Depending on your subscription level, each feed and Threat Insight policy in the Default Global Policy comes with a default action.
...
Feed Name | Default Action | Default Precedence
---|---|---
Default Allow | Allow - No Log | 1
Default Block | Block - No Redirect | 2
Base | Block - No Redirect | 3
AntiMalware | Block - No Redirect | 4
Malware_DGA | Block - No Redirect | 5
Ransomware | Block - No Redirect | 6
Threat Insight - Zero Day DNS | Block - No Redirect | 7
Suspicious_Domains | Block - No Redirect | 8
Suspicious_Lookalikes | Block - No Redirect | 9
Suspicious_NOED | Block - No Redirect | 10
Public_DOH | Block - No Redirect | 11
Public_DOH_IP | Block - No Redirect | 12
NOED | Allow - With Log | 13
Threat Insight - DGA | Allow - With Log | 14
Threat Insight - Data Exfiltration | Allow - With Log | 15
Threat Insight - Notional Data Exfiltration | Allow - With Log | 16
Threat Insight - Fast Flux | Allow - With Log | 17
Threat Insight - DNS Messenger | Allow - With Log | 18
AntiMalware_IP | Allow - With Log | 19
Ext_Base_AntiMalware | Allow - With Log | 20
Ext_Ransomware | Allow - With Log | 21
Ext_AntiMalware_IP | Allow - With Log | 22
DHS_AIS_ Domain | Allow - With Log | 23
Cryptocurrency | Allow - With Log | 24
TOR_Exit_Node_IP | Allow - With Log | 25
Blocklist | Block - No Redirect | 26
...
Policy and Feeds Configuration Recommendations
The Custom List configuration should come next, followed by setting up additional feeds and filters in two sections: Block and Allow. Feeds are prioritized above filter rules in each section, and block rules should be established before allow rules. In each of the Block and Allow sections, place the high confidence feeds first, the medium confidence feeds below them, and the low confidence feeds last.
- When configuring the feed precedence order, the default Allow and default Block lists go in the top section. Below them, give feeds configured with a Block action (Block - No Redirect, Block - Default Redirect, and/or Block - Redirect - <custom redirect name>) higher precedence than feeds configured with an Allow action (Allow - With Log, Allow - No Log, and/or Allow - Local Resolution). Within each of the Block and Allow sections, place the high confidence feeds first, followed by the medium confidence feeds and finally the low confidence feeds. Placing Block feeds above Allow feeds in the precedence order ensures that no malicious domain is inadvertently allowed by an earlier Allow match, so the security policy performs as intended.
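To make the ordering rule concrete, here is an added example that is not Infoblox code or documentation: a small first-match model of a security policy that reorders rules into the recommended tiers (defaults on top, then the Block section, then the Allow section, each ordered high to medium to low confidence) and reports rules that sit out of order. Feed names and action strings are taken from this page; the confidence rating assigned to each feed, the sample indicators, and the first-match evaluation semantics are assumptions made for the example.

```python
# Added example (not Infoblox code): a first-match model of a DNS security policy used
# to check the precedence recommendations above. Feed names and actions come from the
# page; the confidence ratings, the sample indicators and the first-match evaluation
# itself are assumptions made for this example.
from dataclasses import dataclass

# Position of the two default lists at the top of the policy (order taken from the page).
DEFAULT_ORDER = {"Default Allow": 0, "Default Block": 1}
# Ranking of the confidence levels named on the page, high first.
CONF_RANK = {"high": 0, "medium": 1, "low": 2}


@dataclass(frozen=True)
class Rule:
    name: str            # feed or list name
    action: str          # rule action string, e.g. "Block - No Redirect"
    confidence: str      # "high", "medium" or "low" (assumed rating for this example)
    domains: frozenset   # constructed sample indicators carried by this feed


def is_block(rule: Rule) -> bool:
    """Any 'Block - ...' variant counts as a Block action."""
    return rule.action.startswith("Block")


def sort_key(rule: Rule) -> tuple:
    """Recommended tier: defaults, then the Block section, then the Allow section,
    each section ordered high -> medium -> low confidence."""
    if rule.name in DEFAULT_ORDER:
        return (0, DEFAULT_ORDER[rule.name], 0)
    return (1, 0 if is_block(rule) else 1, CONF_RANK[rule.confidence])


def recommended_order(rules: list) -> list:
    """Reorder a policy to follow the recommendations (stable, so ties keep their order)."""
    return sorted(rules, key=sort_key)


def ordering_violations(rules: list) -> list:
    """List every pair where a lower-priority rule sits above a higher-priority one."""
    problems = []
    for i, earlier in enumerate(rules):
        for later in rules[i + 1:]:
            if sort_key(earlier) > sort_key(later):
                problems.append(f"'{later.name}' should precede '{earlier.name}'")
    return problems


def evaluate(rules: list, domain: str) -> tuple:
    """First match wins: return (rule name, action) of the first rule listing the domain.
    The fall-through result when nothing matches is an assumption, not documented behaviour."""
    for rule in rules:
        if domain in rule.domains:
            return rule.name, rule.action
    return None, "Allow - No Log"


# A deliberately misordered policy built from constructed sample indicators.
# 'mining.example' appears in both a Block feed and an Allow feed, so its fate
# depends entirely on which of the two is evaluated first.
MISORDERED = [
    Rule("Default Allow", "Allow - No Log", "high", frozenset({"intranet.corp.example"})),
    Rule("Cryptocurrency", "Allow - With Log", "medium", frozenset({"mining.example"})),
    Rule("Default Block", "Block - No Redirect", "high", frozenset({"banned.example"})),
    Rule("NOED", "Allow - With Log", "low", frozenset({"brandnew.example"})),
    Rule("Suspicious_Domains", "Block - No Redirect", "medium", frozenset({"susp.example"})),
    Rule("AntiMalware", "Block - No Redirect", "high", frozenset({"mining.example", "dropper.example"})),
]

if __name__ == "__main__":
    print("violations:", *ordering_violations(MISORDERED), sep="\n  ")
    print("misordered :", evaluate(MISORDERED, "mining.example"))
    fixed = recommended_order(MISORDERED)
    print("recommended:", [r.name for r in fixed])
    print("fixed      :", evaluate(fixed, "mining.example"))
```

Running the block shows the failure mode the recommendation guards against: with the Cryptocurrency feed (Allow - With Log) listed above AntiMalware, `mining.example` is allowed and merely logged; once the policy is reordered so that Block feeds precede Allow feeds, the same query is blocked. `ordering_violations` can be run against an exported policy order as a quick audit of the precedence list before changes are applied.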
- Ensure that the precedence order assigned to the Security Policies is properly configured.
- Make sure that the Geolocation option is enabled in the Security Policy so that ECS-supported domains receive DNS responses from the authoritative nameservers accordingly. For more information, see Best Practices for Data Connector.
Note: For information on the recommended Rule Actions to be applied in preparation for the August 22, 2023 feed changes, see the topic Recommended Rule Actions in Preparation of the August 2023 Feed Changes. For information on recommended rule actions to be applied to feeds as replacements for the deprecated SURBL feeds, see Recommended Feed Configuration to Replace the SURBL Feeds.
...