Allowlist and Blocklist Overview
An allowlist contains known trusted IP addresses, Hashes, Email addresses, and URLs. Content downloaded from locations on the allowlist does not have to be inspected for malware. A blocklist contains known untrusted IP addresses and URLs. Access to locations on the blocklist is blocked, and therefore no content can be downloaded from those sites.
Benefits of Allowlists and Blocklists
-
Allowlist allows users to download files from sources that are known to be safe. Allowlist can be added to in order to decrease false positives.
-
Blocklists prevent users from downloading files from sources that are known to be harmful or suspicious.
The Custom allowlists or custom blocklists allow you to add items manually. Both are configured on the Juniper ATP Cloud cloud server. The priority order is as follows:
Custom allowlist
Custom blocklist
If a location is in multiple lists, the first match wins.
Allowlists supported types are listed in Table 1.
|
Type |
Information |
|---|---|
|
Anti-malware |
IPaddress, URL, file hash, and e-mail sender |
|
SecIntel |
C&C IP address and domain |
|
ETI |
IP address and hostname |
|
DNS |
Domains |
|
Reverse Shell |
Destination IP addresses and domains |
Domain refers to a fully qualified domain name (FQDN).
Blocklists supported types are listed in Table 2.
|
Type |
Information |
|---|---|
|
Anti-malware |
IPaddress, URL, file hash, and e-mail sender |
|
SecIntel |
C&C IP address and domain |
-
For IP and URL, The Web UI performs basic syntax checks to ensure your entries are valid.
-
The cloud feed URL for allowlists and blocklists is set up automatically for you when you run the op script to configure your SRX Series Firewall. See Download and Run the Juniper ATP Cloud Script.
-
A hash is a unique signature for a file generated by an algorithm. You can add custom allowlist and blocklist hashes for filtering, but they must be listed in a text file with each entry on a single line. You can only have one running file containing up to 15,000 file hashes. For upload details, see Create Allowlists and Blocklists. Note that Hash lists are slightly different than other list types in that they operate on the cloud side rather than the SRX Series Firewall side. This means the web portal is able to display hits on hash items.
The SRX Series Firewall makes requests approximately every two hours for new and updated feed content. If there is nothing new, no new updates are downloaded.
Use the show security dynamic-address instance advanced-anti-malware CLI
command to view the IP-based allowlists and blocklists on your SRX Series Firewall.
There is no CLI command to show the domain-based or URL-based allowlists and blocklists
at this time.
Example show security dynamic-address instance advanced-anti-malware
user@host>show security dynamic-address instance advanced-anti-malware No. IP-start IP-end Feed Address 1 x.x.x.0 x.x.x.10 custom_whitelist ID-80000400 2 x.x.0.0 x.x.0.10 custom_blacklist ID-80000800 Instance advanced-anti-malware Total number of matching entries: 2
If you do not see your updates, wait a few minutes and try the command again. You might be outside the Juniper ATP Cloud polling period.
Use the show services security-intelligence category summary CLI command
to display summary for the specified SecIntel category.
Example show services security-intelligence category summary
user@host> show services security-intelligence category summary
...........
Category name :Blacklist
Status :Enable
Description :Blacklist data
Update interval :3600s
TTL :3456000s
Feed name :blacklist_domain
logical-system:root-logical-system
Vrf name :junos-default-vrf
Version :20211013.4
Objects number:0
Create time :2021-10-13 16:50:44 UTC
Update time :2024-12-05 17:08:29 UTC
Update status :N/A
Expired :Yes
Status :Active
Options :N/A
Feed name :blacklist_ip
logical-system:root-logical-system
Vrf name :junos-default-vrf
Version :N/A
Objects number:0
Create time :2021-10-13 16:51:18 UTC
Update time :2024-12-05 17:08:29 UTC
Update status :N/A
Expired :Yes
Status :Active
Options :N/A
............
Category name :Whitelist
Status :Enable
Description :Whitelist data
Update interval :1800s
TTL :3456000s
Feed name :whitelist_ip
logical-system:root-logical-system
Vrf name :junos-default-vrf
Version :N/A
Objects number:0
Create time :2023-03-20 23:32:59 UTC
Update time :2024-12-05 17:10:17 UTC
Update status :N/A
Expired :Yes
Status :Active
Options :N/AUse the show security dynamic-address instance default CLI command to
display the total number of default matching entries.
Example show security dynamic-address instance default
root@SRX-30-GW> show security dynamic-address instance default No. IP-start IP-end Feed Address CountryCode 1 10.0.90.165 10.0.90.165 CC/2 ID-fffc0821 -- 2 10.0.128.88 10.0.128.88 CC/2 ID-fffc0821 -- 3 10.0.128.112 10.0.128.112 CC/2 ID-fffc0821 -- 4 10.0.128.209 10.0.128.209 CC/2 ID-fffc0821 -- 5 10.0.131.69 10.0.131.69 CC/2 ID-fffc0821 -- 6 10.0.132.55 10.0.132.55 CC/2 ID-fffc0821 -- ...........
Use the show security dynamic-address category-name Blacklist CLI
command to view the list of locations such as IP addresses and URLs that you do not
trust.
Example show security dynamic-address category-name Blacklist
root@SRX-30-GW> show security dynamic-address category-name Blacklist No. IP-start IP-end Feed Address CountryCode 1 10.1.1.1 10.1.1.1 Blacklist/2 ID-80004420 -- 2 10.2.2.100 10.2.2.100 Blacklist/2 ID-80004420 -- Instance default Total number of matching entries: 2
Use the show security dynamic-address category-name Whitelist CLI
command to view the list of locations such as IP addresses and URLs that you trust.
Example show security dynamic-address category-name Whitelist
root@SRX-30-GW> show security dynamic-address category-name Whitelist No. IP-start IP-end Feed Address CountryCode 1 10.10.10.10 10.10.10.11 Whitelist/1 ID-80004010 -- Instance default Total number of matching entries: 1