Precedence Rules for Security Policies
Precedence Order
Infoblox Threat Defense evaluates security policies in ascending precedence order: the policy rule with the lowest precedence number has the highest priority and is evaluated first. The precedence order for executing rules in a security policy, from highest to lowest priority, is as follows:
Default Lists
Custom Lists
Feeds and Threat Insights
Category Filters
Application Filters
Default Policy Rules shown with precedence order (example)
General Rules:
Apart from the Default & Custom section, Block feeds should be listed above Allow feeds.
Within each Block or Allow section, feeds are listed by confidence (High, Medium, then Low).
Table legend: rows are marked as High Confidence feed, Medium Confidence feed, or Low Confidence feed (shown by row colour in the original table).

| Feed | Default Action | Precedence | Section |
| --- | --- | --- | --- |
| Default Allow | ALLOW - No Log | 1 | Default Section |
| Default Block | BLOCK - No Redirect | 2 | Default Section |
| Infoblox Base | BLOCK - No Redirect | 3 | Block Section |
| Infoblox Base IP | BLOCK - No Redirect | 4 | Block Section |
| Infoblox High Risk | BLOCK - No Redirect | 5 | Block Section |
| Threat Insight - Zero Day DNS | BLOCK - No Redirect | 6 | Block Section |
| Infoblox Medium Risk | BLOCK - No Redirect | 7 | Block Section |
| Infoblox Low Risk | ALLOW - With Log | 8 | Allow Section |
| Infoblox Informational | ALLOW - With Log | 9 | Allow Section |
| Threat Insight - DGA | ALLOW - With Log | 10 | Allow Section |
| Threat Insight - Data Exfiltration | ALLOW - With Log | 11 | Allow Section |
| Threat Insight - DNS Messenger | ALLOW - With Log | 12 | Allow Section |
| Threat Insight - Notional Data Exfiltration | ALLOW - With Log | 13 | Allow Section |

The following feeds are not included in the default policy rules. Users can add them as policy rules with the corresponding action, per their own policy:

| Feed | Default Action |
| --- | --- |
| Bogon | Not Included |
| Cryptocurrency hostnames and domains | Not Included |
| TOR Exit Node IPs | Not Included |
| DHS_AIS_IP | Not Included |
| EECN IPs | Not Included |
| Spambot IPs DNSBL | Not Included |
| US OFAC Sanctions IPs | Not Included |
| Sanctions Med | Not Included |
| Sanctions High | Not Included |
| Farsight Newly Observed Domains (NOD) | Not Included |
| Proofpoint ETIQRisk Hostname | Not Included |
| Proofpoint ETIQRisk IP | Not Included |
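As an added worked example (not Infoblox's own code), the following Python models the evaluation the table above describes: a query listed by several feeds resolves to the rule with the lowest precedence number, and a checker flags any Block rule placed below an Allow rule outside the Default section. The feed membership and domain names are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    feed: str
    action: str       # "ALLOW" or "BLOCK" (log / redirect options omitted here)
    precedence: int   # lower number = evaluated first
    section: str      # "Default", "Block" or "Allow", as in the table


# Subset of the example table above; precedence numbers are the page's.
POLICY = [
    Rule("Default Allow", "ALLOW", 1, "Default"),
    Rule("Default Block", "BLOCK", 2, "Default"),
    Rule("Infoblox Base", "BLOCK", 3, "Block"),
    Rule("Infoblox High Risk", "BLOCK", 5, "Block"),
    Rule("Infoblox Medium Risk", "BLOCK", 7, "Block"),
    Rule("Infoblox Low Risk", "ALLOW", 8, "Allow"),
    Rule("Threat Insight - DGA", "ALLOW", 10, "Allow"),
]

# Constructed feed membership (which feeds list a domain); not real indicators.
MEMBERSHIP = {
    "bad.example": {"Infoblox Low Risk", "Infoblox High Risk"},
    "partner.example": {"Default Allow", "Infoblox Medium Risk"},
    "dga-like.example": {"Threat Insight - DGA"},
}


def evaluate(domain, policy=POLICY, membership=MEMBERSHIP):
    """Return (feed, action) of the matching rule with the lowest precedence
    number, or (None, None) when no rule in the policy lists the domain."""
    listed_in = membership.get(domain, set())
    for rule in sorted(policy, key=lambda r: r.precedence):  # ascending order
        if rule.feed in listed_in:
            return rule.feed, rule.action
    return None, None


def ordering_violations(policy):
    """General rule check: outside the Default/Custom section every BLOCK rule
    must sit above (lower number than) every ALLOW rule. Returns the feeds of
    BLOCK rules that are placed below the first ALLOW rule."""
    rules = sorted((r for r in policy if r.section != "Default"),
                   key=lambda r: r.precedence)
    first_allow = next((r.precedence for r in rules if r.action == "ALLOW"), None)
    if first_allow is None:
        return []
    return [r.feed for r in rules
            if r.action == "BLOCK" and r.precedence > first_allow]
```

Note that "partner.example" is allowed even though it is on the Medium Risk feed, because Default Allow (precedence 1) is evaluated before the Block section.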
Default Policy Rules with content and application categorization rules shown with precedence order (example)
General Rules:
Apart from the Default & Custom section, Block feeds should be listed above Allow feeds.
Within each Block or Allow section, feeds are listed by confidence (High, Medium, then Low).
Table legend: rows are marked as High Confidence feed, Medium Confidence feed, or Low Confidence feed (shown by row colour in the original table).

| Feed | Default Action | Precedence | Section |
| --- | --- | --- | --- |
| Default Allow | ALLOW - No Log | 1 | Default and Custom (if any) Section |
| Default Block | BLOCK - No Redirect | 2 | Default and Custom (if any) Section |
| Custom List (if any manually configured) | BLOCK - No Redirect | 3 | Default and Custom (if any) Section |
| Infoblox Base | BLOCK - No Redirect | 4 | Block Section |
| Infoblox Base IP | BLOCK - No Redirect | 5 | Block Section |
| Infoblox High Risk | BLOCK - No Redirect | 6 | Block Section |
| Threat Insight - Zero Day DNS | BLOCK - No Redirect | 7 | Block Section |
| Infoblox Medium Risk | BLOCK - No Redirect | 8 | Block Section |
| Categorization filter (if any manually configured) | BLOCK - No Redirect | 9 | Block Section |
| Application filter (if any manually configured) | BLOCK - No Redirect | 10 | Block Section |
| Infoblox Low Risk | ALLOW - With Log | 11 | Allow Section |
| Infoblox Informational | ALLOW - With Log | 12 | Allow Section |
| Threat Insight - DGA | ALLOW - With Log | 13 | Allow Section |
| Threat Insight - Data Exfiltration | ALLOW - With Log | 14 | Allow Section |
| Threat Insight - DNS Messenger | ALLOW - With Log | 15 | Allow Section |
| Threat Insight - Notional Data Exfiltration | ALLOW - With Log | 16 | Allow Section |
| Categorization filter (if any manually configured) | ALLOW - With Log | 17 | Allow Section |
| Application filter (if any manually configured) | ALLOW - With Log | 18 | Allow Section |