Configuring blocklists and managing blocking

Overview

Blumira's blocking capabilities reduce the work of defending your network against malicious activity. See About Blumira's dynamic blocklists for details about how we combine proactive threat intelligence and community-supplied data with your organization's blocking data for a strong defense.

Manual and automated blocking capabilities are available depending on your account's license. Dynamic blocklists provide a continuously updated source of threats so that you do not need to curate the entire list yourself, and automated blocking adds another level of managed security.

Before you begin

Before enabling firewall blocklists in Blumira, ensure that you have integrated Blumira with your supported firewall. Reference: See Firewall Integrations for integration instructions.

The following firewall devices can be configured to use Blumira's blocklists as external feeds:

  • Palo Alto Next-Gen Firewall
  • Fortinet FortiGate Firewall
  • Cisco ASA Firewall (with Firepower Defense Module)
  • Cisco FTD
  • Check Point Next Generation Firewall
  • SonicWall (running SonicOS 7+)
    Note: Depending on the configuration chosen for your dynamic blocklist, the number of block entries may exceed the maximum object limit on some SonicWall firewall devices. See Troubleshooting device errors for more details.
  • Sophos XGS Firewalls

Configuring blocklists

To enable Blumira's blocklist features, do the following:

  1. In Blumira, navigate to Settings > Blocklists.
  2. Click Configure.
  3. In the New Block Configuration window, under Blocking, select Enabled.
  4. (Optional) In the "Number of days to block" box, type the default number of days you want to block any source that is added to the blocklist.
  5. (Optional) In the Community box, select Enabled to adopt the community blocking feature and automatically block any public IP address that another Blumira customer has deliberately blocked.
  6. In the Devices box, select the firewall device(s) you will use with Blumira's dynamic blocklists (DBLs).
    Note: This step does not add the feed files to the firewall device. You must configure the feeds on the device yourself. See Configuring your firewall device below.
  7. (Optional) In the Threat Feeds box, select the severity level you want to enable. See About Blumira's dynamic blocklists for details about each level.
  8. If your license includes automated blocking, select Enabled in the Automated box.
    Note: This automated response feature automatically adds block entries to the firewall blocklist and resolves findings where automated blocking is an available action.

  9. Click Save.

The Blocklists page displays a green dot and "Enabled" along with the URLs for your organization's Domain, IP, and URL blocklist feeds. The TXT files are populated within 30 minutes.


Note: The timestamp at the top of the Blocklists screen indicates when the files were last updated. Updates to the files reflect the addition of new blocks and the removal of expired blocks. Files can be blank if all blocks have expired and no new blocks were added.

Configuring your firewall device

Copy the blocklist file URLs and configure them in your firewall device as external feed sources. Set the firewall to refresh the feeds frequently (every few minutes, if the device allows it): a block added in Blumira, whether manually, by automation, or from a threat feed, is not enforced until the firewall next downloads the file, and an expired block is not lifted until then either.

Note: Blumira does not determine your firewall's refresh frequency but provides updated blocklist files every few minutes. In very rare cases, files can take up to 30 minutes to refresh in the cloud.

Reference: See your firewall vendor's instructions for configuring an external feed source on each of the supported devices listed above.

Manually adding IPs or domains to your blocklists

To block or allow a specific IP address or domain:

  1. On the Blocklists page, click Add IP Entry or Add Domain Entry.
  2. In the New Block Entry window, type the Target IP address or domain.
    Note: Blumira's blocklists work only with individual IP addresses. Ranges are not supported.
  3. (Optional) Select True in the Allowlist field to allow access. The Allowlist field defaults to False, meaning access is blocked.
  4. (Optional) In Number of days to block, enter the number of days that you want to block or allow access if you do not want to use your default configuration. Setting it to 0 means the IP address or domain will be blocked or allowed forever.
  5. (Optional) Add a description or a note about the entry.
  6. Click Save.

Reviewing block details

In Blocklists, under Blocked IPs and Blocked Domains, you can review the entries being blocked or allowed, along with the date when blocking or allowing will end. If the "Blocked until" column is empty, the entry has no expiration date: its number of days to block is set to "0", or forever, in the configuration.

In the blocklist tables, you can also confirm which entries were community-sourced and, if automation is included in your license, whether an entry was added to the list via automation and which findings it is related to.

Reference: See more details about automated blocking rules in Detections that support automated blocking with Blumira's dynamic blocklists.

Troubleshooting device errors

Some devices, specifically some SonicWall firewall models, have limits on the number of address objects that can prevent them from downloading the blocklist files from Blumira. This happens when the files are very large. In most cases, the Threat Feeds option is enabled in the Blumira Dynamic Blocklist configuration and the list has 5,000 or more rows, which exceeds the device's maximum for external objects.

Verifying the object limit for Sonicwall devices

To see what a SonicWall device's object or block entry limit is, do the following:

  1. Download the Tech Support Report (TSR) file from the SonicWall device as described in SonicWall's documentation.
  2. Open the TSR file in a text editor.
  3. Search the text for Address Objects_START to locate and view the Max objects and Max groups limits.

If you determine that the error is due to exceeding the device's maximum object limit and you cannot use a different device with a larger limit, we recommend disabling the Blumira Threat Feeds so that you can continue using the other Dynamic Blocklist features (manual entries, community blocks, and automated blocking).
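The two checks a practitioner wants before pointing a firewall at the IP feed (see Configuring your firewall device above) and again after enabling Threat Feeds (this section) are the same: are all rows individual IP addresses the device will accept, and does the row count stay under the device's object limit? The script below does both. It is an added example, not Blumira's code, and it assumes two things the page does not state: that the IP feed is plain text with one entry per line, and that it is served over HTTPS, possibly with a Last-Modified header. The sample feed inside it is constructed; the 5,000-row figure comes from this article, while the real limit is per device and should be taken from the TSR.

```python
"""Pre-flight check for an IP blocklist feed before a firewall consumes it.

Added example, not Blumira's code. Assumptions (not stated on the page):
  - the IP feed is plain text with one entry per line;
  - the feed is served over HTTPS and may carry a Last-Modified header.
"""
from __future__ import annotations

import ipaddress
import sys
import urllib.request
from dataclasses import dataclass, field

# The page reports failures on some SonicWall devices once a feed reaches
# 5,000 or more rows; the actual limit is per device (read it from the TSR),
# so it is a parameter here rather than a hard-coded truth.
DEFAULT_DEVICE_LIMIT = 5000

# Constructed sample feed (not real Blumira data): two good IPv4 entries, a
# blank line, one duplicate, one IPv6 entry, and three lines a firewall
# expecting single addresses would choke on (a CIDR range, a hostname, junk).
SAMPLE_FEED = """\
203.0.113.17
198.51.100.9

203.0.113.17
2001:db8::dead:beef
192.0.2.0/24
malicious.example
999.1.1.1
"""


@dataclass
class FeedReport:
    valid: list[str] = field(default_factory=list)    # single IPs, normalised
    invalid: list[str] = field(default_factory=list)  # not a single IP address
    duplicates: int = 0
    limit: int = DEFAULT_DEVICE_LIMIT

    @property
    def count(self) -> int:
        return len(self.valid)

    @property
    def exceeds_limit(self) -> bool:
        # The page says "5,000 or more rows" fails, so the check is >=, not >.
        return self.count >= self.limit


def parse_ip_feed(text: str, limit: int = DEFAULT_DEVICE_LIMIT) -> FeedReport:
    """Accept only individual IPv4/IPv6 addresses, as Blumira's lists contain.

    CIDR ranges, hostnames and malformed addresses are collected in `invalid`
    so they can be spotted before a firewall rejects the whole feed on a bad
    line. Exact duplicates are counted but emitted once.
    """
    report = FeedReport(limit=limit)
    seen = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        try:
            addr = ipaddress.ip_address(line)  # ValueError for "192.0.2.0/24", names
        except ValueError:
            report.invalid.append(line)
            continue
        if addr in seen:
            report.duplicates += 1
            continue
        seen.add(addr)
        report.valid.append(str(addr))
    return report


def fetch_feed(url: str, timeout: float = 10.0) -> tuple[str, str | None]:
    """Download a feed URL; return (body, Last-Modified header or None)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        body = resp.read().decode("utf-8", errors="replace")
        return body, resp.headers.get("Last-Modified")


def summarize(report: FeedReport, last_modified: str | None = None) -> str:
    """One-line verdict suitable for a cron job or a pre-change check."""
    verdict = "OVER DEVICE LIMIT" if report.exceeds_limit else "ok"
    tail = f" (Last-Modified: {last_modified})" if last_modified else ""
    return (f"{report.count} valid IPs, {len(report.invalid)} invalid, "
            f"{report.duplicates} duplicates, limit {report.limit}: {verdict}{tail}")


if __name__ == "__main__":
    # Usage: python feed_check.py [IP_FEED_URL] [DEVICE_LIMIT]
    # With no arguments the constructed SAMPLE_FEED is checked instead.
    url = sys.argv[1] if len(sys.argv) > 1 else None
    limit = int(sys.argv[2]) if len(sys.argv) > 2 else DEFAULT_DEVICE_LIMIT
    body, modified = fetch_feed(url) if url else (SAMPLE_FEED, None)
    rep = parse_ip_feed(body, limit=limit)
    print(summarize(rep, modified))
    for bad in rep.invalid:
        print(f"  rejected: {bad!r}")
```

Run it with the IP feed URL from the Blocklists page and the Max objects value from the TSR as the second argument. If the verdict is OVER DEVICE LIMIT after enabling Threat Feeds, that is the condition this section describes and disabling Threat Feeds is the remedy; if it reports invalid rows, the feed is not the plain one-IP-per-line format this example assumes, so adjust the parser rather than the firewall. The Domain and URL feeds need a different validator and are not covered here.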