An allowlist contains known trusted IP addresses, Hashes, Emailaddresses, and URLs. Content downloaded from locations on the allowlistdoes not have to be inspected for malware. A blocklist contains knownuntrusted IP addresses and URLs. Access to locations on the blocklistis blocked, and therefore no content can be downloaded from thosesites.
Benefits of Allowlists and Blocklists
Allowlist allows users to download files from sourcesthat are known to be safe. Allowlist can be added to in order to decreasefalse positives.
Blocklists prevent users from downloading files from sourcesthat are known to be harmful or suspicious.
The Custom allowlists or custom blocklists allow you to additems manually. Both are configured on the Juniper ATP Cloud cloudserver. The priority order is as follows:
Custom allowlist
See AlsoAllowlisting vs. Whitelisting: Why the Industry is Retiring the Term “Whitelisting” • The Shelf Full-Service Influencer MarketingBlock List, Deny List - CyberHootAllowlisting vs. blocklisting: Benefits and challenges | TechTargetAllowlisting vs Blocklisting | Difference between allowlist & blocklistCustom blocklist
If a location is in multiple lists, the first match wins.
Allowlists support the following types:
- Anti-malware—IPaddress, URL, file hash, and e-mail sender
- SecIntel—C&C
-
ETI
-
DNS
-
Reverse Shell - destination IP addresses and domains
Blocklists support the following types:
- Anti-malware—IPaddress, URL, file hash, and e-mail sender
- SecIntel—C&C
Note:
For IP and URL, The Web UI performs basic syntax checksto ensure your entries are valid.
The cloud feed URL for allowlists and blocklists is set up automatically for you when you run the op script to configure your SRX Series Firewall. See Download and Run the Juniper ATP Cloud Script.
A hash is a unique signature for a file generated by an algorithm. You can add custom allowlist and blocklist hashes for filtering, but they must be listed in a text file with each entry on a single line. You can only have one running file containing up to 15,000 file hashes. For upload details see Create Allowlists and Blocklists. Note that Hash lists are slightly different than other list types in that they operate on the cloud side rather than the SRX Series Firewall side. This means the web portal is able to display hits on hash items.
The SRX Series Firewall makes requests approximately every two hours for new and updated feed content. If there is nothing new, no new updates are downloaded.
Use the show security dynamic-address instance advanced-anti-malware
CLI command to view the IP-based allowlists and blocklists on your SRX Series Firewall. There is no CLI command to show the domain-based or URL-based allowlists and blocklists at this time.
Example show security dynamic-address instance advanced-anti-malware
user@host>show security dynamic-address instance advanced-anti-malwareNo. IP-start IP-end Feed Address1 x.x.x.0 x.x.x.10 custom_whitelist ID-800004002 x.x.0.0 x.x.0.10 custom_blacklist ID-80000800Instance advanced-anti-malware Total number of matching entries: 2
If you do not see your updates, wait a few minutes and try thecommand again. You might be outside the Juniper ATP Cloud pollingperiod.
Once your allowlists or blocklists are created, create an advancedanti-malware policy to log (or don’t log) when attempting todownload a file from a site listed in the blocklist or allowlist files.For example, the following creates a policy named aawmpolicy1
and creates log entries.
set services advanced-anti-malware policy aamwpolicy1 blacklist-notificationlogset services advanced-anti-malware policy aamwpolicy1whitelist-notification log