Cloud NGFW for AWS
Configure Intelligent Feed on Cloud NGFW for AWS
Table of Contents
Configure Intelligent Feed on Cloud NGFW for AWS
Learn how to configure intelligent feed on your Cloud NGFW resource.
| Where Can I Use This? | What Do I Need? |
|---|---|
|
|
A security rule object is a single object or collective unit that groups
discrete identities such as IP addresses, fully-qualified domain names (FQDN),
intelligent feeds, or certificates. Typically, when creating a policy object, you
group objects that require similar permissions in policy. For example, if your
organization uses a set of server IP addresses for authenticating users, you can
group the set of server IP addresses as a prefix list object and reference that
prefix list in one or more security rule. Group object allows you to significantly
reduce the administrative overhead in creating rules.
An intelligent feed, also called an external dynamic list, is a list that you or
third-parties can host on an external web server. You can specify the Intelligence
Feed as the source or destination of your security rule. The NGFW checks the hosted
list at hourly or daily intervals, and enforces your security rules based on the
latest entries on your list, without requiring you to make any configuration changes.
- Intelligent Feed—an intelligent feed, also called an external dynamic list (EDL), is an ongoing stream of data related to potential or current threats to an organization’s security. An intelligent feed records and tracks IP addresses and URLs that are associated with threats such as phishing scams, malware, bots, spyware, ransomware, and more.Cloud NGFW includes four built-in intelligent feeds.
- Palo Alto Networks Bulletproof IP Addresses—Contains IP addresses provided by bulletproof hosting providers. Because bulletproof hosting providers place few, if any, restrictions on content, attackers frequently use these services to host and distribute malicious, illegal, and unethical material.
- Palo Alto Networks High-Risk IP Addresses—Contains malicious IP addresses from threat advisories issued by trusted third-party organizations. Palo Alto Networks compiles the list of threat advisories, but does not have direct evidence of the maliciousness of the IP addresses.
- Palo Alto Networks Known Malicious IP Addresses—Contains IP addresses that are verified malicious based on WildFire analysis, Unit 42 research, and data gathered from telemetry. Attackers use these IP addresses almost exclusively to distribute malware, initiate command-and-control activity, and launch attacks.
- Palo Alto Networks Tor Exit IP Addresses—Contains IP addresses supplied by multiple providers and validated with Palo Alto Networks threat intelligence data as active Tor exit nodes. Traffic from Tor exit nodes can serve a legitimate purpose, however, is disproportionately associated with malicious activity, especially in enterprise environments.
You can connect your NGFW with Palo Alto Networks built-in intelligence feeds and third-party intelligent feeds to provide up-to-date information about threats to your network. If the connection requires specifying decryption certificates, you can configure Cloud NGFW to use a Cloud NGFW Certificate object described below.
For IP and URL lists:
- IP List—Enforce policy for a list of source or destination IP addresses that emerge ad hoc by using an intelligent feed of type IP address as the source or destination address object in policy rules and configure the NGFW to deny or allow access to the IP addresses included in the list. The NGFW treats an IP List intelligent feed as an address object, and all IP addresses included are handled as one address object.The intelligent feed can include individual IP addresses, subnet addresses (address/mask), or range of IP addresses. In addition, the block list can include comments and special characters such as * , : , ; , #, or /. The syntax for each line in the list is [IP address, IP/Mask, or IP start range-IP end range] [space] [comment].Enter each IP address/range/subnet in a new line; URLs or domains are not supported in this list. A subnet or an IP address range, such as 92.168.20.0/24 or 192.168.20.40-192.168.20.50, count as one IP address entry and not as multiple IP addresses. If you add comments, the comment must be on the same line as the IP address/range/subnet. The space at the end of the IP address is the delimiter that separates a comment from the IP addressAn example IP address list:
192.168.20.10/32 2001:db8:123:1::1 #test IPv6 address 192.168.20.0/24 ; test internal subnet 2001:db8:123:1::/64 test internal IPv6 range 192.168.20.40-192.168.20.50 - URL List—Protect your network from new sources of threat or malware using URLs. The NGFW handles an intelligent feed with URLs like a custom URL category. For more information on the formatting of URL list, see Cloud NGFW on AWS Advanced URL Filtering.
The NGFW requires a certificate object to access the intelligent feed. For more
information, see Add a Certificate to Cloud NGFW for AWS.
- Select Rulestacks and select a previously-created rulestack on which to configure file blocking.Select .Enter a descriptive Name for your intelligent feed.(optional) Enter a description for your intelligent feed.Select the intelligent feed Type.Enter the Source URL.Select the Certificate Profile.Set the Update Frequency—Hourly or Daily.Click Save.
