Ryan_Ryan
Advisor

Intelligence feeds - FQDNs

We are interested in enabling some public feeds, (sk132193) for dynamic blocking of malicious IP and Domains.

My question is, we have had a few hiccups with FQDN rules in the past and have found we should only use FQDN objects in very specific rules (otherwise our box dies from too many DNS lookups). So I am wondering what happens if we use a feed such as http://osint.bambenekconsulting.com/feeds/c2-dommasterlist.txt: does the firewall do an immediate lookup of the domains and block the IPs, or does it work in the same way as an FQDN object and do a reverse DNS lookup of every packet that passes?

Also is there any issue with using multiple feeds at the same time?

Keen to hear from someone who has enabled this feature!

4 Replies
TP_Master
Employee

Hi Ryan, 

The intelligence feeds feature does not utilize any FQDN objects. It uses the URL reputation subsystem that is used by the AV and AB blades, so it is simply a match between the URL in the traffic and the URL in the feed.

You can add more than one feed. In fact, I can share that most of our customers add more than one. 

Ryan_Ryan
Advisor

Hi, thanks for that great information.

So would that indicate customers without https inspection would not get full benefit from threat feeds that contain URLs? (URL would not be visible in TLS packets) 

TP_Master
Employee

Not all malicious sites use HTTPS, so it's not that protections are totally inefficient without HTTPS inspection.

That said, I looked into the feed you mentioned and it is actually domain-based, meaning these domains can be blocked during the DNS query phase, which also happens if the traffic afterwards is HTTPS.

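To make the two answers above concrete (a feed is a flat list of entries matched against what is seen in traffic, and a domain-based feed can fire on the DNS query even when the later connection is HTTPS), here is an added worked example. It is not Check Point's code and not the format of the real bambenek feed; the feed text, the "domain,description" line layout and the DNS/HTTP event records are all constructed for illustration. It parses the feed, then checks DNS query names and HTTP Host headers against it, matching parent domains so that a subdomain of a listed domain is also caught.

```python
"""Added example: match a domain-based intelligence feed against traffic events.

Not Check Point's code. The feed format, sample entries and events below are
constructed for illustration only.
"""
from __future__ import annotations

from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed sample feed (NOT the real c2-dommasterlist). Assumed layout:
# comment lines start with '#', data lines are "domain,description".
SAMPLE_FEED = """# constructed sample feed, for illustration only
bad-example.test,Domain used by constructed malware family A
evil-c2.example,Domain used by constructed malware family B
# end of constructed feed
"""

# Constructed traffic events as a sensor might log them: DNS queries carry
# the queried name, HTTP requests carry the Host header (possibly with a port).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"type": "dns", "client": "10.0.0.5", "qname": "www.bad-example.test."},
    {"type": "http", "client": "10.0.0.6", "host": "cdn.example.org"},
    {"type": "http", "client": "10.0.0.7", "host": "evil-c2.example:8080"},
    {"type": "dns", "client": "10.0.0.8", "qname": "example.org"},
]


def normalize_domain(name: str) -> str:
    """Lower-case, drop a trailing dot and any ':port' suffix from a Host header."""
    name = name.strip().lower().rstrip(".")
    if ":" in name:
        name = name.split(":", 1)[0]
    return name


def parse_domain_feed(text: str) -> Set[str]:
    """Parse the constructed feed layout into a set of normalized domains.

    Blank lines and '#' comments are skipped; only the first comma-separated
    field (the domain) of each data line is kept.
    """
    domains: Set[str] = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        domain = normalize_domain(line.split(",", 1)[0])
        if domain:
            domains.add(domain)
    return domains


def is_listed(name: str, feed: Set[str]) -> Optional[str]:
    """Return the feed entry that covers `name`, or None.

    The name itself and each parent domain are tried, so
    'www.bad-example.test' matches a feed entry 'bad-example.test'.
    The bare top-level label is never tried, so 'test' alone cannot match.
    """
    labels = normalize_domain(name).split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in feed:
            return candidate
    return None


def scan_events(
    events: Iterable[Dict[str, str]], feed: Set[str]
) -> List[Tuple[Dict[str, str], str]]:
    """Return (event, matched_feed_entry) for every event that hits the feed.

    DNS events are checked on the query name, HTTP events on the Host header.
    A TLS connection without inspection exposes no Host header, which is why
    the DNS-phase match matters: the lookup that precedes it is still visible.
    """
    hits: List[Tuple[Dict[str, str], str]] = []
    for event in events:
        if event["type"] == "dns":
            observed = event["qname"]
        elif event["type"] == "http":
            observed = event["host"]
        else:
            continue  # other event types carry no name to match on
        entry = is_listed(observed, feed)
        if entry is not None:
            hits.append((event, entry))
    return hits


if __name__ == "__main__":
    feed = parse_domain_feed(SAMPLE_FEED)
    for event, entry in scan_events(SAMPLE_EVENTS, feed):
        print(f"{event['client']} matched feed entry {entry} via {event['type']}")
```

Running it reports the DNS query from 10.0.0.5 (a subdomain of a listed domain) and the HTTP request from 10.0.0.7 (Host header with a port), while the two example.org events pass. In a real deployment the feed is refreshed on a schedule and the match is done by the gateway, but the shape of the check is the same: a set lookup per observed name, not a DNS resolution per packet.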
Ryan_Ryan
Advisor

Thanks again. In our case we do have full HTTPS inspection on, so that should be fine. I just wanted to be 100% sure that it was indeed a layer 7 header inspection rather than DNS.
