Create Allowlists and Blocklists
Access these pages from Shared Services > ATP > Allowlists or Blocklists.
Use these pages to configure custom trusted and untrusted lists. You can also upload hash files.
Content downloaded from locations on the allowlist is trusted and does not have to be inspected for malware. Hosts cannot download content from locations on the blocklist, because those locations are untrusted.
-
Read the Allowlist and Blocklist Overview topic.
-
Decide on the type of item you intend to define: URL, IP, Hash, E-mail sender, C&C, ETI, or DNS,
-
Review current list entries to ensure the item you are adding does not already exist.
-
If you are uploading hash files, the files must be in a text file with each hash on its own single line.
To create Juniper ATP Cloud allowlists or blocklists:
Refer to the following tables for the data required by each tab.
IP
When you create a new IP list item, you must select the Type of list as IP. You must enter the required information. See the following table.
|
Setting |
Guideline |
|---|---|
|
IP |
Enter the IPv4 or IPv6 IP address. For example: 1.2.3.4 or 0:0:0:0:0:FFFF:0102:0304. CIDR notation and IP address ranges are also accepted. Any of the following IPv4 formats are valid: 1.2.3.4, 1.2.3.4/30, or 1.2.3.4-1.2.3.6. Any of the following IPv6 formats are valid: 1111::1, 1111::1-1111::9, or 1111:1::0/64. Note:
Address ranges: No more than a block of /16 IPv4 addresses and /48 IPv6 addresses are accepted. For example, 10.0.0.0-10.0.255.255 is valid, but 10.0.0.0-10.1.0.0 is not. Bitmasks: The maximum amount of IP addresses covered by bitmask in a subnet record for IPv4 is 16 and for IPv6 is 48. For example, 10.0.0.0/15 and 1234::/47 are not valid. |
|
Note:
To edit an existing allowlist or blocklist IP entry, select the check box next to the entry you want to edit, click the pencil icon and click OK. |
|
URL
When you create a new URL list item, you must choose the Type of list: URL. Enter the required information. See the following table.
|
Setting |
Guideline |
|---|---|
|
URL |
Enter the URL using the following format: juniper.net. Wildcards and protocols are not valid entries. The system automatically adds a wildcard to the beginning and end of URLs. Therefore juniper.net also matches a.juniper.net, a.b.juniper.net, and a.juniper.net/abc. If you explicitly enter a.juniper.net, it matches b.a.juniper.net, but not c.juniper.net. You can enter a specific path. If you enter juniper.net/abc, it matches x.juniper.net/abc, but not x.juniper.net/123. |
|
Note:
To edit an existing allowlist or blocklist URL entry, select the check box next to the entry you want to edit, click the pencil icon and click OK. |
|
Hash File
When you upload a hash file, it must be in a text file with each hash on its own single line. You can only have one running hash file. To add to it or edit it, see the instructions in the following table.
|
Field |
Guideline |
|---|---|
|
You can add custom allowlist and blocklist hashes for filtering, but they must be listed in a text file with each entry on a single line. You can only have one running hash file containing up to 15,000 file hashes. This is the “current” list, but you can add to it, edit it, and delete it at any time. |
|
|
SHA-256 Hash Item |
To add to hash entries, you can upload several text files and they will automatically combine into one file. See all, merge, delete and replace options below. Download—Click this button to download the text file if you want to view or edit it. You can select any of the following options from the Select Hash File Items Upload Option drop-down list:
Delete All or Delete Selected—Sometimes it’s more efficient to delete the current list rather than downloading it and editing it. Click this button to delete the current selected list or all lists that have been added and accumulated here. |
|
Source |
This says either Allowlist or Blocklist. |
|
Date Added |
The month, date, year, and time when the hash file was last uploaded or edited. |
Email Sender
Add email addresses to be allowlist or blocklist if found in either the sender or recipient of an email communication. Add addresses one at a time using the + icon.
|
Field |
Guideline |
|---|---|
|
Email address |
Enter an email address in the format name@domain.com. Wildcards and partial matches are not supported, but if you want to include an entire domain, you could enter only the domain as follows: domain.com |
|
If an email matches the blocklist, it is considered to be malicious and is handled the same way as an email with a malicious attachment. The email is blocked and a replacement email is sent. If an email matches the allowlist, that email is allowed through without any scanning. See SMTP Quarantine Overview. It is worth noting that attackers can easily fake the “From” email address of an email, making blocklists a less effective way to stop malicious emails. |
|
C&C Server
When you allowlist a C&C server, the IP or hostname is sent to Juniper Secure Edge to be excluded from any security intelligence blocklists or C&C feeds (both Juniper’s global threat feed and third party feeds). The server will also now be listed under the C&C allowlist management page.
You can enter C&C server data manually or upload a list of servers. That list must be a text file with each IP or Domain on its own single line. The text file must include all IPs or all Domains, each in their own file. You can upload multiple files, one at a time.
You can also manage allowlist and blocklist entries using the Threat Intelligence API. When adding entries to the allowlist/blocklist data, these will be available in the Threat Intelligence API under the following feed names: “whitelist_domain” or “whitelist_ip”, and “blacklist_domain” or “blacklist_ip.” See the Juniper ATP Cloud Threat Intelligence Open API Setup Guide for details on using the API to manage any custom feeds.
|
Field |
Guideline |
|---|---|
|
Type |
Select IP to enter the IP address of a C&C server that you want to add to the allowlist. Select Domain to allowlist an entire domain on the C&C server list. |
|
IP or Domain |
For IP, enter an IPv4 or IPv6 address. An IP can be IP address, IP range or IP subnet. For domain, use the following syntax: juniper.net. Wildcards are not supported. |
|
Description |
Enter a description that indicates why an item has been added to the list. |
|
You can also allowlist C&C servers directly from the C&C Monitoring page details view. See Command and Control Server Details. Warning:
Adding a C&C server to the allowlist automatically triggers a remediation process to update any affected hosts (in that realm) that have contacted the whitelisted C&C server. All C&C events related to this allowlisted server will be removed from the affected hosts’ events, and a host threat level recalculation will occur. If the host score changes during this recalculation, a new host event appears describing why it was rescored. (For example, “Host threat level updated after C&C server 1.2.3.4 was cleared.”) Additionally, the server will no longer appear in the list of C&C servers because it has been cleared. |
|
Encrypted Traffic Insights (ETI)
You can specify the IP address or domain names that you want to allowlist from encrypted traffic analysis. Use this tab to add, modify, or delete the allowlists for encrypted traffic analysis.
|
Field |
Guideline |
|---|---|
|
Type |
Select whether you want to specify the IP address or domain name for the allowlist. |
|
IP or Domain |
Enter the IP address or domain name for the allowlist. |
Domain Name System (DNS)
You can specify the domains that you want to allowlist from DNS filtering. Use this tab to add, modify, or delete the allowlists for DNS filtering.
|
Field |
Guideline |
|---|---|
|
URL |
Enter the URL for domain that you want to allowlist. |
|
Comments |
Enter a description that indicates why the domain has been added to the list. |
Juniper ATP Cloud periodically polls for new and updated content and automatically downloads it to Juniper Secure Edge. There is no need to manually push your allowlist or blocklist files.