Versions Compared

Depending on your subscription level, each feed and Threat Insight policy in the Default Global Policy comes with a default action. 

...

Because this is a Versions Compared view, a row whose feed name or precedence differs between the two versions shows the text of both versions.

Feed Name | Default Action | Default Precedence
Default Allow List | Allow - No log | 1
Default Block List | Block – No Redirect | 2
Base Hostnames | Block – No Redirect | 3
AntiMalware | Block – No Redirect | 4
Malware_DGA Hostnames | Block – No Redirect | 5
Ransomware | Block – No Redirect | 6 | Threat Insight - Rapid Domain Triage
Public_DOH | Block – No Redirect | 7
Suspicious | Block – No Redirect | 8
Suspicious Lookalikes | Block – No Redirect | 9
Suspicious NOED | Block – No Redirect | 10
DOH Public Hostnames | Block – No Redirect | 11
DOH Public IPs Public_DOH_IP | Block – No Redirect | 12 | Newly Observed Emergent Domains | 8
Threat Insight - DGA | Allow – With Log | 13 | 9
Threat Insight - DGA Data Exfiltration | Allow – With Log | 14 | 10
Threat Insight - Notional Data Exfiltration | Allow – With Log | 15 | 11
Threat Insight - Fast Flux | Allow – With Log | 16 | 12
Threat Insight - DNS Messenger | Allow – With Log | 17 | 13
AntiMalware_IP | Allow – With Log | 18
Threat Insight - Notional Data Exfiltration | Allow – With Log | 19
Extended Base and Anti-malware Hostnames | | 14
Ext_Base_AntiMalware | Allow – With Log | 20 | 15
Extended Ext_Ransomware IPs | Allow – With Log | 21 | 16
Extended Ext_AntiMalware IPs_IP | Allow – With Log | 22 | 17
DHS_AIS_ Hostname Domain | Allow – With Log | 23 | 18
Cryptocurrency hostnames and domains | Allow – With Log | 24 | 19
TOR_Exit_Node IPs_IP | Allow – With Log | 25 | 20
Blocklist | Block – No Redirect | 21


Infoblox recommends adhering to the following best practices when configuring feed precedence. 

...

Note
  • Because IP addresses can be reused over time, blocking IP addresses is riskier than blocking domains or hostnames. To avoid false positives, for external or third-party IP-based feeds such as DHS_AIS_IP that are added to a policy voluntarily (beyond what is provided by default), Infoblox recommends only the Allow – With Log policy action and not a Block policy action.
  • Ensure that the precedence order assigned to the Security Policies is properly configured.
  • Make sure that the Geolocation option is enabled in the Security Policy so that ECS-supported domains receive the appropriate DNS response from the authoritative nameservers. For more information, see Best Practices for Data Connector.
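As an added illustration (not Infoblox code or documentation), the following Python model evaluates a query against feeds in precedence order and lints a policy against the two recommendations in the note above. It assumes first-match-wins evaluation in ascending precedence order, uses constructed sample indicators, and invents a precedence of 26 for DHS_AIS_IP; the feed names, actions and other precedences are taken from the table on this page.

```python
import ipaddress
from dataclasses import dataclass

# Simplified model of feed precedence (added example, not product code).
# Assumption: feeds are evaluated in ascending precedence and the first
# feed that matches the query decides the action.


@dataclass(frozen=True)
class Feed:
    name: str
    action: str            # "Allow - No log", "Block - No Redirect" or "Allow - With Log"
    precedence: int
    indicators: frozenset  # constructed sample indicators (domains or IP addresses)


def is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def matches(indicator: str, query: str) -> bool:
    """A domain indicator matches itself and any subdomain; an IP indicator matches exactly."""
    if is_ip(indicator):
        return indicator == query
    return query == indicator or query.endswith("." + indicator)


def evaluate(policy, query):
    """Return (feed name, action) of the first feed, in precedence order, that matches
    the query; if nothing matches, return (None, 'Allow - No log')."""
    for feed in sorted(policy, key=lambda f: f.precedence):
        if any(matches(ind, query) for ind in feed.indicators):
            return feed.name, feed.action
    return None, "Allow - No log"


def lint_policy(policy):
    """Flag the two configurations the best-practice note warns about."""
    warnings = []
    lowest = min(policy, key=lambda f: f.precedence)
    if lowest.name != "Default Allow List":
        warnings.append(
            f"'Default Allow List' is not first; '{lowest.name}' has precedence {lowest.precedence}")
    for feed in policy:
        ip_only = bool(feed.indicators) and all(is_ip(i) for i in feed.indicators)
        if ip_only and feed.action.startswith("Block") and feed.name != "Default Block List":
            warnings.append(
                f"IP-based feed '{feed.name}' is set to '{feed.action}'; "
                "recommended action is 'Allow - With Log'")
    return warnings


# Constructed sample policy: feed names and default precedences come from the table;
# the indicators and the DHS_AIS_IP precedence (26) are made up for this example.
POLICY = [
    Feed("Default Allow List", "Allow - No log", 1, frozenset({"corp.example"})),
    Feed("Default Block List", "Block - No Redirect", 2, frozenset({"banned.example"})),
    Feed("Ransomware", "Block - No Redirect", 6, frozenset({"ransom.example", "corp.example"})),
    Feed("AntiMalware_IP", "Allow - With Log", 18, frozenset({"203.0.113.10"})),
    Feed("DHS_AIS_IP", "Allow - With Log", 26, frozenset({"198.51.100.7"})),
]

# A misordered variant: the Ransomware feed is placed above the allow list, so an
# internal name also listed by the feed is blocked, and the third-party IP feed is
# set to block rather than allow-with-log.
MISORDERED = [
    Feed("Ransomware", "Block - No Redirect", 1, frozenset({"ransom.example", "corp.example"})),
    Feed("Default Allow List", "Allow - No log", 2, frozenset({"corp.example"})),
    Feed("DHS_AIS_IP", "Block - No Redirect", 26, frozenset({"198.51.100.7"})),
]

if __name__ == "__main__":
    for q in ["mail.corp.example", "ransom.example", "203.0.113.10", "unlisted.example"]:
        print(q, "->", evaluate(POLICY, q))
    print("mail.corp.example (misordered) ->", evaluate(MISORDERED, "mail.corp.example"))
    print(lint_policy(POLICY))
    print(lint_policy(MISORDERED))
```

The lint shows why the precedence bullet matters: with the Default Allow List at precedence 1, a name it contains is allowed even if a later feed also lists it, while the misordered policy blocks it.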
Advisory

For information on the recommended rule actions to be applied in preparation for the August 22, 2023 feed changes, see the topic Recommended Rule Actions in Preparation of the August 2023 Feed Changes.

For information on the recommended rule actions to be applied to feeds as replacements for the deprecated SURBL feeds, see Recommended Feed Configuration to Replace the SURBL Feeds.

...