Configuring blocklists and managing blocking

Overview

Blumira's blocking capabilities reduce the work of defending your network against malicious activity. See About Blumira's dynamic blocklists for details about how we combine proactive threat intelligence and community-supplied data with your organization's blocking data for a strong defense.

Before you begin

Before enabling firewall blocklists in Blumira, ensure that you have integrated Blumira with your next-generation firewall. These firewall devices can use Blumira's blocklists as external feeds:

• Palo Alto Next-Gen Firewall
• Fortinet Fortigate Firewall
• Cisco ASA Firewall (with Firepower Defense Module)
• Cisco FTD
• Check Point Next Generation Firewall
• Sonicwall (Running SONICOS 7+)

Reference: See Firewall Integrations for integration instructions.

Configuring blocklists

To enable Blumira's blocklisting features:

1. In the Blumira app, navigate to Settings > Blocklists.
2. Click Configure.
3. In the New Block Configuration window, under Blocking, select Enabled.
4. (Optional) In the "Number of days to block" box, type the default number of days you want to block any source that is added to the blocklist.
   Tip: You can edit the number of days to block an individual block entry if you want a different expiration than this default number. 
5. (Optional) In the Community box, select Enabled to adopt the community blocking feature and automatically block any public IP address that was purposefully blocked by another Blumira customer.
6. In the Devices box, select the firewall device(s) you will use with Blumira's DBLs. 
   Important: This step does not add the files to the firewall device. You must configure the files on the device manually. See Configuring your firewall device below.
7. (Optional) In the Threat Feeds box, select the severity level you want to enable. See About Blumira's dynamic blocklists for details about each setting.
8. (Optional) If your Blumira license includes Automated Blocking, select Enabled in the Automated box to turn on workflow automation.
   
   
9. Click Save.
10. The Blocklists page displays a green dot and "Enabled" along with the URLs for your organization's Domain, IP, and URL blocklist feeds.
    Tip: The timestamp at the top of the Blocklists screen indicates when the files were last updated. Updates to the files reflect the addition of new blocks and the removal of expired blocks. Files can be blank if all blocks have expired and no new blocks were added.
    
    
    

Configuring your firewall device

Copy the blocklist file URLs and configure them in your firewall device as external feed sources. Ensure that your firewall is set to refresh the files frequently so that it uses the most current list of blocks provided by Blumira. 
References: See vendor instructions for configuring each of these supported devices:

• • Palo Alto External Block List Setup

  • Fortinet External Thread List Setup

  • Cisco ASA with FirePOWER Security Intelligence Feeds Setup using FMC

  • Cisco ASA with FirePOWER Security Intelligence Feeds Setup using ASDM

  • Checkpoint Custom Intelligence Feed Setup

  • Sonicwall Dynamic External Object Group Setup

Manually adding IPs or domains to your blocklists

To block or allow a specific IP address or domain:

1. On the Blocklists page, click Add IP Entry or Add Domain Entry.
2. In the New Block Entry window, type the Target IP address or domain.
   Note: Blumira's blocklists work only with individual IP addresses. Ranges are not supported.
3. (Optional) Select True in the Allowlist field to allow access. The Allowlist field defaults to False, meaning access is blocked.
4. (Optional) In Number of days to block, enter the number of days that you want to block or allow access. Setting to 0 means the IP address or domain will be blocked/allowed forever.
5. (Optional) Add a description and/or a note.
6. Click Save.
   

Reviewing block details

In Blocklists, under Blocked IPs and Blocked Domains, you can review details about sources of network traffic that have been blocked/allowed to confirm if the blocking was automated, community-sourced, or related to a finding in your account.