Versions Compared

Old Version 5

changes.mady.by.user Gary Leicht

Saved on

compared with

New Version 6

changes.mady.by.user Gary Leicht

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Depending on your subscription level, each feed and Threat Insight policy in the Default Global Policy comes with a default action. 

...

Ensure that you understand the ramification of overriding the default action for any threat feeds and Threat Insight rules before doing so.



The following table lists the default actions and precedence for the feeds and Threat Insight in the Default Global Policy (to be supported until December 2024 and deprecated after December 2024):

Feed NameDefault ActionDefault Precedence
Default Allow ListAllow - No log1
Default Block ListBlock  – No Redirect2
Infoblox BaseBlock  – No Redirect3
Infoblox Base IPBlock  – No Redirect4
Infoblox High RiskBlock  – No Redirect5
Threat Insight - Zero Day DNSBlock  – No Redirect6
Infoblox Medium RiskBlock  – No Redirect7
Threat insight - DGAAllow – With Log8
Threat Insight - Data ExfiltrationAllow – With Log9
Threat Insight - Fast FluxAllow – With Log10
Threat Insight - DNS MessengerAllow – With Log11
Infoblox Low RiskAllow – With Log12
Infoblox InformationalAllow – With Log13
Threat Insight - Notional Data ExfiltrationAllow – With Log14


The following table lists the default actions and precedence for the feeds and Threat Insight in the Default Global Policy (to be supported until December 2024 and deprecated after December 2024):

Feed NameDefault ActionDefault Precedence
Default AllowAllow - No log1
Default BlockBlock  – No Redirect2
BaseBlock  – No Redirect3
AntiMalwareBlock  – No Redirect4
Malware_DGABlock  – No Redirect5
RansomwareBlock  – No Redirect6
Threat Insight - Zero Day DNSBlock  – No Redirect7
Suspicious_DomainsBlock  – No Redirect8
Suspicious_LookalikesBlock  – No Redirect9
Suspicious_NOEDBlock  – No Redirect10
Public_DOHBlock  – No Redirect11
Public_DOH_IPBlock  – No Redirect12
NOEDAllow – With Log13
Threat Insight - DGAAllow – With Log14
Threat Insight - Data ExfiltrationAllow – With Log15
Threat Insight - Notional Data ExfiltrationAllow – With Log16
Threat Insight - Fast FluxAllow – With Log17
Threat Insight - DNS MessengerAllow – With Log18
AntiMalware_IPAllow – With Log19
Ext_Base_AntiMalware Allow – With Log20
Ext_RansomwareAllow – With Log21
Ext_AntiMalware_IPAllow – With Log22
DHS_AIS_ DomainAllow – With Log23
CryptocurrencyAllow – With Log24
TOR_Exit_Node_IPAllow – With Log25
BlocklistBlock  – No Redirect26

...

Note
titleNote
  • Given that IP addresses can be reused over a period of time, blocking IP addresses is riskier than blocking domains or hostnames. So, to avoid false positives, for those external or third-party IP-based feeds like DHS_AIS_IP that are added to policy through voluntary addition (other than what’s provided by default), Infoblox recommends only an Allow-With Log policy action and not a Block policy action.
  • Ensure that the precedence order assigned to the Security Policies are properly configured.
  • Make sure that Geolocation option is enabled in Security Policy to ensure that the ECS supported domains should get DNS response accordingly from the authoritative nameservers. For more information, see Best Practices for Data Connector. 
  • Ensure that the precedence order assigned to the Security Policies are properly configured.
Note
titleAdvisory

For information on the recommended Rule Actions to be applied in preparation of the August 22, 2023 feed changes, see the topic on Recommended Rule Actions in Preparation of the August 2023 Feed Changes

For information on recommended rule actions to be applied to feeds as replacement to the deprecated SURBL feeds, see Recommended Feed Configuration to Replace the SURBL Feeds

...