Allowlist and Blocklist Overview
An allowlist contains known trusted IP addresses, file hashes, e-mail addresses, and URLs. Content downloaded from locations on the allowlist does not need to be inspected for malware. A blocklist contains known untrusted IP addresses and URLs. Access to locations on the blocklist is blocked, so no content can be downloaded from those sites.
Benefits of Allowlists and Blocklists
Allowlists let users download files from sources that are known to be safe. Entries can be added to an allowlist to reduce false positives.
Blocklists prevent users from downloading files from sources that are known to be harmful or suspicious.
Custom allowlists and custom blocklists let you add items manually. Both are configured on the Juniper ATP Cloud server. Lists are evaluated in the following priority order:
- Custom allowlist
- Custom blocklist
If a location appears in more than one list, the first match wins.
Allowlists support the following types:
- Anti-malware—IP address, URL, file hash, and e-mail sender
- SecIntel—C&C
- ETI
- DNS
- Reverse Shell—destination IP addresses and domains
Blocklists support the following types:
- Anti-malware—IP address, URL, file hash, and e-mail sender
- SecIntel—C&C
For IP and URL entries, the Web UI performs basic syntax checks to ensure that your entries are valid.
The cloud feed URL for allowlists and blocklists is set up automatically for you when you run the op script to configure your SRX Series Firewall. See Download and Run the Juniper ATP Cloud Script.
A hash is a unique signature for a file generated by an algorithm. You can add custom allowlist and blocklist hashes for filtering, but they must be listed in a text file with each entry on a single line. Only one hash file can be active at a time, and it can contain up to 15,000 file hashes. For upload details see Create Allowlists and Blocklists. Note that hash lists differ slightly from the other list types in that they operate on the cloud side rather than on the SRX Series Firewall. This means the web portal is able to display hits on hash items.
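The two rules above are easy to get wrong in operation: the hash file must hold one entry per line and stay under the 15,000-entry cap, and a location found on several lists is decided by the first match in priority order (custom allowlist, then custom blocklist). The following script is an added example, not part of the Juniper documentation or the ATP Cloud product, that pre-checks a hash file before upload and resolves a lookup in the documented order. The accepted digest lengths (MD5, SHA-1, SHA-256), the handling of blank lines and duplicates, and the sample file are assumptions made for this example; adjust them to match what your portal accepts.

```python
import re
from typing import List, Set, Tuple

# Upload limit stated in the documentation: one active file, up to 15,000 hashes.
MAX_HASH_ENTRIES = 15_000

# Assumption for this example: entries are plain hex digests of MD5, SHA-1 or
# SHA-256 length. Which digest types the portal accepts is not stated here.
HEX_DIGEST = re.compile(r"^[0-9a-fA-F]+$")
ACCEPTED_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}

# Constructed sample file (digests of the empty input, not indicators of anything).
# It deliberately contains an uppercase duplicate and two malformed lines.
SAMPLE_HASH_FILE = """\
d41d8cd98f00b204e9800998ecf8427e
D41D8CD98F00B204E9800998ECF8427E
da39a3ee5e6b4b0d3255bfef95601890afd80709
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
not-a-hash
abc123 def456
"""


def parse_hash_list(text: str) -> Tuple[List[str], List[str]]:
    """Validate a hash list in the required shape: one entry per line.

    Returns (valid_hashes, errors). Hashes are lower-cased and de-duplicated so
    the number compared against the upload cap is the number of real entries.
    Blank lines are skipped rather than rejected (an assumption of this example).
    """
    valid: List[str] = []
    seen: Set[str] = set()
    errors: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        entry = raw.strip()
        if not entry:
            continue
        if not HEX_DIGEST.match(entry) or len(entry) not in ACCEPTED_LENGTHS:
            errors.append(f"line {lineno}: not a hex digest of an accepted length: {entry!r}")
            continue
        h = entry.lower()
        if h in seen:
            errors.append(f"line {lineno}: duplicate of an earlier entry: {h}")
            continue
        seen.add(h)
        valid.append(h)
    if len(valid) > MAX_HASH_ENTRIES:
        errors.append(f"{len(valid)} unique hashes exceed the limit of {MAX_HASH_ENTRIES}")
    return valid, errors


def classify(item: str, allowlist: Set[str], blocklist: Set[str]) -> str:
    """Resolve an item in the documented priority order; the first match wins.

    Returns "allow", "block", or "inspect" (on neither list, so the normal
    anti-malware inspection applies).
    """
    key = item.strip().lower()
    for verdict, entries in (("allow", allowlist), ("block", blocklist)):
        if key in entries:
            return verdict
    return "inspect"


if __name__ == "__main__":
    hashes, problems = parse_hash_list(SAMPLE_HASH_FILE)
    print(f"{len(hashes)} valid entries, {len(problems)} problems")
    for p in problems:
        print("  ", p)
    # An item on both lists resolves to the allowlist because it is checked first.
    print(classify(hashes[0], set(hashes), {hashes[0]}))
```

Run the script against a hash file before uploading it; any line reported as a problem would either be rejected by the portal or silently inflate the entry count toward the 15,000 cap. The `classify` function is the same first-match logic the documentation describes, so it can be used to predict how an overlapping entry will be treated before the lists are pushed to the cloud.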
The SRX Series Firewall makes requests approximately every two hours for new and updated feed content. If there is nothing new, no new updates are downloaded.
Use the show security dynamic-address instance advanced-anti-malware CLI command to view the IP-based allowlists and blocklists on your SRX Series Firewall. There is no CLI command to show the domain-based or URL-based allowlists and blocklists at this time.
Example: show security dynamic-address instance advanced-anti-malware
```
user@host> show security dynamic-address instance advanced-anti-malware
No.   IP-start    IP-end      Feed               Address
1     x.x.x.0     x.x.x.10    custom_whitelist   ID-80000400
2     x.x.0.0     x.x.0.10    custom_blacklist   ID-80000800

Instance advanced-anti-malware Total number of matching entries: 2
```
If you do not see your updates, wait a few minutes and try the command again. You might be outside the Juniper ATP Cloud polling period.
Once your allowlists or blocklists are created, create an advanced anti-malware policy that logs (or does not log) attempts to download a file from a site listed in the blocklist or allowlist files. For example, the following creates a policy named aamwpolicy1 that writes log entries for both blocklist and allowlist hits:
```
set services advanced-anti-malware policy aamwpolicy1 blacklist-notification log
set services advanced-anti-malware policy aamwpolicy1 whitelist-notification log
```