Versions Compared

Version Old Version 23 New Version 24
Changes made by

Gary Leicht

Gary Leicht

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

...

...

Given that IP addresses can be reused over a period of time, blocking IP addresses is riskier than blocking domains or hostnames. So, to avoid false positives, for those external or third-party IP-based feeds like DHS_AIS_IP that are added to policy through voluntary addition (other than what’s provided by default), Infoblox recommends only an ‘Allow-With Log’ policy action and not a  ‘Block’ policy action.


Note
titleAdvisory

For information on the recommended Rule Actions to be applied in preparation of the August 22, 2023 feed changes, see the topic on Recommended Rule Actions in Preparation of the August 2023 Feed Changes

 For information on recommended rule actions to be applied to feeds as replacement to the deprecated SURBL feeds, see Recommended Feed Configuration to Replace the SURBL Feeds

...

Note
title Feed Precedence Order
  • When configuring feed precedence order, the default Allow and default Block go on the top section, please remember to prioritize feeds configured with a Block action (Block - No Redirect, Block - Default Redirect, and/or Block - Redirect - <custom redirect name>) by placing them in positions of higher precedence in your policy compared to feeds configured with an Allow action (Allow - With Log, Allow - No Log, and/or Allow - Local Resolution). Within each of the Block and Allow section, place the high confidence feeds first, followed by medium confidence feeds and finally, the low confidences feed. Placing Blocked feeds higher in policy precedence order than Allowed feeds ensures that none of malicious domains are not allowed inadvertently, allowing security policy to perform as intended.
  • Ensure that you understand the ramification of overriding the default action for any threat feeds and Threat Insight rules before doing so.
  • Given that IP addresses can be reused over a period of time, blocking IP addresses is riskier than blocking domains or hostnames. So, to avoid false positives, for those external or third-party IP-based feeds like DHS_AIS_IP that are added to policy through voluntary addition (other than what’s provided by default), Infoblox recommends only an Allow-With Log policy action and not a Block policy action.

The following table lists the default actions and precedence for the feeds and Threat Insight in the Default Global Policy offered by Infoblox as of August 31, 2023. The default actions and precedence described applies only to new accounts created on or after August 31, 2023. Accounts created and configured prior to August 31, 2023 will not be affected by the new default actions and/or precedence described. In the case of prior existing accounts , the actions and precedence in effect at the time of custom list creation will not be altered. Ensure that you understand the ramification of overriding the default action for any threat feeds and Threat Insight rules before doing so.


Feed NameDefault ActionDefault Precedence
Default Allow ListAllow - No log1
Default Block ListBlock  – No Redirect2
Base HostnamesBlock  – No Redirect3
AntiMalwareBlock  – No Redirect4
Malware DGA HostnamesBlock  – No Redirect5
RansomwareBlock  – No Redirect6
Threat Insight - Rapid Domain TriageBlock  – No Redirect7
SuspiciousBlock  – No Redirect8
Suspicious LookalikesBlock  – No Redirect9
Suspicious NOEDBlock  – No Redirect10
DOH Public Hostnames Block  – No Redirect11
DOH Public IPsBlock  – No Redirect12
Newly Observed Emergent DomainsAllow – With Log13
Threat Insight - DGAAllow – With Log14
Threat Insight-Data ExfiltrationAllow – With Log15
Threat Insight-Fast FluxAllow – With Log16
Threat Insight-DNS MessengerAllow – With Log17
AntiMalware_IPAllow – With Log18
Threat Insight - Notional Data ExfiltrationAllow – With Log19
Extended Base and Anti-malware HostnamesAllow – With Log20
Extended Ransomware IPsAllow – With Log21
Extended AntiMalware IPsAllow – With Log22
DHS_AIS_ HostnameAllow – With Log23
Cryptocurrency hostnames and domainsAllow – With Log24
TOR Exit Node IPsAllow – With Log25

...