topic Re: ioc_feeds whitelist in Firewall and Security Management

ioc_feeds whitelist

skidsteerpilot — Thu, 04 Nov 2021 13:58:41 GMT

re: R80.40

We are ingesting ioc feeds via ioc_feeds command. We would like to have a process in place for whitelisting individual ip/url/domain in case the need arises. The logs show the feeds are being processed via anti-bot and anti-virus blades. What would be the most efficient method to accomplish this?

Re: ioc_feeds whitelist

PhoneBoy — Fri, 05 Nov 2021 04:19:17 GMT

IOC Feeds are done by AB/AV blades.
@TP_Master is there a way to explicitly allow something that would be blocked by an ioc_feed?

Re: ioc_feeds whitelist

skidsteerpilot — Fri, 03 Dec 2021 15:52:38 GMT

We are still looking for a solution to whitelisting individual domain/url/ip that are ingested via ioc_feeds. TAC has not been able to provide a solution.

We are currently manually removing domain/url/ip that we need access to (false positives) and repushing ioc_feeds. This has to be done on a separate feed server and then the push on the gateway. This process is not sustainable.

We have tried:
1. using the "Add Exception" link on the Prevent log associated with the lookup
2. create manual "Global" exception using "Domain" as "Destination"
3. create manual "Global" exception using "Custom Application Site" and domain regex as seen in SK165094
4. 3&4 in "Recommended Protections Exceptions"

Maybe this can not be done, but I would think anyone using ioc_feeds would have a viable solution to whitelist individual entries as users discover false positives.

A caveat we have discovered is after an exception is put in place, there seems to be a short window of opportunity where it appears the exception is working, possible during reload, but then it fails. The 'window' seems to range in time, nothing specific. So, when working with TAC or on our own, there have been several occasions of high-fives, only later to discover the site in question is still blocked.

If anyone is working with ioc_feeds and has a whitelisting process that works, we would be interested to hear how that happens.

Re: ioc_feeds whitelist

huseyinyildirim — Fri, 01 Apr 2022 08:28:37 GMT

Any developments with this? I am facing the same issue and have not been able to figure out how to whitelist individual url/ip?

Re: ioc_feeds whitelist

skidsteerpilot — Fri, 01 Apr 2022 13:05:16 GMT

Unfortunately not. I've ended up creating a separate text file of ip/urls to whitelist and then added a function in the script that creates the feed lists to remove any items found in that whitelist file. Thankfully, there have only been a handful that we have had to apply this to. Not elegant, but functional (so far).

Re: ioc_feeds whitelist

PhoneBoy — Fri, 01 Apr 2022 13:37:29 GMT

There is a feature in R81.20 that might work better here for this use case: Network Feed object.
This should support both IPs and URLs and can be used in the Access Policy, making it significantly more flexible.

Re: ioc_feeds whitelist

skidsteerpilot — Fri, 01 Apr 2022 13:41:59 GMT

That sounds good. We're on R80.40. Upgrade planning is in progress so will look forward to this! Thank you.