Use the Create Custom Feed page to configure the Dynamic Address, Whitelist, Blacklist, Infected Hosts, and DDoS custom feeds. These feeds provide relevant and timely intelligence that you can use to create enforcement policies.
Know what type of feed you are configuring and have all the necessary information on hand. Local feeds are created on your local system and uploaded from there.
Note that infected hosts are hosts known to be compromised. For an infected host custom feed, enter host IP addresses manually or upload a text file with the IP addresses of infected hosts.
If you create a whitelist, blacklist, or infected hosts feed, it will override the respective Sky ATP feed.
Note that when Sky ATP only mode is selected as the Threat Prevention Type, the infected host and DDoS custom feeds are not available.
To create local file and remote file custom feeds:
The Feed Sources page appears. If you make no selection for Sky ATP Configuration Type on the Policy Enforcer Settings page, only custom feeds are available as the threat prevention type.
Feeds with local files—Enter your data manually into the provided fields or upload it from a text file on your local machine.
Feeds with remote file server—Configure communication with the remote server to fetch the data feed from it.
Note
To use a custom feed, apply it to the source or destination address in a firewall rule. In the firewall rule, you can filter addresses to show only the custom feeds.
If a firewall policy rule has been created using a dynamic address, you cannot delete that dynamic address from the Feed Sources page. You must first delete the firewall policy rule and then delete the dynamic address from the Feed Sources page.
When you have no Sky ATP Configuration Type selected (No selection), Sky ATP realms are disabled. Because site selection is usually done from the Sky ATP realm page, you must select sites from the Create Custom Feed page when in “No selection” mode. The custom feeds are then downloaded to the devices in the chosen sites. This is the only time site selection is available on the Create Custom Feed page.
Table 319: Fields on the Create Custom Feed Page, Feeds with Local Files
Field | Description |
---|---|
Name | Enter a unique string that must begin with an alphanumeric character and can include only dashes and underscores; no spaces allowed; 32-character maximum. |
Description | Enter a description for your custom feed; maximum length is 64 characters. You should make this description as useful as possible for all administrators. |
Feed Type | Select one of the following custom feeds as a threat prevention type: |
Sites | Select the required sites from the list to associate them with the dynamic address or whitelist and blacklist feeds. In the default mode (no Sky ATP), only sites are listed because there is no Sky ATP. You can share a site across the same feed type for dynamic address, whitelist, and blacklist. For infected hosts and DDoS, sites cannot be shared across the same feed type. However, you can share a site across different feed types. |
Realms | Select the required realms from the list if you are in Cloud feeds only, Sky ATP, or Sky ATP with SDSN mode. Associate these realms with dynamic address or whitelist and blacklist feeds. You can share a realm across the same feed type for dynamic address, whitelist, and blacklist. For infected hosts and DDoS, realms cannot be shared across the same feed type. However, you can share a realm across different feed types. Sky ATP realms without any assigned sites are not listed here; only realms with associated sites are listed. |
User Input Type (Available for Whitelist and Blacklist) | Select one of the following input types for Whitelist and Blacklist: |
Custom List | Do one of the following: |
Table 320: Fields on the Create Custom Feed Page, Feeds with Remote File Server
Field | Description |
---|---|
Name | Enter a unique string that must begin with an alphanumeric character and can include only dashes and underscores; no spaces allowed; 32-character maximum. |
Description | Enter a description for your custom feed; maximum length is 64 characters. You should make this description as useful as possible for all administrators. |
Feed Type | Select one of the following custom feeds as a threat prevention type: |
Type of Server URL | Select one of the following: |
Server File URL | Enter the URL for the remote file server. |
Certificate Upload (If the URL type is HTTPS) | Click Browse and select the CA certificate to upload. If you do not upload a certificate for an HTTPS server URL, a warning message states that a certificate is not uploaded and asks whether to proceed. Click Yes to proceed without uploading a certificate or No to go back and upload the certificate. |
Username | Enter the credentials for the remote file server. This is not a mandatory field. You can still proceed to create a custom feed without entering the username. |
Password | Enter the credentials for the remote file server. This is a mandatory field, if you have provided the username. |
Update Interval | Select how often updates are retrieved from the remote file server: Hourly, Daily, Weekly, Monthly, Never |
Sites | Select the required sites from the list to associate them with the custom feeds. |
If you try to disenroll a site in an infected host, a warning message prompts you to resolve all current infected hosts on the respective endpoints within the site. To resolve the infected hosts, log in to the Sky ATP UI, resolve the hosts, and then unassign sites from Policy Enforcer. Ensure that you always resolve the infected hosts before unassigning sites. Once you unassign sites, you cannot resolve the hosts.
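The following is an added example, not Juniper code: a pre-flight check that applies the field rules from the two tables above to a feed definition and screens a local infected-hosts IP list before upload. The dictionary keys, the regular expression used for the Name rule, and the one-address-per-line file layout are assumptions of this example, and the sample data is constructed.

```python
import ipaddress
import re

# Name rule from the tables: begins with an alphanumeric, then alphanumerics,
# dashes or underscores, 32 characters at most (regex is this example's reading).
NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]{0,31}")
INTERVALS = ("Hourly", "Daily", "Weekly", "Monthly", "Never")

def check_feed(feed):
    """Return the problems found in a feed definition (dict keys are hypothetical)."""
    problems = []
    if not NAME_RE.fullmatch(feed.get("name", "")):
        problems.append("name: bad first character, character set or length")
    if len(feed.get("description", "")) > 64:
        problems.append("description: longer than 64 characters")
    if "url" in feed:  # remote file server feed
        if feed["url"].lower().startswith("https://") and not feed.get("ca_cert"):
            problems.append("certificate: HTTPS URL without an uploaded CA certificate")
        if feed.get("username") and not feed.get("password"):
            problems.append("password: mandatory once a username is entered")
        if feed.get("interval") not in INTERVALS:
            problems.append("interval: must be one of " + ", ".join(INTERVALS))
    return problems

def check_ip_list(text):
    """Split a local feed file (assumed one address per line) into valid and rejected."""
    valid, rejected, seen = [], [], set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.strip()
        if not entry:
            continue
        try:
            addr = ipaddress.ip_address(entry)
        except ValueError:
            rejected.append((lineno, entry, "not an IP address"))
            continue
        if addr in seen:
            rejected.append((lineno, entry, "duplicate"))
            continue
        seen.add(addr)
        valid.append(str(addr))
    return valid, rejected

# Constructed sample data (documentation address ranges, placeholder URL).
SAMPLE_FEED = {"name": "infected hosts", "description": "lab",
               "url": "https://feeds.example.net/hosts.txt",
               "username": "feeduser", "interval": "Daily"}
SAMPLE_FILE = "192.0.2.10\n192.0.2.10\n198.51.100.7\n192.0.2.300\n"

if __name__ == "__main__":
    print(check_feed(SAMPLE_FEED))
    print(check_ip_list(SAMPLE_FILE))
```

The sample definition fails on the space in its name, the missing CA certificate and the username without a password; the sample file yields two usable addresses and two rejected lines.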
© 2018 Juniper Networks, Inc. All rights reserved