Versions Compared

Old Version 7

changes.mady.by.user Gary Leicht

Saved on

compared with

New Version 8

changes.mady.by.user Gary Leicht

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Depending on your subscription level, each feed and Threat Insight policy in the Default Global Policy comes with a default action. 

...

Ensure that you understand the ramification of overriding the default action for any threat feeds and Threat Insight rules before doing so.

Info

The recommended feed precedence configurations are for reference only. They represent the results of lab testing in a controlled environment focused on individual protocol services. Enabling additional protocols, services, cache hit ratio for recursive DNS, and customer environment variables will affect performance. To design and size a solution for a production environment, please contact your Infoblox Solution Architect.

The following table lists the default actions and precedence for the feeds and Threat Insight in the Default Global Policy (to be supported until December 2024 and deprecated after December 2024):

...

  • When configuring feed precedence order, the default Allow and default Block go on the top section, please remember to prioritize feeds configured with a Block action (Block - No Redirect, Block - Default Redirect, and/or Block - Redirect - <custom redirect name>) by placing them in positions of higher precedence in your policy compared to feeds configured with an Allow action (Allow - With Log, Allow - No Log, and/or Allow - Local Resolution). Within each of the Block and Allow section, place the high confidence feeds first, followed by medium confidence feeds and finally, the low confidences feed. Placing Blocked feeds higher in policy precedence order than Allowed feeds ensures that none of malicious domains are not allowed inadvertently, allowing security policy to perform as intended.


Note
titleNote
  • Given that IP addresses can be reused over a period of time, blocking IP addresses is riskier than blocking domains or hostnames. So, to avoid false positives, for those external or third-party IP-based feeds like DHS_AIS_IP that are added to policy through voluntary addition (other than what’s provided by default), Infoblox recommends only an Allow-With Log policy action and not a Block policy action.
  • Ensure that the precedence order assigned to the Security Policies are properly configured.
  • Make sure that Geolocation option is enabled in Security Policy to ensure that the ECS supported domains should get DNS response accordingly from the authoritative nameservers. For more information, see Best Practices for Data Connector. 
  • Ensure that the precedence order assigned to the Security Policies are properly configured.
Note
titleAdvisory

For information on the recommended Rule Actions to be applied in preparation of the August 22, 2023 feed changes, see the topic on Recommended Rule Actions in Preparation of the August 2023 Feed Changes

For information on recommended rule actions to be applied to feeds as replacement to the deprecated SURBL feeds, see Recommended Feed Configuration to Replace the SURBL Feeds

...