Overview
Blumira's blocking capabilities reduce the work of defending your network against malicious activity. See About Blumira's dynamic blocklists for details about how we combine proactive threat intelligence and community-supplied data with your organization's blocking data for a strong defense.
Before you begin
Before enabling firewall blocklists in Blumira, ensure that you have integrated Blumira with your next-generation firewall. These firewall devices can use Blumira's blocklists as external feeds:
- Palo Alto Next-Gen Firewall
- Fortinet Fortigate Firewall
- Cisco ASA Firewall (with Firepower Defense Module)
- Cisco FTD
- Check Point Next Generation Firewall
- Sonicwall (Running SONICOS 7+)
Note: Depending on the configurations chosen for your dynamic blocklist, the block entries may exceed the maximum limit on some Sonicwall firewall devices. See Troubleshooting device errors for more details.
Reference: See Firewall Integrations for integration instructions.
Configuring blocklists
To enable Blumira's blocklisting features:
- In the Blumira app, navigate to Settings > Blocklists.
- Click Configure.
- In the New Block Configuration window, under Blocking, select Enabled.
- (Optional) In the "Number of days to block" box, type the default number of days you want to block any source that is added to the blocklist.
Tip: You can edit the number of days to block an individual block entry if you want a different expiration than this default number.
- (Optional) In the Community box, select Enabled to adopt the community blocking feature and automatically block any public IP address that was purposefully blocked by another Blumira customer.
- In the Devices box, select the firewall device(s) you will use with Blumira's dynamic blocklists (DBLs).
Important: This step does not add the files to the firewall device. You must configure the files on the device manually. See Configuring your firewall device below.
- (Optional) In the Threat Feeds box, select the severity level you want to enable. See About Blumira's dynamic blocklists for details about each setting.
- (Optional) If your Blumira license includes Automated Blocking, select Enabled in the Automated box to turn on workflow automation.
- Click Save.
- The Blocklists page displays a green dot and "Enabled" along with the URLs for your organization's Domain, IP, and URL blocklist feeds.
Tip: The timestamp at the top of the Blocklists screen indicates when the files were last updated. Updates to the files reflect the addition of new blocks and the removal of expired blocks. Files can be blank if all blocks have expired and no new blocks were added.
Configuring your firewall device
Copy the blocklist file URLs and configure them in your firewall device as external feed sources. Ensure that your firewall is set to refresh the files frequently so that it uses the most current list of blocks provided by Blumira.
References: See vendor instructions for configuring each of these supported devices:
Manually adding IPs or domains to your blocklists
To block or allow a specific IP address or domain:
- On the Blocklists page, click Add IP Entry or Add Domain Entry.
- In the New Block Entry window, type the Target IP address or domain.
Note: Blumira's blocklists work only with individual IP addresses. Ranges are not supported.
- (Optional) Select True in the Allowlist field to allow access. The Allowlist field defaults to False, meaning access is blocked.
- (Optional) In Number of days to block, enter the number of days that you want to block or allow access. Setting this to 0 means the IP address or domain will be blocked/allowed forever.
- (Optional) Add a description and/or a note.
- Click Save.
Reviewing block details
In Blocklists, under Blocked IPs and Blocked Domains, you can review details about sources of network traffic that have been blocked/allowed to confirm whether the blocking was automated, community-sourced, or related to a finding in your account.
This table is also where you can see if the block is still active. If the "Block until" field is populated, then it is still active; if it is empty then the block has expired.
Troubleshooting device errors
Some devices, specifically some Sonicwall firewall devices, are known to have storage limits that prevent them from downloading the blocklist files from Blumira. This happens when the files are very large. In most cases, the cause is that the Threat Feed option is enabled in the Blumira Dynamic Blocklist configuration and the list has 5,000 or more rows, which exceeds the device's maximum for external objects.
Verifying the object limit for Sonicwall devices
To see what a Sonicwall device's object or block entry limit is, do the following:
- Download the Tech Support Report (TSR) file from SonicWall as described here.
- Open the TSR file in a text reader.
- Search the text for Address Objects_START to locate and view the Max objects and Max groups limits.
If you determine that the error is due to exceeding the maximum limit and you do not have the option of using a different device with a larger storage allowance, we recommend disabling the Blumira Threat Feeds to continue using the other available features within Dynamic Blocklists.
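As an added example (not Blumira's code or feed format), the following script checks a downloaded blocklist file against the two constraints this page describes: entries must be single IP addresses, not ranges (see Manually adding IPs or domains), and a feed of 5,000 or more rows can exceed the object limit on some Sonicwall devices (see Troubleshooting device errors). The feed content and the device limit are constructed placeholders; the real feed URLs come from your Blocklists page and the real limit from the device's TSR.

```python
import ipaddress

# Constructed sample of an IP blocklist feed, one entry per line. The real feed
# format is an assumption here; this text exists only so the example runs offline.
SAMPLE_IP_FEED = """\
203.0.113.10
198.51.100.25

203.0.113.0/24
2001:db8::1
not-an-ip
"""

# Placeholder for the "Max objects" value read from the device's TSR file.
# The page states that lists of 5,000 or more rows exceed some Sonicwall limits.
EXAMPLE_MAX_OBJECTS = 5000


def parse_feed(text: str) -> list[str]:
    """Return non-empty, stripped entries from a feed file.
    A blank file is valid (all blocks expired, nothing new added) and yields []."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def invalid_entries(entries: list[str]) -> list[str]:
    """Entries that are not a single IP address. Blumira blocklists accept only
    individual addresses, so CIDR ranges and non-IP strings are flagged."""
    bad = []
    for entry in entries:
        try:
            ipaddress.ip_address(entry)
        except ValueError:
            bad.append(entry)
    return bad


def exceeds_device_limit(entries: list[str], max_objects: int) -> bool:
    """True when the feed has at least max_objects rows, the condition under which
    the page says affected Sonicwall devices fail to download the file."""
    return len(entries) >= max_objects


def check_feed(text: str, max_objects: int) -> dict:
    """Summarize row count, malformed entries, and whether the device limit is hit."""
    entries = parse_feed(text)
    return {
        "rows": len(entries),
        "invalid": invalid_entries(entries),
        "over_limit": exceeds_device_limit(entries, max_objects),
    }


if __name__ == "__main__":
    print(check_feed(SAMPLE_IP_FEED, EXAMPLE_MAX_OBJECTS))
```

If "over_limit" is True for your feed, the page's guidance applies: disable Threat Feeds or move to a device with a larger object allowance.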