
Creating Custom Feeds

Use the Create Custom Feed page to configure the Dynamic Address, Whitelist, Blacklist, Infected Hosts, and DDoS custom feeds. These feeds provide relevant and timely intelligence that you can use to create enforcement policies.

Before You Begin

Procedure

To create local file and remote file custom feeds:

  1. Select Configure > Threat Prevention > Feed Sources.

    The Feed Sources page appears. If you make no selection for Sky ATP Configuration Type on the Policy Enforcer Settings page, only custom feeds are available as the threat prevention type.

  2. Click Create and select one of the following:
    • Feeds with local files—Enter your data manually into the provided fields or upload it from a text file on your local machine.

    • Feeds with remote file server—Configure communication with the remote server to fetch the data feed from it.

  3. Complete the configuration by using the guidelines in Table 245 or Table 246.
  4. Click OK.

Note 

  • To use a custom feed, apply it to the source or destination address in a firewall rule. In the firewall rule, you can filter addresses to show only the custom feeds.

    If a firewall policy rule was created using a dynamic address, you cannot delete that dynamic address from the Feed Sources page. You must first delete the firewall policy rule and then delete the dynamic address from the Feed Sources page.

  • When you have no Sky ATP Configuration Type selected (No selection), Sky ATP realms are disabled. Because site selection is usually done from the Sky ATP realm page, you must select sites from the Create Custom Feed page when in “No selection” mode. The custom feeds are then downloaded to the devices in the chosen sites. This is the only time site selection is available on the Create Custom Feed page.

Table 319: Fields on the Create Custom Feed Page, Feeds with Local Files

Field

Description

Name

Enter a unique string that must begin with an alphanumeric character and can include only dashes and underscores; no spaces allowed; 32-character maximum.

Description

Enter a description for your custom feed; maximum length is 64 characters. You should make this description as useful as possible for all administrators.

Feed Type

Select one of the following custom feeds as a threat prevention type:

  • Dynamic Address

  • Whitelist

  • Blacklist

  • Infected Hosts

  • DDoS

Sites

Select the required sites from the list to associate them with the dynamic address or whitelists and blacklists feeds.

In the default mode (no Sky ATP), only sites are listed because there is no Sky ATP. You can share a site across the same feed type for dynamic address, whitelist, and blacklist. For infected hosts and DDoS, sites cannot be shared across the same feed type. However, you can share a site across different feed types.

Realms

Select the required realms from the list, if you are in Cloud feeds only, Sky ATP, or Sky ATP with SDSN mode.

Associate these realms with dynamic address or whitelists and blacklists feeds. You can share a realm across the same feed type for dynamic address, whitelist, and blacklist. For infected hosts and DDoS, realms cannot be shared across the same feed type. However, you can share a realm across different feed types.

Sky ATP realms without any assigned sites are not listed here. Only realms with associated sites are listed.

User Input Type

(Available for Whitelist and Blacklist)

Select one of the following input types for Whitelist and Blacklist:

  • IP, Subnet and Range—Enter an IPv4 address in standard four octet format. CIDR notation and IP address ranges are also accepted. Any of the following formats are valid: 1.2.3.4, 1.2.3.4/30, or 1.2.3.4-1.2.3.6.

  • URL and Domain—Enter the URL using the following format: http://yourfeed.com/abc and Domain using the following format: http://yourfeed.com.

    Wildcards and protocols are not valid entries.

Custom List

Do one of the following:

  • Click Upload File to upload a text file with an IP address list. Click the Add button to include the address list in your custom list.

    For infected host and DDoS feeds, the uploaded file must have the string add at the beginning, followed by the IP addresses. If you want to delete certain IP addresses, enter the string delete followed by the IP addresses to delete.

    Note that the file must contain only one item per line (no commas or semicolons). All items are validated before being added to the custom list.

    The file must not contain more than 500 entries. An error message is shown if you try to upload a file containing more than 500 IP addresses. Use the Feeds with remote file server option to upload a file containing more than 500 IP addresses.

  • Manually enter your item in the space provided in the Custom List section. To add more items, click + to add more spaces.

    For syntax, enter an IPv4 address in standard four octet format. CIDR notation and IP address ranges are also accepted. Any of the following formats are valid: 1.2.3.4, 1.2.3.4/30, or 1.2.3.4-1.2.3.6.
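
A pre-upload check for the local-file rules above, as an added example that is not Juniper's code: it validates each line against the three accepted IPv4 forms, rejects lines holding more than one item, and enforces the 500-entry limit. The feed-type labels are hypothetical, and it assumes that add and delete each sit on their own line and do not count toward the limit, which the page does not spell out.

```python
import ipaddress

MAX_ENTRIES = 500  # upload limit stated on the page
KEYWORD_FEEDS = {"infected_hosts", "ddos"}  # hypothetical labels for these feed types
# Constructed sample: three valid forms, then three lines that must be rejected.
SAMPLE = "1.2.3.4\n1.2.3.4/30\n1.2.3.4-1.2.3.6\n10.0.0.1,10.0.0.2\n1.2.3.999\n1.2.3.6-1.2.3.4\n"

def parse_item(item):
    """Accept 1.2.3.4, 1.2.3.4/30 or 1.2.3.4-1.2.3.6; raise ValueError otherwise."""
    if "-" in item:
        start, _, end = item.partition("-")
        lo, hi = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
        if lo > hi:
            raise ValueError("range start is above range end")
    elif "/" in item:
        # strict=False because the page's own example 1.2.3.4/30 has host bits set
        ipaddress.IPv4Network(item, strict=False)
    else:
        ipaddress.IPv4Address(item)

def validate_feed_file(text, feed_type="blacklist"):
    """Return (entry_count, errors) for the contents of a custom-list file."""
    errors, count, section = [], 0, None
    needs_keyword = feed_type in KEYWORD_FEEDS
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if needs_keyword and line in ("add", "delete"):
            section = line  # assumption: keyword on its own line opens a section
            continue
        if needs_keyword and section is None:
            errors.append(f"line {lineno}: address appears before an add or delete keyword")
            section = "add"  # report the missing keyword once, keep checking addresses
        if "," in line or ";" in line or len(line.split()) > 1:
            errors.append(f"line {lineno}: more than one item on the line")
            continue
        try:
            parse_item(line)
            count += 1
        except ValueError as exc:
            errors.append(f"line {lineno}: {line!r} rejected ({exc})")
    if count > MAX_ENTRIES:
        errors.append(f"{count} entries exceeds {MAX_ENTRIES}; use a remote file server feed")
    return count, errors

if __name__ == "__main__":
    print(validate_feed_file(SAMPLE))
```

Running the check before upload surfaces a reversed range or a stray separator by line number, instead of finding out when the feed is rejected.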

Table 320: Fields on the Create Custom Feed Page, Feeds with Remote File Server

Field

Description

Name

Enter a unique string that must begin with an alphanumeric character and can include only dashes and underscores; no spaces allowed; 32-character maximum.

Description

Enter a description for your custom feed; maximum length is 64 characters. You should make this description as useful as possible for all administrators.

Feed Type

Select one of the following custom feeds as a threat prevention type:

  • Dynamic Address

  • Whitelist

  • Blacklist

  • Infected Hosts

  • DDoS

Type of Server URL

Select one of the following:

  • http

  • https

Server File URL

Enter the URL for the remote file server.

Certificate Upload

(If the URL type is HTTPS)

Click Browse and select the CA certificate to upload.

If you do not upload a certificate for an https server URL, a warning message states that a certificate is not uploaded and asks whether to proceed. Click Yes to proceed without uploading a certificate or No to go back and upload the certificate.

Username

Enter the credentials for the remote file server.

This is not a mandatory field. You can still proceed to create a custom feed without entering the username.

Password

Enter the credentials for the remote file server.

This is a mandatory field, if you have provided the username.

Update Interval

Select how often updates are retrieved from the remote file server: Hourly, Daily, Weekly, Monthly, or Never.

Sites

Select the required sites from the list to associate them with the custom feeds.

If you try to disenroll a site in an infected host, a warning message is shown to resolve all the current infected hosts from the respective endpoints within a site. To resolve the infected hosts, log in to the Sky ATP UI, resolve the hosts, and then unassign sites from Policy Enforcer. Ensure that you always resolve the infected hosts before unassigning sites. Once you unassign sites, you cannot resolve the hosts.
