Depending on your subscription level, each feed and Threat Insight policy in the Default Global Policy comes with a default action.
...
Ensure that you understand the ramification of overriding the default action for any threat feeds and Threat Insight rules before doing so.
| Feed Name | Default Action | Default Precedence |
|---|
| Default Allow | Allow - No log | 1 |
| Default Block | Block – No Redirect | 2 |
| Base | Block – No Redirect | 3 |
| AntiMalware | Block – No Redirect | 4 |
| Malware_DGA | Block – No Redirect | 5 |
| Ransomware | Block – No Redirect | 6 |
| Threat Insight - Zero Day DNS | Block – No Redirect | 7 |
| Suspicious_Domains | Block – No Redirect | 8 |
| Suspicious_ | Block – No Redirect | 9 |
| Suspicious_NOED | Block – No Redirect | 10 |
| Public_DOH | Block – No Redirect |
7| 11 |
| Public_DOH_IP | Block – No Redirect |
8 | 12 |
| NOED | Allow – With Log | 13 |
| Threat Insight - DGA | Allow – With Log |
9| 14 |
| Threat Insight - Data Exfiltration | Allow – With Log |
10| 15 |
| Threat Insight - Notional Data Exfiltration | Allow – With Log |
11| 16 |
| Threat Insight - Fast Flux | Allow – With Log |
12| 17 |
| Threat Insight - DNS Messenger | Allow – With Log |
13| 18 |
| AntiMalware_IP | Allow – With Log |
14| 19 |
| Ext_Base_AntiMalware | Allow – With Log |
15| 20 |
| Ext_Ransomware | Allow – With Log |
16| 21 |
| Ext_AntiMalware_IP | Allow – With Log |
17| 22 |
| DHS_AIS_ Domain | Allow – With Log |
18| 23 |
| Cryptocurrency | Allow – With Log |
19| 24 |
| TOR_Exit_Node_IP | Allow – With Log |
20| 25 |
| Blocklist | Block – No Redirect |
21
Infoblox recommends adhering to the following best practices when configuring feed precedence.
...
| Note |
|---|
|
- Given that IP addresses can be reused over a period of time, blocking IP addresses is riskier than blocking domains or hostnames. So, to avoid false positives, for those external or third-party IP-based feeds like DHS_AIS_IP that are added to policy through voluntary addition (other than what’s provided by default), Infoblox recommends only an Allow-With Log policy action and not a Block policy action.
|
- Ensure that the precedence order assigned to the Security Policies are properly configured.
- Make sure that Geolocation option is enabled in Security Policy to ensure that the ECS supported domains should get DNS response accordingly from the authoritative nameservers. For more information, see Best Practices for Data Connector.
- Ensure that the precedence order assigned to the Security Policies are properly configured.
| Note |
|---|
|
For information on the recommended Rule Actions to be applied in preparation of the August 22, 2023 feed changes, see the topic on Recommended Rule Actions in Preparation of the August 2023 Feed Changes. For information on recommended rule actions to be applied to feeds as replacement to the deprecated SURBL feeds, see Recommended Feed Configuration to Replace the SURBL Feeds. |
...
