Create a Post
Showing results for 
Search instead for 
Did you mean: 
Employee Employee

IOC feed - end user experience

Just wondering if anyone who has deployed IOC feeds (sk132193 ) has ever thought that end user gets two totally different experiences depending on how the feed is set up. I'm referring to feed based on domain names / URLs btw.

Basically if you block the whole domain (i.e. in log screenshot below) you will get a blank screen reporting that name lookup failed as FW will block it (or return DNS Trap IP if configured). So if I'm just a regular person, seeing blank screen with obscure Name_err message is not very helpful.

Example screenshot:






Whereas second case where we block a specific path in the domain (, end user will get a proper "Access Blocked" webpage generated by FW AntiBot/AntiVirus blade. Very informative and helpful.

You can actually see which type of protection actually kicked in (URL vs DNS)



I realise that DNS block is way more effective from security point of view as no data is actually is transmitted plus less resource hungry. But I still find that "educating" end user is a big and important piece. And those well defined "Access blocked" webpages are really helpful.

Question is - is it possible to customise IOC feed behaviour on AB/AV balde so that we allow DNS request through and display proper block page in the browser?

4 Replies
Champion Champion

It doesn't seem to be possible to create another IOC observable to let the DNS lookup for go through by specifying an action of Inactive only if it is on UDP port 53.  But maybe you could create a TP exception like this:

Protected Scope: Any

Source: Any

Destination: Any

Protection/Site/File/Blade: (IOC Observable for

Services: dns (this is the key)

Action: Inactive

Track: Log

Wouldn't this exception let the DNS lookup for go through because it is on UDP port 53 and matches the exception, but then let the URL be blocked and return the informative UserCheck to the user via a URL Reputation Block?


Gateway Performance Optimization R81.20 Course
now available at
Employee Employee

It's worth a try but would require "special" translation app to handle such case to create two lines for the feed! Thanks for the idea Tim!

0 Kudos

IOC URL Indicator work on HTTP traffic and IOC Domain indicator work on DNS + HTTP traffic

Currently, IOC feature doesn't support define a specific protocol for domain 

0 Kudos
Employee Employee

thanks @rachelda !

I've played a bit more now and changed the feed type from domain to URL, but I'm still getting very inconsistent results. You can see two examples below:


1) gave me AB userchek block page very first time, but later DNS started being blocked and blank response in browser. Could be it will generate block message only once per session

2) yandex case just gave me blank page = DNS was blocked. 

Screenshot shows difference between two cases - first one generated log for both - DNS and URL reputation. The second only DNS. Even though both are defined as URL feeds.




0 Kudos


Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events