NIOS RPZ feed recommendations to use after the feed revamp release in January 2025.

...

This guide is intended to ease the transition from the soon-to-be-deprecated Infoblox Threat Defense feeds, which are approaching end of service, to their updated versions, which are to be integrated into NIOS Response Policy Zones (RPZ). Infoblox recommends that NIOS users who currently rely on the soon-to-be-deprecated feeds switch to the new feeds as they become available in April 2024 to ensure continued comprehensive threat protection.

Best Practices

Note

Although the old-to-new feed mappings are shown for parity reasons, you need to configure feeds according to your appliance sizing. If you need a feed but your appliance cannot handle that volume, please work with sales to upgrade the appliance.

Infoblox recommends the following best practices for customers currently using the feeds to be deprecated.

  • Remove all to-be-deprecated feeds from NIOS RPZ prior to their EOS date in January 2025. Replace the deprecated feeds with the recommendations provided by Infoblox. When the to-be-deprecated feeds reach EOS, NIOS will no longer be able to sync them from the Infoblox Portal, leading to an error state.

  • When replacing feeds with the recommendations below, consider the policy settings (e.g., logging vs. blocking) of the currently used feeds and replicate them for the replacements.

...

The following NIOS RPZ feeds are available based on your subscription level. 

...

Feed Availability

| Feed Name | Essentials | Business On-Prem | Advanced |
|---|---|---|---|
| Infoblox Base | | | |
| Infoblox Base IP | NA | | |
| Infoblox High Risk | NA | NA | |
| Infoblox Medium Risk | NA | NA | |
| Infoblox Low Risk | NA | NA | |
| Infoblox Informational | NA | | |

For information on adding the new feeds to your appliance and on sizing requirements, see Sizing Guidelines for Trinzic Appliances.

...

| Feed Name | RPZ Feed Name | Description |
|---|---|---|
| Infoblox Base | infoblox-base.rpz.infoblox.local | The Infoblox Base feed enables protection against known malicious or compromised domains. This includes known malware, ransomware, APTs, exploit kits, malicious name servers, sinkholes, etc. We recommend blocking them for all users. |
| Infoblox Base IP | infoblox-base-ip.rpz.infoblox.local | The Infoblox Base IP feed enables protection against known malicious or compromised IP addresses. These IPs are known infrastructure to host threats that can act on or control a system by way of C&C malware downloads and active phishing sites. We recommend blocking them for all users. |
| Infoblox High Risk | infoblox-high-risk.rpz.infoblox.local | The Infoblox High Risk feed includes domains that are not yet confirmed but are highly suspicious. They are very likely to be used in a malicious act at some point. Although unconfirmed, these domains carry high threat and high confidence, so we recommend blocking them for most users. The feed includes Suspicious domains, Suspicious Lookalikes and Suspicious NOED (Newly Observed Emergent Domains) with a high combined score of threat and confidence levels. |
| Infoblox Medium Risk | infoblox-med-risk.rpz.infoblox.local | The Infoblox Medium Risk feed includes domains that are not yet confirmed but still pose medium risk. They are suspicious domains with a lower combined score of threat and confidence levels than the High Risk feed but a higher one than the Low Risk feed. They could still likely be used in a malicious act, so we recommend blocking them for most users. The feed includes Suspicious domains, Suspicious Lookalikes and Suspicious NOED (Newly Observed Emergent Domains) with a medium combined score of threat and confidence levels. |
| Infoblox Low Risk | infoblox-low-risk.rpz.infoblox.local | The Infoblox Low Risk feed includes domains that are not yet confirmed but are still suspicious. They could possibly be used in a malicious act. These domains carry a lower combined score of threat and confidence levels. It is recommended to monitor with the Allow-WithLog option for most users and have it in block mode for sensitive environments. The feed includes Suspicious domains, Suspicious Lookalikes and Suspicious NOED (Newly Observed Emergent Domains) with a lower combined score of threat and confidence levels. |
| Infoblox Informational | infoblox-informational.rpz.infoblox.local | The Infoblox Informational feed includes domains with low threat and confidence levels. These are for informational use per policy and sensitivity of the environment. This feed carries Newly Observed Emergent Domains (NOED). It is recommended to monitor with the Allow-WithLog option for most users and have it in block mode for sensitive environments (as new domains are not mission critical for the most part and it is best to enable them when they have been established for a longer time). |

Recommended Replacement Feed Mapping for NIOS (based on subscription level)

The following are the recommended NIOS feed replacements based on subscription level. For Infoblox Threat Defense Advanced, pay special attention to your appliance capacity when selecting replacement feeds.

...

Infoblox Business On-Prem and Business Cloud subscriptions contain all feeds included with the Infoblox Essentials subscription plus the following RPZ feeds:

...

Warning: Old-to-new feed conversions are shown for parity reasons. You need to configure feeds per your appliance and what is allowed per the appliance sizing. If you need the feed, but your appliance cannot handle that volume, please work with sales to upgrade the appliance. For information on feed recommendations per appliance sizing, please see Sizing Guidelines for Trinzic Appliances.

Infoblox Threat Defense Business On-Prem and Business Cloud RPZ Feed Mapping (old to new feeds)

| Old Feeds | to | New Feeds |
|---|---|---|
| Infoblox Antimalware IP | => | Infoblox Base IP |
| Newly Observed Emergent Domains (NOED) | => | Infoblox Informational |

Infoblox Business On-Prem contains all feeds included with the Infoblox Essentials subscription in addition to the feeds listed above.
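The best practice above of replicating each old feed's policy setting on its replacement can be checked before any change is made. The following is an added example, not Infoblox code: it plans the Business On-Prem / Business Cloud swap from the mapping on this page, carries the old action over, and flags where that differs from the page's recommendation. The inventory is constructed sample data, and the `block`/`log` labels are assumed shorthand for blocking and Allow-WithLog.

```python
# Old -> new mapping for Business On-Prem / Business Cloud, as listed on this page.
OLD_TO_NEW = {
    "Infoblox Antimalware IP": "Infoblox Base IP",
    "Newly Observed Emergent Domains (NOED)": "Infoblox Informational",
}
# New feed -> (RPZ feed name, action the page recommends for most users).
# "block" / "log" are assumed labels for blocking and Allow-WithLog.
NEW_FEEDS = {
    "Infoblox Base": ("infoblox-base.rpz.infoblox.local", "block"),
    "Infoblox Base IP": ("infoblox-base-ip.rpz.infoblox.local", "block"),
    "Infoblox Informational": ("infoblox-informational.rpz.infoblox.local", "log"),
}

def plan_migration(inventory):
    """inventory: {feed name: "block" | "log"} as configured today.
    Returns (steps, warnings, unmapped)."""
    steps, warnings, unmapped = [], [], []
    for feed, action in inventory.items():
        if feed in NEW_FEEDS:
            continue  # already a new feed, nothing to migrate
        new = OLD_TO_NEW.get(feed)
        if new is None:
            unmapped.append(feed)  # mapping not on this page: do not guess
            continue
        rpz, recommended = NEW_FEEDS[new]
        if new in inventory:
            # Replacement was added earlier; only check parity with the old feed.
            if inventory[new] != action:
                warnings.append(f"{new}: set to '{inventory[new]}', "
                                f"but {feed} was '{action}'")
        else:
            # Design choice of this example: add the replacement before removal.
            steps.append(("add", rpz, action))
            if action != recommended:
                warnings.append(f"{new}: carrying over '{action}', page "
                                f"recommends '{recommended}' for most users")
        steps.append(("remove", feed, None))
    return steps, warnings, unmapped

# Constructed sample inventory (not taken from a real appliance).
SAMPLE = {
    "Infoblox Base": "block",
    "Infoblox Antimalware IP": "block",
    "Newly Observed Emergent Domains (NOED)": "block",
    "Example Legacy Feed": "log",  # hypothetical name, no mapping on this page
}

if __name__ == "__main__":
    for part in plan_migration(SAMPLE):
        print(part)
```

Feeds returned in `unmapped` need the mapping table for their subscription level, which this page elides, before they can be planned.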

...