Creating Custom Feeds

Use the Create Custom Feed page to configure the Dynamic Address, Allowlist, Blocklist, Infected Hosts, DDoS, and C&C Server custom feeds. These feeds provide relevant and timely intelligence that you can use to create enforcement policies.

Before You Begin

  • Know what type of feed you are configuring and have all the necessary information on hand. Local feeds are created on your local system and uploaded from there.

  • Note that infected hosts are hosts known to be compromised. For an infected host custom feed, enter host IP addresses manually or upload a text file with the IP addresses of infected hosts.

  • If you create an allowlist, blocklist, or infected hosts feed, it overrides the corresponding Juniper ATP Cloud/ATP Appliance feed. Review custom allowlist entries with particular care: an over-broad entry exempts that traffic from the Juniper intelligence the custom feed replaces.

  • Note that when ATP Cloud/ATP Appliance only mode is selected as the Threat Prevention Type, the infected host and DDoS custom feeds are not available.

To create local file and remote file custom feeds:

  1. Select Configure > Threat Prevention > Feed Sources.

    The Feed Sources page appears. If you made no selection for the ATP Cloud/ATP Appliance Configuration Type on the Policy Enforcer Settings page, custom feeds are the only threat prevention type available.

  2. Click Create and select one of the following:
    • Feeds with local files—Enter your data manually into the provided fields or upload a text file from your local machine.

    • Feeds with remote file server—Configure communication with the remote server to fetch the data feed from it.

  3. Complete the configuration by using the guidelines in Table 1 or Table 2.
  4. Click OK.
Note:
  • To use a custom feed of dynamic-address type, apply it to the source or destination address in a firewall rule. In the firewall rule, you can filter addresses to show only the custom feeds.

    If a firewall policy rule uses the dynamic address, you cannot delete that dynamic address from the Feed Sources page. Delete the firewall policy rule first, and then delete the dynamic address from the Feed Sources page.

  • When no ATP Cloud/ATP Appliance Configuration Type is selected (No selection), ATP Cloud/ATP Appliance realms are disabled. Site selection is normally done from the ATP Cloud/ATP Appliance realm page, so in No selection mode you must select sites from the Create Custom Feed page instead. The custom feeds are then downloaded to the devices in the chosen sites. This is the only case in which site selection is available on the Create Custom Feed page.

Table 1: Fields on the Create Custom Feed Page, Feeds with Local Files

Field

Description

Name

Enter a unique name of up to 32 characters. It must begin with an alphanumeric character, may contain only alphanumeric characters, dashes, and underscores, and cannot contain spaces.

Description

Enter a description for your custom feed; maximum length is 64 characters. You should make this description as useful as possible for all administrators.

Feed Type

Select one of the following custom feeds as a threat prevention type:

  • Dynamic Address

  • Allowlist

  • Blocklist

  • Infected Hosts

  • DDoS

  • CC (C&C Server)

Sites

Select the required sites from the list to associate them with the dynamic address, allowlist, blocklist, or C&C Server feed.

In the default mode (no ATP Cloud/ATP Appliance configured), only sites are listed, because there are no realms. A site can be shared across feeds of the same type for dynamic address, allowlist, blocklist, and C&C Server feeds. For Infected Hosts and DDoS feeds, a site cannot be shared across feeds of the same type; it can, however, be shared across different feed types.

Zones/Realms

Select the required realms from the list if you are in Cloud feeds only, ATP Cloud/JATP, or ATP Cloud/ATP Appliance with Juniper Connected Security mode.

Associate these realms with dynamic address, allowlist, blocklist, or C&C Server feeds. A realm can be shared across feeds of the same type for dynamic address, allowlist, blocklist, and CC feeds. For Infected Hosts and DDoS feeds, a realm cannot be shared across feeds of the same type; it can, however, be shared across different feed types.

ATP Cloud/ATP Appliance realms without any assigned sites are not listed here; only realms with associated sites are listed.

Note:

If a site is associated with a tenant, the ATP Cloud/ATP Appliance realm displays the list in the <realm-name>(Tenant:<tenant-name>) format.

User Input Type

(Available for Allowlist and Blocklist)

Select one of the following input types for Allowlist and Blocklist:

  • IP, Subnet and Range—Enter an IPv4 address in standard four-octet format. CIDR notation and IP address ranges are also accepted. Any of the following formats are valid: 1.2.3.4, 1.2.3.4/30, or 1.2.3.4-1.2.3.6.

  • URL and Domain—The following formats are valid:

    • http://www.yourfeed.com

    • https://www.yourfeed.com

    • www.yourfeed.com

    • yourfeed.com

    • yourfeed.com/abc

    Wildcards are not valid entries, and no protocol prefix other than the http:// and https:// forms shown above is accepted.

Custom List

Do one of the following:

  • Click Upload File to upload a text file with an IP address list. Click the Add button to include the address list in your custom list.

    For Infected Hosts and DDoS feeds, the uploaded file must begin with the string add, followed by the IP addresses to add. To remove IP addresses that are already in the feed, enter the string delete followed by the IP addresses to delete.

    The file must contain only one item per line (no commas or semicolons). All items are validated before being added to the custom list.

    The file must not contain more than 500 entries. An error message is shown if you try to upload a file containing more than 500 IP addresses. Use the Feeds with remote file server option to supply a list with more than 500 IP addresses.

  • Manually enter your item and threshold value in the space provided in the Custom List section. To add more items, click + to add more spaces.

    For syntax, enter an IPv4 address in standard four-octet format. CIDR notation and IP address ranges are also accepted. Any of the following formats are valid: 1.2.3.4, 1.2.3.4/30, or 1.2.3.4-1.2.3.6.
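The local-file rules in Table 1 (one item per line, the IP/CIDR/range and URL/domain syntaxes, the add and delete markers for Infected Hosts and DDoS files, and the 500-entry limit) can be checked before a file is uploaded, so that a bad line is caught locally rather than by the upload validator. The following Python script is an added example, not Juniper code and not part of the Policy Enforcer product. The feed type names, the assumed add-then-delete semantics in apply_feed, and the sample addresses are constructed for illustration; the DDoS threshold syntax is not modelled because this page does not specify it.

```python
"""Build and validate Policy Enforcer custom-feed text files before upload.

Added example, not Juniper code. It encodes the rules stated on this page:
one item per line (no commas or semicolons), IPv4 address/CIDR/range syntax,
URL and domain forms without wildcards, 'add'/'delete' markers for Infected
Hosts and DDoS files, and the 500-entry limit for local-file feeds. The
DDoS threshold syntax and the on-device parser are not documented here and
are not modelled.
"""
import ipaddress
import re

MAX_LOCAL_ENTRIES = 500                          # limit for 'Feeds with local files'
SECTION_FEED_TYPES = {"infected-hosts", "ddos"}  # feed types that use add/delete markers

# Documented forms: optional http:// or https://, dotted host name, optional path.
# The character classes exclude '*' and '?', so wildcard entries never match.
URL_RE = re.compile(r"^(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/[a-z0-9._~%/-]*)?$", re.I)


def validate_entry(entry: str, input_type: str) -> str:
    """Return the entry unchanged if it is a valid line for the given input type
    ('ip' or 'url'); raise ValueError with the reason otherwise."""
    entry = entry.strip()
    if "," in entry or ";" in entry:
        raise ValueError(f"one item per line, no commas or semicolons: {entry!r}")
    if input_type == "ip":
        if "-" in entry:                                   # 1.2.3.4-1.2.3.6
            lo, hi = (p.strip() for p in entry.split("-", 1))
            if ipaddress.IPv4Address(lo) > ipaddress.IPv4Address(hi):
                raise ValueError(f"range start is after range end: {entry!r}")
        elif "/" in entry:                                 # 1.2.3.4/30
            ipaddress.IPv4Network(entry, strict=True)      # rejects host bits set
        else:                                              # 1.2.3.4
            ipaddress.IPv4Address(entry)
        return entry
    if input_type == "url":
        if not URL_RE.match(entry):
            raise ValueError(f"not a valid URL or domain entry: {entry!r}")
        return entry
    raise ValueError(f"unknown input type {input_type!r}")


def entry_error(entry: str, input_type: str):
    """Convenience wrapper: the rejection reason as a string, or None if valid."""
    try:
        validate_entry(entry, input_type)
    except ValueError as exc:
        return str(exc)
    return None


def build_feed(feed_type: str, add, delete=(), input_type: str = "ip") -> str:
    """Return the text of a local feed file. Infected Hosts and DDoS files begin
    with 'add' and may carry a 'delete' section; other feed types are a bare list."""
    add = [validate_entry(e, input_type) for e in add]
    delete = [validate_entry(e, input_type) for e in delete]
    if len(add) + len(delete) > MAX_LOCAL_ENTRIES:
        raise ValueError(f"more than {MAX_LOCAL_ENTRIES} entries: use a remote file server feed")
    if feed_type in SECTION_FEED_TYPES:
        lines = ["add", *add] + (["delete", *delete] if delete else [])
    elif delete:
        raise ValueError(f"{feed_type} feeds have no delete section")
    else:
        lines = add
    return "\n".join(lines) + "\n"


def parse_feed(text: str, feed_type: str, input_type: str = "ip") -> dict:
    """Parse a feed file into {'add': [...], 'delete': [...]} with the same checks,
    so a hand-edited file can be verified before it is uploaded."""
    result = {"add": [], "delete": []}
    section, seen_marker = "add", False
    uses_markers = feed_type in SECTION_FEED_TYPES
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.lower() in ("add", "delete"):
            if not uses_markers:
                raise ValueError(f"line {lineno}: '{line}' marker is only valid for Infected Hosts and DDoS files")
            section, seen_marker = line.lower(), True
            continue
        if uses_markers and not seen_marker:
            raise ValueError(f"line {lineno}: file must start with the string 'add'")
        result[section].append(validate_entry(line, input_type))
    if len(result["add"]) + len(result["delete"]) > MAX_LOCAL_ENTRIES:
        raise ValueError(f"more than {MAX_LOCAL_ENTRIES} entries: use a remote file server feed")
    return result


def apply_feed(current, parsed: dict) -> set:
    """Host set after the add and delete sections are applied (assumed semantics:
    additions first, then deletions)."""
    return (set(current) | set(parsed["add"])) - set(parsed["delete"])


# Constructed sample: three newly compromised entries to add and one host that
# has been remediated and should drop off the Infected Hosts list.
SAMPLE_INFECTED_HOSTS = build_feed(
    "infected-hosts",
    add=["10.10.1.7", "10.10.2.0/30", "10.10.3.1-10.10.3.4"],
    delete=["10.10.9.9"],
)

if __name__ == "__main__":
    print(SAMPLE_INFECTED_HOSTS)
    print(parse_feed(SAMPLE_INFECTED_HOSTS, "infected-hosts"))
```

Run parse_feed over any file you are about to upload: it reports the first offending line and its reason, and enforces the 500-entry limit so you know in advance when the remote file server option is required instead. IPv4Network is called with strict=True deliberately, so a CIDR entry with host bits set (1.2.3.5/30) is rejected rather than silently widened to a block the author may not have intended.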

Table 2: Fields on the Create Custom Feed Page, Feeds with Remote File Server

Field

Description

Name

Enter a unique name of up to 32 characters. It must begin with an alphanumeric character, may contain only alphanumeric characters, dashes, and underscores, and cannot contain spaces.

Description

Enter a description for your custom feed; maximum length is 64 characters. You should make this description as useful as possible for all administrators.

Feed Type

Select one of the following custom feeds as a threat prevention type:

  • Dynamic Address

  • Allowlist

  • Blocklist

  • Infected Hosts

  • DDoS

  • CC (C&C Server)

Type of Server URL

Select one of the following:

  • http

  • https

Prefer https: a feed fetched over plain http is not protected against modification in transit, and a tampered allowlist or blocklist changes what the enforcement policy permits or blocks.

Server File URL

Enter the URL of the feed file on the remote file server.

Certificate Upload

(If the URL type is HTTPS)

Click Browse and select the CA certificate used to validate the remote server's certificate, then upload it.

If you do not upload a certificate for an https server URL, a warning is shown that no certificate was uploaded and asks whether you want to proceed. Click Yes to proceed without a certificate, or No to go back and upload one.

Username

Enter the username for the remote file server.

This is not a mandatory field. You can still proceed to create a custom feed without entering the username.

Password

Enter the password for the remote file server.

This is a mandatory field, if you have provided the username.

Update Interval

Select how often updates are retrieved from the remote file server: Hourly, Daily, Weekly, Monthly, or Never.

Sites

Select the required sites from the list to associate them with the custom feeds.

If you try to unassign a site from an Infected Hosts feed, a warning message is shown asking you to resolve all currently infected hosts on the endpoints within that site. To resolve the infected hosts, log in to the ATP Cloud UI, resolve the hosts, and then unassign the sites from Policy Enforcer. Always resolve the infected hosts before unassigning sites: once you unassign a site, you can no longer resolve its hosts.