
Creating Blocklists for Juniper ATP Cloud Email and Malware Management

 

Use the Modify Blocklist page to add email addresses, IP addresses, and URLs to the blocklist. A blocklist contains known untrusted IP addresses, URLs, and domains. Access to locations on the blocklist is blocked, and therefore no content can be downloaded from those sites.

Before You Begin

  • Read the Juniper ATP Cloud Email Management Overview topic.

  • Read the Juniper ATP Cloud Malware Management Overview topic.

  • Compile a list of known malicious email addresses or domains to add to your blocklist. If an email matches the blocklist, it is considered malicious and is handled the same way as an email with a malicious attachment: it is blocked and a replacement email is sent. If an email matches the allowlist, that email is allowed through without any scanning.

  • It is worth noting that attackers can easily fake the “From” email address of an email, making blocklists a less effective way to stop malicious emails.

  • Decide on the type of location you intend to define: URL or IP address.

  • Review the current list of entries to ensure that the item you are adding does not already exist.

To configure the blocklists:

  1. Select Configure > Threat Prevention > Feed Sources.

    The Feed Sources page appears.

  2. Under the ATP Cloud tab, right-click the ATP Cloud realm and select Blocklist, or select Blocklist from the More list.

    The Modify Blocklist page appears.

  3. Click the + sign to add more entries to the blocklist.
  4. Complete the configuration by using the guidelines in Table 1.
  5. Click OK.

Table 1: Fields on the Modify Blocklist Page

| Field | Description |
|---|---|
| Email List | |
| Email Sender | The allowed email senders are listed here. To add more email senders to the blocklist, click the + sign. Enter the full address in the format name@domain.com or wildcard the name to permit all emails from a specific domain. For example, *@domain.com. |
| Malware List | |
| IP and URL | Enter an IP address or a URL. IP: Enter an IPv4 address in standard four-octet format. CIDR notation and IP address ranges are also accepted. Any of the following formats are valid: 1.2.3.4, 1.2.3.4/30, or 1.2.3.4-1.2.3.6. URL: Enter the URL using the following format: juniper.net. Wildcards and protocols are not valid entries. The system automatically adds a wildcard to the beginning and end of URLs. Therefore juniper.net also matches a.juniper.net, a.b.juniper.net, and a.juniper.net/abc. If you explicitly enter a.juniper.net, it matches b.a.juniper.net, but not c.juniper.net. You can enter a specific path. If you enter juniper.net/abc, it matches x.juniper.net/abc, but not x.juniper.net/123. |

To edit an existing blocklist entry, select the blocklist that you want to edit and click the pencil icon.

Juniper ATP Cloud periodically polls for new and updated content and automatically downloads it to your SRX Series device. There is no need to manually push your blocklist files.
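
The entry formats in Table 1 can be checked offline before you add them. The following Python sketch is an added example, not Juniper code: it parses the three IP forms, rejects URL entries that contain a protocol or wildcard, and reports whether a new entry is already covered by an existing one. All function names are hypothetical, and the implicit leading and trailing wildcard is modelled as a plain substring match, which is an assumption consistent with the examples in Table 1.

```python
import ipaddress

def parse_ip_entry(entry):
    """Networks covered by an IP entry (single, CIDR or range), else None."""
    try:
        if "-" in entry:  # range form, e.g. 1.2.3.4-1.2.3.6
            first, last = (ipaddress.IPv4Address(p.strip())
                           for p in entry.split("-", 1))
            return list(ipaddress.summarize_address_range(first, last))
        return [ipaddress.IPv4Network(entry, strict=False)]  # 1.2.3.4 or 1.2.3.4/30
    except ValueError:
        return None

def classify_entry(entry):
    """Return ("ip", networks) or ("url", text); reject invalid URL entries."""
    entry = entry.strip()
    nets = parse_ip_entry(entry)
    if nets is not None:
        return "ip", nets
    if not entry or "://" in entry or "*" in entry:
        raise ValueError(f"wildcards and protocols are not valid entries: {entry!r}")
    return "url", entry.lower()

def url_entry_matches(entry, url):
    """Assumed model of the implicit *entry* wildcard: substring of host+path."""
    target = url.lower().split("://", 1)[-1]  # ignore any scheme on the tested URL
    return entry.lower() in target

def ip_entry_matches(entry, addr):
    """True if addr falls inside the single address, CIDR block or range."""
    ip = ipaddress.IPv4Address(addr)
    return any(ip in net for net in parse_ip_entry(entry) or [])

def already_covered(new_entry, existing):
    """True if an existing entry already blocks everything new_entry would."""
    kind, value = classify_entry(new_entry)
    for old in existing:
        old_kind, old_value = classify_entry(old)
        if kind != old_kind:
            continue
        if kind == "url" and url_entry_matches(old_value, value):
            return True
        if kind == "ip" and all(any(n.subnet_of(m) for m in old_value)
                                for n in value):
            return True
    return False
```

Running `already_covered` against an export of the current list addresses the "review the current list of entries" step under Before You Begin.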