|
Name | Enter a unique string that must begin with an alphanumeric character and can include only dashes and underscores; no spaces allowed; 32-character maximum. |
Description | Enter a description for your custom feed; maximum length is 64 characters. You should make this description as useful as possible for all administrators. |
Feed Type | Select one of the following:
Note: For Dynamic Address, you can only select IP, Subnet, and Range. For Blacklists and Whitelists, all feed types are available for selection. |
Sites | Select the required sites from the list to associate them with the dynamic address or whitelists and blacklists feeds. In the default mode (no Sky ATP), only sites are listed because of no Sky ATP. The same site can be shared across dynamic address, whitelists, and blacklists feeds. |
Realms | Select the required realms from the list, if you are in Cloud feeds only, Sky ATP, or Sky ATP with SDSN mode. Associate these realms with dynamic address or whitelists and blacklists feeds. The same realm can be shared across dynamic address, whitelists and blacklists feeds. When you are creating a Sky ATP realm, if you do not assign any sites to it, those realms are not listed here. Only realms with sites associated are listed here. |
Custom List | Do one of the following:
|
Table 326: Fields on the Custom Feeds Page, Feeds with Remote File Server
Field | Description |
---|---|
Name | Enter a unique string that must begin with an alphanumeric character and can include only dashes and underscores; no spaces allowed; 32-character maximum. |
Description | Enter a description for your custom feed; maximum length is 64 characters. You should make this description as useful as possible for all administrators. |
Feed Type | Select one of the following:
|
Type of Server URL | Select one of the following:
|
Server File URL | Enter the URL for the remote file server. |
Certificate Upload | Click Browse and select the CA certificate to upload. If you do not upload a certificate for https server URL, a warning message is shown that a certificate is not uploaded and to whether proceed further or not. Click Yes to proceed further without uploading a certificate or No to go back and upload the certificate. |
Username | Enter the credentials for the remote file server. This is not a mandatory field. You can still proceed to create a custom feed without entering the username. |
Password | Enter the credentials for the remote file server. This is a mandatory field, if you have provided the username. |
Update Interval | Select how often updates are retrieved from the remote files server: Hourly, Daily, Weekly, Monthly, Never |