Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Custom Feed Sources Overview

Policy Enforcer uses threat feeds to provide actionable intelligence to policies about various types of threats. These feeds can come from different sources, such as Juniper ATP Cloud, and from lists that you can customize by adding IP addresses, domains, and URLs.


Juniper ATP Cloud feeds and custom feeds are mutually exclusive. You can only have one source for dynamic address, allowlist, blocklist, infected host feeds, and C&C Server.


When dynamic address custom feeds are available, you cannot use office_365 feeds from Juniper ATP Cloud.

The following types of custom threat feeds are available:

  • A dynamic address is a group of IP addresses that can be imported from external sources. These IP addresses are for specific domains or for entities that have a common attribute such as a particular undesired location that poses a threat. You can then configure security policies to use the dynamic addresses within a security policy.

  • An allowlist contains known trusted IP addresses, URLs, and domains. Content downloaded from locations on the allowlist does not have to be inspected for malware.

  • A blocklist contains known untrusted IP addresses, URLs, and domains. Access to locations on the blocklist is blocked, and therefore no content can be downloaded from those sites.

  • Infected hosts are hosts known to be compromised. Enter host IP addresses manually or upload a text file with the IP addresses of infected hosts.

  • Using DDoS threat feed, policy Enforcer blocks source IP addresses in the feed, rate limit the traffic from the source IP addresses, and takes BGP Flowspec action to apply null-route filtering or redirect the traffic to scrubbing centers.

  • Command and Control Server (C&C Server) is a centralized computer that issues commands to botnets (compromised networks of computers) and receives reports back from them. Botnets can be used to gather sensitive information, such as account numbers or credit card information, or to participate in a distributed DDoS attack.

For threat management policies to use these feeds, you must enter configuration information for each feed type.

Benefits of Custom Feed Sources

  • Provides relevant and timely intelligence that you can use to create enforcement policies. Enables you to customize threat feeds specific to your industry or organization.

  • Provides flexible mechanisms to synchronize threat information to:

    • Configure Policy Enforcer to poll from local file and remote file custom feeds.

    • Push threat feeds to Policy Enforcer using the Threat Feed API .