Creating Custom Feeds
Use the Create Custom Feed page to configure the Dynamic Address, Allowlist, Blocklist, Infected Hosts, DDoS, and C&C Server custom feeds. These feeds provide relevant and timely intelligence that you can use to create enforcement policies.
Before You Begin
Know what type of feed you are configuring and have all the necessary information on hand. Local feeds are created on your local system and uploaded from there.
Note that infected hosts are hosts known to be compromised. For an infected host custom feed, enter host IP addresses manually or upload a text file with the IP addresses of infected hosts.
If you create an allowlist, blocklist, or infected hosts feed, it will override the respective Juniper ATP Cloud/JATP feed.
Note that when ATP Cloud/JATP only mode is selected as the Threat Prevention Type, the infected host and DDoS custom feeds are not available.
To create local file and remote file custom feeds:
- Select Configure > Threat Prevention > Feed Sources.
The Feed Sources page appears. If you make no selection for ATP Cloud/JATP Configuration Type on the Policy Enforcer Settings page, only custom feeds are available as the threat prevention type.
- Click Create and select one of the following:
Feeds with local files—Enter your data manually into the provided fields or upload from a text file on your local machine.
Feeds with remote file server—Configure communication with the remote server to fetch the data feed from it.
- Complete the configuration by using the guidelines in Table 1 or Table 2.
- Click OK.
To use a custom feed of dynamic-address type, apply it to the source or destination address in a firewall rule. In the firewall rule, you can filter addresses to show only the custom feeds.
If a firewall policy rule was created using the dynamic address, you cannot delete that dynamic address from the Feed Sources page. You must first delete the firewall policy rule and then delete the dynamic address from the Feed Sources page.
When you have no ATP Cloud/JATP Configuration Type selected (No selection), ATP Cloud/JATP realms are disabled. Because site selection is usually done from the ATP Cloud/JATP realm page, you must select sites from the Create Custom Feed page when in “No selection” mode. The custom feeds are then downloaded to the devices in the chosen sites. This is the only time site selection is available on the Create Custom Feed page.
Table 1: Fields on the Create Custom Feed Page, Feeds with Local Files
Field | Description |
---|---|
Name | Enter a unique string that must begin with an alphanumeric character and can include only dashes and underscores; no spaces allowed; 32-character maximum. |
Description | Enter a description for your custom feed; maximum length is 64 characters. You should make this description as useful as possible for all administrators. |
Feed Type | Select one of the following custom feeds as a threat prevention type: |
Sites | Select the required sites from the list to associate them with the dynamic address, allowlist, blocklist, or C&C Server feeds. In the default mode (no ATP Cloud), only sites are listed because there is no ATP Cloud. You can share a site across the same feed type for dynamic address, allowlist, blocklist, and C&C Server. For Infected hosts and DDoS, sites cannot be shared across the same feed type. However, you can share a site across different feed types. |
Zones/Realms | Select the required realms from the list if you are in Cloud feeds only, ATP Cloud/JATP, or ATP Cloud/JATP with Juniper Connected Security mode. Associate these realms with dynamic address, allowlist, blocklist, and C&C Server feeds. You can share a realm across the same feed type for dynamic address, allowlist, blocklist, and C&C Server. For Infected hosts and DDoS, realms cannot be shared across the same feed type. However, you can share a realm across different feed types. ATP Cloud/JATP realms without any assigned sites are not listed here; only realms with associated sites are listed. Note: If a site is associated with a tenant, the ATP Cloud/JATP realm displays the list in the <realm-name>(Tenant:<tenant-name>) format. |
User Input Type (Available for Allowlist and Blocklist) | Select one of the following input types for Allowlist and Blocklist: |
Custom List | Do one of the following: |
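Because a custom allowlist, blocklist, or infected hosts feed overrides the corresponding Juniper ATP Cloud/JATP feed, a local feed is worth checking before it is uploaded. The following pre-upload check is an added example, not part of the Juniper documentation or product. It reads the Table 1 Name rule as "alphanumerics, dashes, and underscores", and it assumes the infected hosts text file holds one IP address per line; the function names and sample data are constructed for illustration.

```python
import ipaddress
import re

# Table 1 "Name" rule, read here (assumption) as: first character alphanumeric,
# remaining characters alphanumeric, dash or underscore, 32 characters at most.
NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]{0,31}")
DESCRIPTION_MAX = 64


def check_feed_metadata(name, description):
    """Return a list of problems with the Name and Description fields."""
    problems = []
    if not NAME_RE.fullmatch(name):
        problems.append(f"name {name!r} breaks the Table 1 naming rule")
    if len(description) > DESCRIPTION_MAX:
        problems.append(f"description is {len(description)} chars, limit is {DESCRIPTION_MAX}")
    return problems


def check_infected_hosts(text):
    """Return (addresses, problems); assumes one IP per line, blank lines ignored."""
    seen, addresses, problems = set(), [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        entry = raw.strip()
        if not entry:
            continue
        try:
            addr = ipaddress.ip_address(entry)  # rejects prefixes, ranges, hostnames
        except ValueError:
            problems.append(f"line {lineno}: {entry!r} is not a host IP address")
            continue
        if addr.is_unspecified or addr.is_loopback or addr.is_multicast:
            problems.append(f"line {lineno}: {addr} cannot identify a compromised host")
        elif addr in seen:
            problems.append(f"line {lineno}: {addr} is listed more than once")
        else:
            seen.add(addr)
            addresses.append(str(addr))
    return addresses, problems


# Constructed sample input (documentation address ranges), not real indicators.
SAMPLE_FEED = "192.0.2.10\n198.51.100.7\n\n192.0.2.10\n203.0.113.0/24\n127.0.0.1\n"

if __name__ == "__main__":
    print(check_feed_metadata("branch-infected_hosts", "Hosts flagged by the SOC"))
    hosts, issues = check_infected_hosts(SAMPLE_FEED)
    print(hosts)
    print("\n".join(issues))
```
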
Table 2: Fields on the Create Custom Feed Page, Feeds with Remote File Server
Field | Description |
---|---|
Name | Enter a unique string that must begin with an alphanumeric character and can include only dashes and underscores; no spaces allowed; 32-character maximum. |
Description | Enter a description for your custom feed; maximum length is 64 characters. You should make this description as useful as possible for all administrators. |
Feed Type | Select one of the following custom feeds as a threat prevention type: |
Type of Server URL | Select one of the following: |
Server File URL | Enter the URL for the remote file server. |
Certificate Upload (If the URL type is HTTPS) | Click Browse and select the CA certificate to upload. If you do not upload a certificate for an HTTPS server URL, a warning message states that a certificate is not uploaded and asks whether to proceed. Click Yes to proceed without uploading a certificate, or No to go back and upload the certificate. |
Username | Enter the credentials for the remote file server. This is not a mandatory field. You can still proceed to create a custom feed without entering the username. |
Password | Enter the credentials for the remote file server. This is a mandatory field, if you have provided the username. |
Update Interval | Select how often updates are retrieved from the remote file server: Hourly, Daily, Weekly, Monthly, Never |
Sites | Select the required sites from the list to associate them with the custom feeds. |
If you try to disenroll a site in an infected host, a warning message prompts you to resolve all the current infected hosts from the respective endpoints within the site. To resolve the infected hosts, log in to the ATP Cloud UI, resolve the hosts, and then unassign sites from Policy Enforcer. Always resolve the infected hosts before unassigning sites. Once you unassign sites, you cannot resolve the hosts.