
Creating Custom Feeds: Dynamic Address, Whitelist and Blacklist

To access this page, click Configure>Threat Prevention>Custom Feeds.

You can create custom feeds from the custom feeds page.

Before You Begin

Procedure

To create local file and remote file custom feeds:

  1. Select Configure>Threat Prevention>Custom Feeds.
  2. Select one of the following feed types.

    Table 324: Custom Feed Categories

    Feed Category

    Definition

    Dynamic Address

    A dynamic address entry provides dynamic IP address information to security policies. A dynamic address is a group of IP addresses, not just a single IP prefix, that can be imported from external sources. These IP addresses are for specific domains or for entities that have a common attribute, such as a particular undesired location that poses a threat. You can then configure security policies to use the dynamic addresses.

    You can use custom feeds while configuring the firewall policy. For information on how to create dynamic addresses, see: Creating Dynamic Address Groups.

    Note: You can create multiple custom feeds for all types of feed categories.

    Whitelist

    A whitelist contains known trusted IP addresses, URLs, and domains. Content downloaded from locations on the whitelist does not have to be inspected for malware.

    Blacklist

    A blacklist contains known untrusted IP addresses, URLs, and domains. Access to locations on the blacklist is blocked, and therefore no content can be downloaded from those sites.

    Infected Host

    Infected hosts are hosts known to be compromised. Enter host IP addresses manually or upload a text file with the IP addresses of infected hosts. See Creating Custom Feeds, Infected Host for configuration details.

    DDoS

    Using the DDoS threat feed, Policy Enforcer blocks source IP addresses in the feed, rate limits the traffic from the source IP addresses, and takes BGP Flowspec action to blackhole or redirect the traffic to scrubbing centers. See Creating Custom Feeds, DDoS and Creating Threat Prevention Policies.

    Note:

    • The Remote Download Status field shows the status of downloading feeds from a remote file server to Policy Enforcer. This field is blank for locally created custom feeds.

      The following statuses are shown under different scenarios:

      • Pending—Status is shown as pending until Policy Enforcer downloads the new feeds from the remote file server.

      • Success—Status is shown as success when Policy Enforcer downloads the feeds successfully.

      • Failed—Status is shown as failed when downloading the feeds fails.

    • The Days to Become Inactive field shows the number of days within which the custom feed is going to expire or become inactive. You must specify the number of days for each custom feed to be active in the Time to Live (TTL) Settings page. Whenever you update a feed type in the TTL Settings page, the number of days to expire is counted from that date. See Configuring TTL Settings for Custom Feeds.

      Once the Days to Become Inactive field is zero, the respective feed will become inactive and cannot be used. You must update the feed again to make it active.

  3. Click Create and select one of the following:
    • Feeds with local files—This is data you enter manually into the provided fields or upload from a text file on your local machine. See Table 238 for details.

    • Feeds with remote file server—This is a data feed from a remote server. Configure communication with the remote server using instructions in Table 239.

  4. Complete the configuration by using the guidelines in Table 238 or Table 239.
  5. Click OK. Your entry is added to the custom list displayed at the bottom of the page.

Note: To use a custom feed, apply it to the source or destination address in a firewall rule. In the firewall rule, you can filter addresses to show Dynamic Addresses.

If a firewall policy rule has been created using a dynamic address, you cannot delete that dynamic address from the Custom Feeds page. You must first delete the firewall policy rule and then delete the dynamic address from the Custom Feeds page.

Use the fields in Table 238 to add custom feeds.

Table 325: Fields on the Custom Feeds Page, Feeds with Local Files

Field

Description

Name

Enter a unique string that must begin with an alphanumeric character and can include only dashes and underscores; no spaces allowed; 32-character maximum.

Description

Enter a description for your custom feed; maximum length is 64 characters. You should make this description as useful as possible for all administrators.

Feed Type

Select one of the following:

  • IP, Subnet and Range—Enter an IPv4 address in standard four-octet format. CIDR notation and IP address ranges are also accepted. Any of the following formats are valid: 1.2.3.4, 1.2.3.4/30, or 1.2.3.4-1.2.3.6.

  • URL and Domain—Enter the URL using the following format: http://yourfeed.com/abc and Domain using the following format: http://yourfeed.com. Wildcards and protocols are not valid entries.

Note: For Dynamic Address, you can only select IP, Subnet, and Range. For Blacklists and Whitelists, all feed types are available for selection.

Sites

Select the required sites from the list to associate them with the dynamic address or whitelists and blacklists feeds.

In the default mode (no Sky ATP), only sites are listed because Sky ATP is not in use. The same site can be shared across dynamic address, whitelist, and blacklist feeds.

Realms

Select the required realms from the list, if you are in Cloud feeds only, Sky ATP, or Sky ATP with SDSN mode.

Associate these realms with dynamic address or whitelists and blacklists feeds. The same realm can be shared across dynamic address, whitelists and blacklists feeds.

When you are creating a Sky ATP realm, if you do not assign any sites to it, those realms are not listed here. Only realms with sites associated are listed here.

Custom List

Do one of the following:

  • Click Upload File to upload a text file with an IP address list. Click the Add button to include the address list in your custom list.

    Note that the file must contain only one item per line (no commas or semicolons). All items are validated before being added to the custom list.

    The file must not contain more than 500 entries. An error message is shown if you try to upload a file containing more than 500 IP addresses. Use the Feeds with remote file server option to upload a file containing more than 500 IP addresses.

  • Manually enter your item in the space provided in the Custom List section. To add more items, click + to add more spaces.
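
A pre-upload check for a local feed file, applying the rules stated above (one item per line, no commas or semicolons, the three IP formats, the 500-entry limit, and the Name field rule). This is an added example, not Juniper code; the function names are hypothetical, and skipping blank lines and allowing letters and digits after the first character of a name are assumptions about how the product interprets those rules.

```python
import ipaddress
import re

MAX_LOCAL_ENTRIES = 500  # local-file upload limit stated on this page
# Assumed reading of the Name rule: alphanumeric first, then alphanumerics, '-' or '_'.
NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]{0,31}")

def valid_feed_name(name):
    """True if name fits the Name field rule (no spaces, 32 characters maximum)."""
    return NAME_RE.fullmatch(name) is not None

def check_entry(item):
    """Return None for a valid IP, CIDR or range entry, else a reason string."""
    if "," in item or ";" in item:
        return "more than one item on the line"
    try:
        if "-" in item:  # range form, e.g. 1.2.3.4-1.2.3.6
            lo, hi = (ipaddress.IPv4Address(p) for p in item.split("-", 1))
            return None if lo <= hi else "range start is above range end"
        _, slash, plen = item.partition("/")
        if slash and not plen.isdigit():  # CIDR prefix length only, no dotted netmask
            raise ValueError(item)
        ipaddress.IPv4Interface(item)  # accepts host bits, e.g. 1.2.3.4/30
        return None
    except ValueError:
        return "not an IPv4 address, CIDR prefix or range"

def lint_feed(text, max_entries=MAX_LOCAL_ENTRIES):
    """Return (entries, errors); each error is (line_no, text, reason)."""
    entries, errors = [], []
    for no, raw in enumerate(text.splitlines(), 1):
        item = raw.strip()
        if not item:  # assumption: blank lines are ignored
            continue
        reason = check_entry(item)
        if reason:
            errors.append((no, item, reason))
        else:
            entries.append(item)
    if max_entries is not None and len(entries) + len(errors) > max_entries:
        errors.append((0, "", f"more than {max_entries} entries"))
    return entries, errors

# Constructed sample: three valid lines followed by three invalid ones.
SAMPLE = ("1.2.3.4\n1.2.3.4/30\n1.2.3.4-1.2.3.6\n"
          "10.0.0.1, 10.0.0.2\n1.2.3.6-1.2.3.4\n300.1.1.1\n")

if __name__ == "__main__":
    ok, bad = lint_feed(SAMPLE)
    print(ok)
    for err in bad:
        print(err)
```

Pass max_entries=None when checking a file that will be served from a remote file server, since the 500-entry limit is stated only for local uploads.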

Table 326: Fields on the Custom Feeds Page, Feeds with Remote File Server

Field

Description

Name

Enter a unique string that must begin with an alphanumeric character and can include only dashes and underscores; no spaces allowed; 32-character maximum.

Description

Enter a description for your custom feed; maximum length is 64 characters. You should make this description as useful as possible for all administrators.

Feed Type

Select one of the following:

  • IP, Subnet and Range—Enter an IPv4 address in standard four-octet format. CIDR notation and IP address ranges are also accepted. Any of the following formats are valid: 1.2.3.4, 1.2.3.4/30, or 1.2.3.4-1.2.3.6.

  • URL and Domain—Enter the URL using the following format: http://yourfeed.com/abc and Domain using the following format: http://yourfeed.com. Wildcards and protocols are not valid entries.

    Note: For Dynamic Address, you can only enter IP, Subnet, and Range. For Blacklists and Whitelists, all feed types are available for selection.

Type of Server URL

Select one of the following:

  • http

  • https

Server File URL

Enter the URL for the remote file server.

Certificate Upload

Click Browse and select the CA certificate to upload.

If you do not upload a certificate for an https server URL, a warning message states that a certificate is not uploaded and asks whether to proceed. Click Yes to proceed without uploading a certificate or No to go back and upload the certificate.

Username

Enter the credentials for the remote file server.

This is not a mandatory field. You can still proceed to create a custom feed without entering the username.

Password

Enter the credentials for the remote file server.

This field is mandatory if you have provided the username.

Update Interval

Select how often updates are retrieved from the remote file server: Hourly, Daily, Weekly, Monthly, Never.
