Third-party threat feeds
Third-party threat feeds allow you to add threat intelligence from external threat feed sources to the firewall.
The firewall automatically blocks traffic based on the IPv4 addresses, domains, and URLs listed in the feeds.
Example third-party feeds
Third-party threat feeds can include those provided by security organizations, industry consortiums, and community-based or open-source threat intelligence sources, such as the following feeds:
-
For more information, see Firewall Blocking with GreyNoise Trends.
For the list of feeds tested with the firewall, see Frequently asked questions about Active threat response.
How to choose a feed
We recommend that you assess a threat feed's effectiveness before you add it to the firewall. This helps minimize redundancy and free up disk space.
- Review the threat feed's source, description, and frequency of updates to identify the feeds suited to your network.
- Position the feed at the top of the third-party threat feed list and monitor the feed's performance.
- Check the logs to see if traffic matches the IoCs, that is, IP addresses, domains, or URLs, in the feed.
  If traffic doesn't match the threat feed's IoCs, the feed is redundant. You can delete the threat feed to free up disk space.
  The feed either doesn't meet your network requirements, or the threat feed modules the firewall analyses before third-party threat feeds, such as MDR and Sophos X-Ops, have already matched the IoCs.
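One way to run the log check described above offline against exported data, as an added example that is not Sophos code. The feed format (one IoC per line, `#` comment lines), the log field names, and the subdomain matching rule are assumptions, and the feed and log records are constructed samples.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed feed: one IoC per line, '#' lines are comments (assumed format).
FEED = """# constructed sample feed
203.0.113.7
bad.example
http://files.example/payload/a.bin
"""
# Constructed log records; the field names are hypothetical, not a firewall schema.
LOGS = [
    {"dst_ip": "203.0.113.7", "domain": "", "url": ""},
    {"dst_ip": "198.51.100.20", "domain": "cdn.bad.example", "url": ""},
    {"dst_ip": "198.51.100.21", "domain": "", "url": "HTTP://Files.Example/payload/a.bin"},
    {"dst_ip": "192.0.2.10", "domain": "intranet.example", "url": ""},
]

def normalize_url(url):
    """Lowercase scheme and host, keep the path, drop query and fragment."""
    p = urlsplit(url.strip())
    return f"{p.scheme.lower()}://{p.netloc.lower()}{p.path or '/'}"

def parse_feed(text):
    """Sort feed entries into IPv4 addresses, domains and URLs."""
    iocs = {"ip": set(), "domain": set(), "url": set()}
    for raw in text.splitlines():
        item = raw.strip()
        if not item or item.startswith("#"):
            continue
        try:
            iocs["ip"].add(str(ipaddress.IPv4Address(item)))
        except ValueError:  # not an IPv4 address: URL if it has a scheme, else domain
            kind = "url" if "://" in item else "domain"
            iocs[kind].add(normalize_url(item) if kind == "url" else item.lower().rstrip("."))
    return iocs

def domain_hit(host, domains):
    """Match a listed domain or any subdomain of it (assumed matching rule)."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))

def assess(feed_text, logs):
    """Count matching log records per IoC type; zero matches means redundant."""
    iocs, hits = parse_feed(feed_text), {"ip": 0, "domain": 0, "url": 0}
    for rec in logs:
        hits["ip"] += rec.get("dst_ip") in iocs["ip"]
        hits["domain"] += domain_hit(rec.get("domain", ""), iocs["domain"])
        hits["url"] += bool(rec.get("url")) and normalize_url(rec["url"]) in iocs["url"]
    return {"hits": hits, "redundant": sum(hits.values()) == 0}
```

Calling `assess(FEED, LOGS)` returns the per-type match counts and a `redundant` flag that is true only when no log record matched any IoC in the feed.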
Requirements
- For license requirements, see Licenses for threat feed modules.
- For additional configurations required for all threat modules, see Firewall configurations for threat feeds.