Allowlist and Blocklist Overview
An allowlist contains known trusted IP addresses, Hashes, Email addresses, and URLs. Content downloaded from locations on the allowlist does not have to be inspected for malware. A blocklist contains known untrusted IP addresses and URLs. Access to locations on the blocklist is blocked, and therefore no content can be downloaded from those sites.
Benefits of Allowlists and Blocklists
Allowlist allows users to download files from sources that are known to be safe. Allowlist can be added to in order to decrease false positives.
Blocklists prevent users from downloading files from sources that are known to be harmful or suspicious.
The Custom allowlists or custom blocklists allow you to add items manually. Both are configured on the Juniper ATP Cloud cloud server. The priority order is as follows:
If a location is in multiple lists, the first match wins.
Allowlists and blocklists support the following types:
For IP and URL, The Web UI performs basic syntax checks to ensure your entries are valid.
The cloud feed URL for allowlists and blocklists is set up automatically for you when you run the op script to configure your SRX Series device. See Downloading and Running the Juniper Advanced Threat Prevention Cloud Script.
A hash is a unique signature for a file generated by an algorithm. You can add custom allowlist and blocklist hashes for filtering, but they must be listed in a text file with each entry on a single line. You can only have one running file containing up to 15,000 file hashes. For upload details see Creating Allowlists and Blocklists. Note that Hash lists are slightly different than other list types in that they operate on the cloud side rather than the SRX Series device side. This means the web portal is able to display hits on hash items.
The SRX series device makes requests approximately every two hours for new and updated feed content. If there is nothing new, no new updates are downloaded.
Use the show security dynamic-address instance advanced-anti-malware CLI command to view the IP-based allowlists and blocklists on your SRX Series device. There is no CLI command to show the domain-based or URL-based allowlists and blocklists at this time.
Example show security dynamic-address instance advanced-anti-malware
user@host>show security dynamic-address instance advanced-anti-malware No. IP-start IP-end Feed Address 1 x.x.x.0 x.x.x.10 custom_whitelist ID-80000400 2 x.x.0.0 x.x.0.10 custom_blacklist ID-80000800 Instance advanced-anti-malware Total number of matching entries: 2
If you do not see your updates, wait a few minutes and try the command again. You might be outside the Juniper ATP Cloud polling period.
Once your allowlists or blocklists are created, create an advanced anti-malware policy to log (or don’t log) when attempting to download a file from a site listed in the blocklist or allowlist files. For example, the following creates a policy named aawmpolicy1 and creates log entries.
set services advanced-anti-malware policy aamwpolicy1 blacklist-notification
set services advanced-anti-malware policy aamwpolicy1 whitelist-notification log