Best Practices for Deploying Combination Threat Feeds
Before deploying combination threat feeds, observe the following best practices to ensure a successful deployment:
Choose the set of feeds that best describes your organization: Low, Medium or High. If in doubt, most organizations are best served with Medium.
Deploy the set of feeds together. For example, if “Medium” best describes your organization, deploy both ib-med-block and ib-med-log together.
Do not deploy one set together with any other set. For example, do not deploy Medium together with High. Choose one set and deploy it alone.
Do not deploy a set together with any of the individual feeds listed in Contents of Combination Feeds. Those feeds are already included in the combination feeds, so deploying both duplicates indicators and can produce conflicting policy actions for the same indicator.
Deploy blocking feeds as close to the first policy action as possible (potentially after a global allow list).
Deploy logging feeds after all blocking feeds. Policy actions are evaluated in order and the first match wins, so an indicator that appears in both a logging feed and a blocking feed would otherwise match the logging rule first and be allowed (and merely logged) instead of blocked.
What to do if you have already deployed a combination threat feed?
If you have already deployed a combination threat feed, check your policy against the best practices above. Specifically:
If you have deployed two or more sets of combination feeds, remove the lower sets as these are already reflected in the higher sets. For example, if you have deployed all three (Low, Medium, and High), remove Low and Medium because the indicators in these sets are already reflected in High.
If you have deployed one of the sets along with any of the feeds reflected in the Contents of Combination Feeds table at Configuring Combination Threat Feeds, remove those feeds from the policy actions list, as they are already reflected in the set you selected.
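The ordering rules in the best-practices list and the clean-up steps above amount to a handful of checks over an ordered policy-action list, so here is an added example that applies them as a linter. This is illustrative code written for this page, not Infoblox's own tooling. It assumes that the Low and High feeds follow the same ib-<set>-block / ib-<set>-log naming pattern as ib-med-block and ib-med-log (only the Medium names appear on this page), that each policy entry carries one of the actions "allow", "block" or "log", and it uses placeholder names in place of the Contents of Combination Feeds table, which is not reproduced here. The sample policies are constructed.

```python
"""Lint an ordered list of RPZ policy actions against the combination-feed
best practices. Added example for this page; not Infoblox code."""
from dataclasses import dataclass

# Assumption: Low and High feeds are named like the Medium ones on the page.
TIER_ORDER = ["low", "med", "high"]

# Placeholders for the "Contents of Combination Feeds" table (not on this page).
# Replace with the real component feed names before using this against a policy.
COMPONENT_FEEDS = {"component-feed-a", "component-feed-b"}


@dataclass(frozen=True)
class PolicyAction:
    feed: str    # feed / zone name as it appears in the policy
    action: str  # "allow" (global allow list), "block", or "log" (passthru + log)


def lint_policy(actions, component_feeds=COMPONENT_FEEDS):
    """Return a list of findings; an empty list means the policy is compliant."""
    findings = []
    feeds = [a.feed for a in actions]

    # Rule 1: deploy exactly one set, and deploy its block and log feeds together.
    tiers_present = [t for t in TIER_ORDER
                     if f"ib-{t}-block" in feeds or f"ib-{t}-log" in feeds]
    if len(tiers_present) > 1:
        highest, lower = tiers_present[-1], tiers_present[:-1]
        findings.append(f"more than one set deployed; remove {', '.join(lower)} "
                        f"(already reflected in {highest})")
    for t in tiers_present:
        for kind in ("block", "log"):
            if f"ib-{t}-{kind}" not in feeds:
                findings.append(f"set {t} is incomplete: ib-{t}-{kind} is missing")

    # Rule 2: no individual component feed alongside a combination set.
    if tiers_present:
        dup = [f for f in feeds if f in component_feeds]
        if dup:
            findings.append("remove feeds already reflected in the combination set: "
                            + ", ".join(dup))

    # Rule 3: blocking feeds first (only a global allow list may precede them),
    # and every logging feed after the last blocking feed, because the first
    # matching policy action wins.
    block_idx = [i for i, a in enumerate(actions) if a.action == "block"]
    if block_idx:
        first_block, last_block = block_idx[0], block_idx[-1]
        early = [a.feed for a in actions[:first_block] if a.action != "allow"]
        if early:
            findings.append(f"{actions[first_block].feed} should follow only a global "
                            f"allow list, but comes after: {', '.join(early)}")
        for a in actions[:last_block]:
            if a.action == "log":
                findings.append(f"logging feed {a.feed} precedes blocking feed "
                                f"{actions[last_block].feed}; a first match would "
                                f"allow the indicator")
    return findings


# Constructed sample policies (not taken from a real deployment).
GOOD_POLICY = [
    PolicyAction("corp-allow-list", "allow"),
    PolicyAction("ib-med-block", "block"),
    PolicyAction("ib-med-log", "log"),
]
BAD_POLICY = [
    PolicyAction("ib-med-log", "log"),          # log feed ahead of blocking feeds
    PolicyAction("component-feed-a", "block"),  # already inside the combination set
    PolicyAction("ib-med-block", "block"),
    PolicyAction("ib-high-block", "block"),     # second set deployed
    PolicyAction("ib-high-log", "log"),
    PolicyAction("ib-low-block", "block"),      # third set, and its log feed is missing
]

if __name__ == "__main__":
    for name, policy in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        print(f"{name}: {lint_policy(policy) or 'compliant'}")
```

Run it as-is to see the six findings for BAD_POLICY; to lint a real policy, export the ordered policy actions into PolicyAction entries and replace COMPONENT_FEEDS with the names from the Contents of Combination Feeds table.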