| Note | ||
|---|---|---|
| ||
For information on the recommended Rule Actions to be applied to feeds for the upcoming, August 22, 2023 feed changes, see the topic on Recommended Rule Actions in Preparation for the August Feed Deprecations. |
For each policy rule, such as custom lists, feed and Threat Insight, and category and application filters, you can define the action or override it as one of the following:
...
Depending on your subscription level, each feed and Threat Insight policy in the Default Global Policy comes with a default action.
...
| title | Recommended Actions |
|---|
New feed recommendations: It is recommended that you do the following regarding the new feeds:
- Add Suspicious Domains with one of the policy actions to Block.
- Add Suspicious Lookalikes with one of the policy actions to Block.
- Add Suspicious NOED with one of the policy actions to Block.
The following table includes the list of feeds that we will be retiring:
...
Feed
...
RPZ Name
...
Retirement Date
...
Reason
...
Bot-IP
...
bot-ip.rpz.infoblox.local
...
4/1/2023
...
IP addresses are frequently reused for multiple sites, and blocking the ones associated with such systems ran the high risk of inadvertent blocking (I.E. False Positive). Many indicators here could be blocked in other ways, so the source is blocked in other similar feeds, making this redundant.
...
Spambot-IP
...
spambot-ip.rpz.infoblox.local
...
4/1/2023
...
ExploitKit_IP
...
exploitkit-ip.rpz.infoblox.local
...
June 2023
...
Ext_ExploitKit_IP
...
ext-exploitkit-ip.rpz.infoblox.local
...
June 2023
...
Ext_TOR_Exit_Node_IP
...
ext-tor-exit-node-ip.rpz.infoblox.local
...
June 2023
...
NCCIC_Host
...
nccic-host.rpz.infoblox.local
...
The curation process for these feeds (I.E. removing false positives) frequently left these feeds empty. The ones that remained are present in other feeds, making these feeds redundant. | ||
NCCIC_IP | nccic-ip.rpz.infoblox.local | June 2023 |
| Note | ||
|---|---|---|
| ||
Ensure that you understand the ramification when overriding the default action for any threat feeds and Threat Insight rules before you do so. |
The following table lists the default actions and precedence for the feeds and Threat Insight in the Default Global Policy:
| Feed Name | Default Action | Default Precedence |
|---|
| Base | Block – No Redirect | 1 |
| AntiMalware | Block – No Redirect | 2 |
| Malware_ |
| DGA | Block – No Redirect | 3 |
| Ransomware | Block – No Redirect | 4 |
| SURBL_Multi | Block – No Redirect | 5 |
| Public_ |
| DOH | Block – No Redirect | 6 |
| Public_DOH_ |
| IP | Block – No Redirect | 7 |
| Threat Insight - DGA | Allow – With Log | 8 |
| Threat Insight-Data Exfiltration | Allow – With Log | 9 |
| Threat Insight-Fast Flux | Allow – With Log | 10 |
| Threat Insight-DNS Messenger | Allow – With Log | 11 |
| AntiMalware_IP | Allow – With Log | 12 |
| Ext_Base_AntiMalware | Allow – With Log | 13 |
| Ext_Ransomware | Allow – With Log | 14 |
| Ext_ |
| AntiMalware_ |
| IP |
| Allow – With Log | 15 |
| SURBL_Fresh | Allow – With Log | 16 |
| DHS_AIS_Domain | Allow – With Log | 17 |
| CryptoCurrency | Allow – With Log | 18 |
| TOR_Exit_Node_IP | Allow – With Log |
| 19 |
| Blocklist |
| Block – No |
| Redirect | 20 |
For information on adding and removing feeds from a security policy, see the following: