Configure third-party threat feeds
You can configure third-party threat feeds to add threat intelligence from external threat feed sources to block threats. You can also configure log settings.
To configure third-party threat feeds, do as follows:
- Go to Active threat response > Third-party threat feeds and click Add.
- Enter a name.
- Optional: Enter a description.
- Select an action.
  - Block: Logs and blocks threats.
  - Monitor: Only logs threats.

  The firewall evaluates both Blocked feeds and Monitored feeds in the order shown and logs the first match in both feeds. It blocks traffic based on the first match in the blocked list.

  For more information about logs and log settings, see Log settings for Active threat response.
- Select a position.
  - Top: Positions the threat feed at the top of the list.
  - Bottom: Positions the threat feed at the bottom of the list.
- Select an indicator type.
  - IPv4 address: A list of IPv4 address IoCs.
  - Domain: A list of domain IoCs.
  - URL: A list of URL IoCs.

  Important: The firewall only evaluates IoCs based on the Indicator type you specify, such as IPv4 address, even if the threat feed contains IPv4 addresses, domains, and URLs. So, you must add a different configuration for each indicator type per threat feed.
- Enter the external URL.

  For the format of feeds associated with the URL, see Format of threat feeds.
- Select an authorization type.
  - No authentication
  - API key
    - Enter the key.
    - Enter the value. Supports up to 64 characters.
    - Select where to add the API key.
      - Header
      - Query parameters
  - Basic authentication
    - Enter the username.
    - Enter the password. Supports up to 64 characters.
- Select Validate server certificate if you want to validate the server certificate.
- Select a polling interval to synchronize the threat feed.

  Note: XGS 87(w), 88(w), 107(w), and 108(w) only support 24 hours, 7 days, and 30 days polling intervals.
- Optional: Click Test connection to test the connection.
- Click Save.
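
Because the firewall only evaluates the indicator type selected in each configuration, it helps to know which types a feed actually contains before you add it. The following is an added example, not Sophos code: it assumes a plain-text feed with one indicator per line and `#` comment lines, and its function names and classification rules are the example's own, not the firewall's parser (check the real layout against Format of threat feeds).

```python
import ipaddress
import re
from collections import Counter
from urllib.parse import urlsplit

# Hostname: dot-separated labels of letters, digits, hyphens; alphabetic TLD.
_DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$",
    re.IGNORECASE,
)

def classify(indicator):
    """Return 'ipv4', 'url', 'domain' or 'unknown' for one indicator string."""
    try:
        ipaddress.IPv4Address(indicator)
        return "ipv4"
    except ValueError:
        pass  # not a bare IPv4 address; try the other types
    try:
        parts = urlsplit(indicator)
    except ValueError:
        return "unknown"
    if parts.scheme in ("http", "https") and parts.netloc:
        return "url"
    return "domain" if _DOMAIN_RE.match(indicator) else "unknown"

def audit_feed(text):
    """Count indicators per type; blank lines and '#' comments are skipped."""
    counts = Counter()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            counts[classify(line)] += 1
    return counts

def configurations_needed(counts):
    """Indicator types present, each needing its own feed configuration."""
    return [t for t in ("ipv4", "domain", "url") if counts.get(t, 0) > 0]

# Constructed sample feed (documentation address ranges, example domains).
SAMPLE_FEED = """# constructed sample
192.0.2.10
198.51.100.7
malware.example.com
https://bad.example.net/payload
203.0.113.0/24
not an indicator
"""

if __name__ == "__main__":
    counts = audit_feed(SAMPLE_FEED)
    print(dict(counts), configurations_needed(counts))
```

Entries counted as `unknown` match none of the three indicator types under this script's rules and are worth reviewing with the feed provider before you rely on the feed.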