Rule actions define how traffic is handled when it matches a policy rule, such as a custom list, a feed, Threat Insight, or a category or application filter. For each rule, you can specify the action or override its default with one of the following options:
Rule Actions:

Allow – With Log: Grants traffic access to a domain or IP address that hits a specific feed or security policy, and logs the queries in all relevant reports.

Allow – No Log: Grants traffic access to a domain or IP address that hits a specific feed or security policy, but does not log the queries in any reports.

Allow – Local Resolution: Only available for application filters. Allows web applications to bypass DNS and resolve locally on the host.

Block – No Redirect: Denies traffic access to a domain or IP address if it matches a specific feed.

Block – Default Redirect: Routes traffic to the default Infoblox page or to a custom message configured for the Redirect Page.

Block – Redirect – <custom redirect name>: Routes traffic to a destination based on the IP address or domain you have configured for the Redirect Page. For information about configuring a custom redirect page, see Defining the Redirect Page.
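The following is an added example, not Infoblox code, showing how the rule actions above translate a DNS query into a response and (where the action permits it) a log record. The feed and list names, the indicator domains, the RFC 5737 addresses, the log format and the rule ordering are all constructed for illustration; list order stands in for the precedence of the Default Global Policy, so a custom allow list placed first overrides a feed that lists the same domain.

```python
"""Toy model of policy rule actions (constructed example, not Infoblox code)."""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class Action(Enum):
    ALLOW_LOG = "Allow - With Log"
    ALLOW_NO_LOG = "Allow - No Log"
    ALLOW_LOCAL_RESOLUTION = "Allow - Local Resolution"  # application filters only
    BLOCK_NO_REDIRECT = "Block - No Redirect"
    BLOCK_DEFAULT_REDIRECT = "Block - Default Redirect"
    BLOCK_CUSTOM_REDIRECT = "Block - Redirect - <custom redirect name>"


DEFAULT_REDIRECT_IP = "192.0.2.1"  # assumed stand-in for the default Infoblox redirect page


@dataclass
class Rule:
    name: str            # feed, custom list or application filter name
    kind: str            # "feed", "custom_list" or "application_filter"
    domains: frozenset   # constructed indicators, as bare domain names
    action: Action
    redirect: Optional[str] = None  # target configured for a custom redirect

    def __post_init__(self):
        # Local Resolution is only valid for application filters.
        if self.action is Action.ALLOW_LOCAL_RESOLUTION and self.kind != "application_filter":
            raise ValueError(f"{self.name}: Local Resolution is only valid for application filters")
        if self.action is Action.BLOCK_CUSTOM_REDIRECT and not self.redirect:
            raise ValueError(f"{self.name}: custom redirect needs a Redirect Page target")

    def matches(self, qname: str) -> bool:
        # RPZ-style QNAME matching: the name itself or any parent domain.
        labels = qname.rstrip(".").lower().split(".")
        return any(".".join(labels[i:]) in self.domains for i in range(len(labels)))


@dataclass
class Response:
    qname: str
    rcode: str             # "NOERROR" or "NXDOMAIN"
    answer: Optional[str]  # A record handed to the client, if any
    rule: Optional[str]    # name of the rule that decided the outcome
    logged: bool           # whether the query is written to reports


def evaluate(rules: List[Rule], qname: str, upstream_answer: str = "198.51.100.7") -> Response:
    """Apply the first matching rule; unmatched queries resolve normally."""
    for rule in rules:
        if not rule.matches(qname):
            continue
        a = rule.action
        if a is Action.ALLOW_LOG:
            return Response(qname, "NOERROR", upstream_answer, rule.name, True)
        if a is Action.ALLOW_NO_LOG:
            return Response(qname, "NOERROR", upstream_answer, rule.name, False)
        if a is Action.ALLOW_LOCAL_RESOLUTION:
            # Modelled as: no policy answer, the host resolves the name itself.
            # Whether this is logged is not stated on the page; logged here (assumption).
            return Response(qname, "NOERROR", None, rule.name, True)
        if a is Action.BLOCK_NO_REDIRECT:
            return Response(qname, "NXDOMAIN", None, rule.name, True)
        if a is Action.BLOCK_DEFAULT_REDIRECT:
            return Response(qname, "NOERROR", DEFAULT_REDIRECT_IP, rule.name, True)
        if a is Action.BLOCK_CUSTOM_REDIRECT:
            return Response(qname, "NOERROR", rule.redirect, rule.name, True)
    # No rule matched: normal resolution (logging of unmatched queries is out of scope here).
    return Response(qname, "NOERROR", upstream_answer, None, False)


def log_line(resp: Response) -> Optional[str]:
    """Constructed log format; None means the action suppressed logging."""
    if not resp.logged:
        return None
    return f"qname={resp.qname} rule={resp.rule} rcode={resp.rcode} answer={resp.answer}"


# Constructed policy. The custom allow list comes first so it overrides the feed
# that also lists partner.example; reverse the order and the block wins.
RULES = [
    Rule("corp-allowlist", "custom_list", frozenset({"partner.example"}), Action.ALLOW_NO_LOG),
    Rule("Suspicious Domains", "feed", frozenset({"evil.example", "partner.example"}),
         Action.BLOCK_DEFAULT_REDIRECT),
    Rule("Suspicious Lookalikes", "feed", frozenset({"paypa1.example"}),
         Action.BLOCK_CUSTOM_REDIRECT, redirect="192.0.2.10"),
    Rule("Suspicious NOED", "feed", frozenset({"newdom.example"}), Action.BLOCK_NO_REDIRECT),
    Rule("office-apps", "application_filter", frozenset({"teams.example"}),
         Action.ALLOW_LOCAL_RESOLUTION),
]

if __name__ == "__main__":
    for q in ("mail.partner.example", "www.evil.example", "paypa1.example",
              "newdom.example", "teams.example", "unrelated.example"):
        r = evaluate(RULES, q)
        print(f"{q:22} -> {r.rcode:8} answer={r.answer!s:12} via={r.rule} log={log_line(r)}")
```

The two things worth noticing when you run it are the rows that differ only in logging (the allow list is allowed but leaves no trace in reports, which is exactly the trade-off Allow – No Log makes) and the effect of reversing the rule order, which is the toy equivalent of the precedence the Default Global Policy applies.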
Depending on your subscription level, each feed and Threat Insight policy in the Default Global Policy comes with a default action.
...
Recommended Actions:
It is recommended that you do the following for the new feeds:
- Add Suspicious Domains to your policy with one of the Block actions.
- Add Suspicious Lookalikes to your policy with one of the Block actions.
- Add Suspicious NOED to your policy with one of the Block actions.
The following table lists the feeds that are being retired:
Feed | RPZ Name | Retirement Date | Reason |
---|---|---|---|
Bot-IP | bot-ip.rpz.infoblox.local | 4/1/2023 | IP addresses are frequently reused for multiple sites, and blocking the ones associated with such systems ran a high risk of inadvertent blocking (i.e. false positives). Many indicators here could be blocked in other ways, so the source is blocked in other similar feeds, making this feed redundant. |
Spambot-IP | spambot-ip.rpz.infoblox.local | 4/1/2023 | Same as Bot-IP. |
ExploitKit_IP | exploitkit-ip.rpz.infoblox.local | June 2023 | Same as Bot-IP. |
Ext_ExploitKit_IP | ext-exploitkit-ip.rpz.infoblox.local | June 2023 | Same as Bot-IP. |
Ext_TOR_Exit_Node_IP | ext-tor-exit-node-ip.rpz.infoblox.local | June 2023 | Same as Bot-IP. |
NCCIC_Host | nccic-host.rpz.infoblox.local | June 2023 | The curation process for these feeds (i.e. removing false positives) frequently left them empty. The indicators that remained are present in other feeds, making these feeds redundant. |
NCCIC_IP | nccic-ip.rpz.infoblox.local | June 2023 | Same as NCCIC_Host. |
Because these feeds are being retired, NIOS platforms will no longer be able to download them, which may surface as a zone transfer failure for the corresponding RPZ zones. To avoid this, remove these feeds from your NIOS configuration as soon as possible. As they have been empty for a long time, removing them has no negative effect on the organization's security posture. This affects only NIOS platforms that use these RPZ feeds; cloud-based configurations are updated automatically.
Note: Ensure that you understand the ramifications of overriding the default action for any threat feed or Threat Insight rule before you do so.
The following table lists the default actions and precedence for the feeds and Threat Insight in the Default Global Policy:
...
Related Information:
For details on adding or removing feeds from a security policy, see the following topics:
...