
Creating Allowlists and Blocklists


Access these pages from Configure > Allowlists or Blocklists.

Use these pages to configure custom trusted and untrusted lists. You can also upload hash files.

Content downloaded from locations on the allowlist is trusted and does not have to be inspected for malware. Hosts cannot download content from locations on the blocklist, because those locations are untrusted.

  • Read the Allowlist and Blocklist Overview topic.

  • Decide on the type of item you intend to define: URL, IP, Hash, Domain

  • Review current list entries to ensure the item you are adding does not already exist.

  • If you are uploading hash files, the files must be in a text file with each hash on its own single line.

To create Juniper ATP Cloud allowlists and blocklists:

  1. Select Configuration > Allowlists or Blocklists.
  2. For either Allowlist or Blocklist, select one of the following tabs: IP, URL, Hash File, Email Sender, C&C Server, or Encrypted Traffic, and enter the required information. See the tables below.

    Note: The Encrypted Traffic option is available only under the Allowlists menu.

  3. Click OK.

Refer to the following tables for the data required by each tab.

IP

When you create a new IP list item, you must choose the Type of list: IP. You can do this by selecting the type in the navigation pane or by choosing it from a pulldown list in the Create window. Depending on the type, you must enter the required information. See the following table.

Table 1: IP Configuration

Setting

Guideline

IP

Enter the IPv4 or IPv6 IP address. For example: 1.2.3.4 or 0:0:0:0:0:FFFF:0102:0304. CIDR notation and IP address ranges are also accepted.

Any of the following IPv4 formats are valid: 1.2.3.4, 1.2.3.4/30, or 1.2.3.4-1.2.3.6.

Any of the following IPv6 formats are valid: 1111::1, 1111::1-1111::9, or 1111:1::0/64.

Note: Address ranges: A range may cover at most a /16 block of IPv4 addresses or a /48 block of IPv6 addresses. For example, 10.0.0.0-10.0.255.255 is valid, but 10.0.0.0-10.1.0.0 is not.

Bitmasks: The shortest prefix accepted in a subnet record is /16 for IPv4 and /48 for IPv6, so a subnet may cover at most the same block sizes. For example, 10.0.0.0/15 and 1234::/47 are not valid.

Note: To edit an existing allowlist or blocklist IP entry, select the check box next to the entry you want to edit and click the pencil icon.
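To check an IP entry against the format and size limits in Table 1 before adding it, here is an added Python example (not Juniper code) that applies the stated rules with the standard ipaddress module. The function names are assumptions of this example.

```python
import ipaddress

# Limits from the IP table: a subnet or range may cover at most a /16 block
# of IPv4 addresses or a /48 block of IPv6 addresses.
MIN_PREFIX = {4: 16, 6: 48}
ADDR_BITS = {4: 32, 6: 128}


def parse_ip_entry(entry: str):
    """Return (kind, first_address, last_address) for a valid entry, else raise ValueError."""
    text = entry.strip()
    if "/" in text:
        # Subnet record: strict=False accepts host bits, e.g. 1.2.3.4/30 or 1111:1::0/64.
        net = ipaddress.ip_network(text, strict=False)
        if net.prefixlen < MIN_PREFIX[net.version]:
            raise ValueError(f"{text}: prefix shorter than /{MIN_PREFIX[net.version]} is not accepted")
        return "subnet", net[0], net[-1]
    if "-" in text:
        # Address range: both ends must share an IP version and the span must fit the block limit.
        lo_text, hi_text = text.split("-", 1)
        lo = ipaddress.ip_address(lo_text.strip())
        hi = ipaddress.ip_address(hi_text.strip())
        if lo.version != hi.version:
            raise ValueError(f"{text}: mixed IPv4 and IPv6 range")
        if hi < lo:
            raise ValueError(f"{text}: range end precedes range start")
        limit = 1 << (ADDR_BITS[lo.version] - MIN_PREFIX[lo.version])
        if int(hi) - int(lo) + 1 > limit:
            raise ValueError(f"{text}: range exceeds a /{MIN_PREFIX[lo.version]} block")
        return "range", lo, hi
    # Single IPv4 or IPv6 address, e.g. 1.2.3.4 or 0:0:0:0:0:FFFF:0102:0304.
    addr = ipaddress.ip_address(text)
    return "address", addr, addr


def is_valid_ip_entry(entry: str) -> bool:
    """True when the entry would be accepted under the documented format and size limits."""
    try:
        parse_ip_entry(entry)
        return True
    except ValueError:
        return False


def entry_covers(entry: str, ip: str) -> bool:
    """True when a valid entry covers the given address (same IP version, within first..last)."""
    _, first, last = parse_ip_entry(entry)
    addr = ipaddress.ip_address(ip)
    return addr.version == first.version and first <= addr <= last
```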

URL

When you create a new URL list item, you must choose the Type of list: URL. You can do this by selecting the type in the navigation pane or by choosing it from a pulldown list in the Create window. Depending on the type, you must enter the required information. See the following table.

Table 2: URL Configuration

Setting

Guideline

URL

Enter the URL using the following format: juniper.net. Wildcards and protocols are not valid entries. The system automatically adds a wildcard to the beginning and end of URLs. Therefore juniper.net also matches a.juniper.net, a.b.juniper.net, and a.juniper.net/abc. If you explicitly enter a.juniper.net, it matches b.a.juniper.net, but not c.juniper.net. You can enter a specific path. If you enter juniper.net/abc, it matches x.juniper.net/abc, but not x.juniper.net/123.

Note: To edit an existing allowlist or blocklist URL entry, select the check box next to the entry you want to edit and click the pencil icon.
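The matching rule in Table 2 (no wildcards or protocols in the entry, implicit wildcards added at both ends) can be tried out before an entry goes live. This is an added Python example, not Juniper code, and it assumes matching is case-insensitive over host and path; the function names are its own.

```python
from urllib.parse import urlsplit


def validate_url_entry(entry: str) -> str:
    """Normalize a URL list entry, rejecting what Table 2 says is not a valid entry."""
    text = entry.strip().lower()  # assumption: host and path are compared case-insensitively
    if not text:
        raise ValueError("empty entry")
    if "*" in text:
        raise ValueError(f"{entry}: wildcards are not valid; the system adds them implicitly")
    if "://" in text:
        raise ValueError(f"{entry}: protocols are not valid; enter host and optional path only")
    return text


def normalize_url(url: str) -> str:
    """Reduce a requested URL to host[/path], dropping scheme, port, query and fragment."""
    parts = urlsplit(url if "://" in url else "//" + url)
    return (parts.hostname or "").lower() + parts.path.lower()


def entry_matches(entry: str, url: str) -> bool:
    """Documented rule: the entry is wrapped in wildcards, so it matches anywhere in host/path."""
    return validate_url_entry(entry) in normalize_url(url)


def first_match(entries, url: str):
    """Return the first list entry that matches the URL, or None if no entry does."""
    for entry in entries:
        if entry_matches(entry, url):
            return entry
    return None
```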

Hash File

When you upload a hash file, it must be in a text file with each hash on its own single line. You can only have one running hash file. To add to it or edit it, see the instructions in the following table.

Table 3: Hash File Upload and Edit

Field

Guideline

You can add custom allowlist and blocklist hashes for filtering, but they must be listed in a text file with each entry on a single line. You can only have one running hash file containing up to 15,000 file hashes. This is the “current” list, but you can add to it, edit it, and delete it at any time.

SHA-256 Hash Item

To add hash entries, you can upload several text files; they are automatically combined into one file. See the merge, delete, and replace options below.

Download—Click this button to download the text file if you want to view or edit it.

You have the following options from the pulldown:

  • Replace current list—Use this option when you want to change the existing list, but do not want to delete it entirely. Download the existing file, edit it, and then upload it again.

  • Merge with current list—Use this option when you upload a new text file and want it to combine with the existing text file. The hashes in both files combine to form one text file containing all hashes.

  • Delete from current list—Use this option when you want to delete only a portion of the current list. In this case, you would create a text file containing only the hashes you want to remove from the current list. Upload the file using this option and only the hashes in the uploaded file are deleted from the current active list.

Delete All or Delete Selected—Sometimes it’s more efficient to delete the current list rather than downloading it and editing it. Click this button to delete the currently selected list or all lists that have been added and accumulated here.

Source

Indicates whether the hash file belongs to the Allowlist or the Blocklist.

Date Added

The month, day, year, and time when the hash file was last uploaded or edited.
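Before uploading a hash file, it helps to check that every line is a SHA-256 hash and to preview what the Replace, Merge, and Delete options will leave in the running list (Table 3, including the 15,000-hash limit). This is an added Python example, not Juniper code; the sample hashes are constructed from short test strings, and the function names are assumptions.

```python
import hashlib
import re

MAX_HASHES = 15_000  # one running list holds up to 15,000 hashes (Table 3)
SHA256_RE = re.compile(r"[0-9a-f]{64}")  # one lowercase hex SHA-256 per line


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample hashes: digests of short test strings, not real file indicators.
SAMPLE = [sha256_hex(f"sample-{i}".encode()) for i in range(4)]

# Constructed upload: an uppercase hash (accepted after normalizing), a blank line,
# a non-hash line and an MD5-length value (both rejected), then a third valid hash.
SAMPLE_UPLOAD = "\n".join(
    [SAMPLE[0], SAMPLE[1].upper(), "", "not-a-hash", "d41d8cd98f00b204e9800998ecf8427e", SAMPLE[2]]
) + "\n"


def parse_hash_file(text: str):
    """Split an upload into (accepted hashes in file order, [(line_no, raw_line)] rejected)."""
    accepted, rejected = [], []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip().lower()
        if not line:
            continue  # blank lines carry nothing and are skipped
        if SHA256_RE.fullmatch(line):
            accepted.append(line)
        else:
            rejected.append((line_no, raw))
    return accepted, rejected


def apply_upload(current, uploaded, mode: str):
    """Compute the new running list for the pulldown options: replace, merge or delete."""
    cur, new = set(current), set(uploaded)
    if mode == "replace":
        result = new
    elif mode == "merge":
        result = cur | new
    elif mode == "delete":
        result = cur - new  # only hashes present in the uploaded file are removed
    else:
        raise ValueError(f"unknown mode {mode!r}")
    if len(result) > MAX_HASHES:
        raise ValueError(f"resulting list has {len(result)} hashes, above the {MAX_HASHES} limit")
    return sorted(result)
```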

Email Sender

Add email addresses to be allowlisted or blocklisted if found in either the sender or recipient of an email communication. Add addresses one at a time using the + icon.

Table 4: Email Sender

Field

Guideline

Email address

Enter an email address in the format name@domain.com. Wildcards and partial matches are not supported, but if you want to include an entire domain, you could enter only the domain as follows: domain.com

If an email matches the blocklist, it is considered to be malicious and is handled the same way as an email with a malicious attachment. The email is blocked and a replacement email is sent. If an email matches the allowlist, that email is allowed through without any scanning. See SMTP Quarantine Overview: Blocked Emails.

It is worth noting that attackers can easily fake the “From” email address of an email, making blocklists a less effective way to stop malicious emails.

C&C Server

When you allowlist a C&C server, the IP or hostname is sent to the SRX Series devices to be excluded from any security intelligence blocklists or C&C feeds (both Juniper’s global threat feed and third party feeds). The server will also now be listed under the C&C allowlist management page.

You can enter C&C server data manually or upload a list of servers. That list must be a text file with each IP or domain on its own single line. A file must contain only IPs or only domains; do not mix the two in one file. You can upload multiple files, one at a time.

Note

You can also manage allowlist and blocklist entries using the Threat Intelligence API. Entries added to the allowlist/blocklist data are available in the Threat Intelligence API under the following feed names: “whitelist_domain” or “whitelist_ip”, and “blacklist_domain” or “blacklist_ip.” See the Juniper ATP Cloud Threat Intelligence Open API Setup Guide for details on using the API to manage any custom feeds.

Table 5: C&C Server

Field

Guideline

Type

Select IP to enter the IP address of a C&C server that you want to add to the allowlist. Select Domain to allowlist an entire domain on the C&C server list.

IP or Domain

For IP, enter an IPv4 or IPv6 address. An IP entry can be a single address, an address range, or a subnet. For Domain, use the following syntax: juniper.net. Wildcards are not supported.

Description

Enter a description that indicates why an item has been added to the list.

You can also allowlist C&C servers directly from the C&C Monitoring page details view. See Command and Control Server Details.

Warning: Adding a C&C server to the allowlist automatically triggers a remediation process to update any affected hosts (in that realm) that have contacted the allowlisted C&C server. All C&C events related to this allowlisted server will be removed from the affected hosts’ events, and a host threat level recalculation will occur.

If the host score changes during this recalculation, a new host event appears describing why it was rescored. (For example, “Host threat level updated after C&C server 1.2.3.4 was cleared.”) Additionally, the server will no longer appear in the list of C&C servers because it has been cleared.

Encrypted Traffic

You can specify the IP address or domain names that you want to allowlist from encrypted traffic analysis. Use this tab to add, modify, or delete the allowlists for encrypted traffic analysis.

Table 6: Encrypted Traffic

Field

Guideline

Type

Select whether you want to specify the IP address or domain name for the allowlist.

IP or Domain

Enter the IP address or domain name for the allowlist.

Note

Juniper ATP Cloud periodically polls for new and updated content and automatically downloads it to your SRX Series device. There is no need to manually push your allowlist or blocklist files.

Use the show security dynamic-address instance advanced-anti-malware command to view the custom allowlist and blocklist on SRX Series devices.

Example: show security dynamic-address instance advanced-anti-malware