For each policy rule, such as custom lists, feed and Threat Insight, and category and application filters, you can define the action or override it as one of the following:
- Allow – With Log: Grants traffic access to a domain or IP address that hits a particular feed or security policy, and logs the queries to all relevant reports.
- Allow – No Log: Grants traffic access to a domain or IP address that hits a particular feed or security policy, but does not log the queries to any reports.
- Allow - Local Resolution: This rule action is only available when configuring an application filter. It allows web applications to bypass DNS and resolve on the local host.
- Block – No Redirect: Denies traffic access to a domain or an IP address if it matches that of a particular feed.
- Block – Default Redirect: Routes traffic to the default Infoblox page or a custom message that you have configured for the Redirect Page.
- Block – Redirect – <custom redirect name>: Routes traffic to a destination based on the IP address or domain you have configured for the Redirect Page. For information about how to configure a custom redirect page, see Defining the Redirect Page.
Depending on your subscription level, each feed and Threat Insight policy in the Default Global Policy comes with a default action.
Recommended Actions
New feed recommendations: It is recommended that you do the following regarding the new feeds:
- Add Suspicious Domains with one of the policy actions to Block.
- Add Suspicious Lookalikes with one of the policy actions to Block.
- Add Suspicious NOED with one of the policy actions to Block.
The following table includes the list of feeds that we will be retiring:
Feed | RPZ Name | Retirement Date | Reason |
Bot-IP | bot-ip.rpz.infoblox.local | 4/1/2023 | IP addresses are frequently reused for multiple sites, and blocking the ones associated with such systems ran the high risk of inadvertent blocking (I.E. False Positive). Many indicators here could be blocked in other ways, so the source is blocked in other similar feeds, making this redundant. |
Spambot-IP | spambot-ip.rpz.infoblox.local | 4/1/2023 | |
ExploitKit_IP | exploitkit-ip.rpz.infoblox.local | June 2023 | |
Ext_ExploitKit_IP | ext-exploitkit-ip.rpz.infoblox.local | June 2023 | |
Ext_TOR_Exit_Node_IP | ext-tor-exit-node-ip.rpz.infoblox.local | June 2023 | |
NCCIC_Host | nccic-host.rpz.infoblox.local | June 2023 | The curation process for these feeds (I.E. removing false positives) frequently left these feeds empty. The ones that remained are present in other feeds, making these feeds redundant. |
NCCIC_IP | nccic-ip.rpz.infoblox.local | June 2023 |
As these feeds are being retired, NIOS platforms will no longer be able to download them. This may present itself as a problem with the Zone transfer. To avoid this issue, these feeds should be removed as soon as possible. As they have been empty for a long time, there will be no negative effect on the organization’s security posture. This only affects NIOS platforms using these RPZ feeds, as cloud-based configurations are updated automatically.
Note
Ensure that you understand the ramification when overriding the default action for any threat feeds and Threat Insight rules before you do so.
The following table lists the default actions and precedence for the feeds and Threat Insight in the Default Global Policy:
| Feed Name | Default Action | Default Precedence |
|---|---|---|
| AntiMalware | Block – No Redirect | 1 |
| Base | Block – No Redirect | 2 |
| DHS_AIS_Domain | Block – No Redirect | 3 |
| Malware_DGA | Block – No Redirect | 4 |
| Ransomware | Block – No Redirect | 5 |
| Suspicious_NOED | Block – No Redirect | 6 |
| Suspicious_Lookalikes | Block – No Redirect | 7 |
| Suspicious_Domains | Block – No Redirect | 8 |
| AntiMalware_IP | Allow – With Log | 9 |
| Bogon | Allow – With Log | 10 |
| DHS_AIS_IP | Allow – With Log | 11 |
| Ext_AntiMalware_IP | Allow – With Log | 12 |
| Ext_Base_AntiMalware | Allow – With Log | 13 |
| Ext_Ransomware | Allow – With Log | 14 |
| US_OFAC_Sanctions_IP_Embargoed | Allow – With Log | 15 |
| TOR_Exit_Node_IP | Allow – With Log | 16 |
| Threat Insight-Data Exfiltration | Allow – With Log | 17 |
| Threat Insight - DGA | Allow – With Log | 18 |
| Threat Insight-DNS Messenger | Allow – With Log | 19 |
| Threat Insight-Fast Flux | Allow – With Log | 20 |
| CryptoCurrency | Allow – With Log | 21 |
| Spambot_DNSBL_IP | Allow – With Log | 22 |
| NOED | Allow – With Log | 23 |
| FarSightNOD | Allow – With Log | 24 |
| ETQRisk | Allow – With Log | 25 |
| ETQRisk_IP | Allow – With Log | 26 |
| EECN_IP | Allow – No Log | 27 |
| Public_DOH | Allow – No Log | 28 |
| Public_DOH_IP | Allow – No Log | 29 |
For information on adding and removing feeds from a security policy, see the following: