Advisory
For information on the recommended Rule Actions to be applied in preparation of the August 22, 2023 feed changes, see the topic on Recommended Rule Actions in Preparation of the August 2023 Feed Changes.
For information on recommended rule actions to be applied to feeds as replacement to the deprecated SURBL feeds, see Recommended Feed Configuration to Replace the SURBL Feeds.
For each policy rule, such as custom lists, feed and Threat Insight, and category and application filters, you can define the action or override it as one of the following:
- Allow – With Log: Grants traffic access to a domain or IP address that hits a particular feed or security policy, and logs the queries to all relevant reports.
- Allow – No Log: Grants traffic access to a domain or IP address that hits a particular feed or security policy, but does not log the queries to any reports.
- Allow - Local Resolution: This rule action is only available when configuring an application filter. It allows web applications to bypass DNS and resolve on the local host.
- Block – No Redirect: Denies traffic access to a domain or an IP address if it matches that of a particular feed.
- Block – Default Redirect: Routes traffic to the default Infoblox page or a custom message that you have configured for the Redirect Page.
- Block – Redirect – <custom redirect name>: Routes traffic to a destination based on the IP address or domain you have configured for the Redirect Page. For information about how to configure a custom redirect page, see Defining the Redirect Page.
Depending on your subscription level, each feed and Threat Insight policy in the Default Global Policy comes with a default action.
Feed Precedence Order
- When configuring feed precedence order, Please remember to prioritize feeds configured with a Block action (Block - No Redirect, Block - Default Redirect, and/or Block - Redirect - <custom redirect name>) by placing them in positions of higher precedence in your policy compared to feeds configured with an Allow action (Allow - With Log, Allow - No Log, and/or Allow - Local Resolution).Placing Blocked feeds higher in policy precedence order than Allowed feeds ensures that your security policy performs as intended.
- Ensure that you understand the ramification of overriding the default action for any threat feeds and Threat Insight rules before doing so.
The following table lists the default actions and precedence for the feeds and Threat Insight in the Default Global Policy:
| Feed Name | Default Action | Default Precedence |
|---|---|---|
| Base | Block – No Redirect | 1 |
| AntiMalware | Block – No Redirect | 2 |
| Malware_DGA | Block – No Redirect | 3 |
| Ransomware | Block – No Redirect | 4 |
| Public_DOH | Block – No Redirect | 6 |
| Public_DOH_IP | Block – No Redirect | 7 |
| Threat Insight - DGA | Allow – With Log | 8 |
| Threat Insight-Data Exfiltration | Allow – With Log | 9 |
| Threat Insight-Fast Flux | Allow – With Log | 10 |
| Threat Insight-DNS Messenger | Allow – With Log | 11 |
| AntiMalware_IP | Allow – With Log | 12 |
| Ext_Base_AntiMalware | Allow – With Log | 13 |
| Ext_Ransomware | Allow – With Log | 14 |
| Ext_AntiMalware_IP | Allow – With Log | 15 |
| DHS_AIS_Domain | Allow – With Log | 16 |
| CryptoCurrency | Allow – With Log | 17 |
| TOR_Exit_Node_IP | Allow – With Log | 18 |
For information on adding and removing feeds from a security policy, see the following: