Overview
Blumira's blocking capabilities reduce the manual work of defending your network against malicious activity. See About Blumira's dynamic blocklists for details about how we combine proactive threat intelligence and community-supplied data with your organization's blocking data for a strong defense.
By default, Blumira's automated blocking workflows and dynamic blocklists (DBLs) are disabled. To use these features with automation, you must:
- Integrate Blumira with your next-generation firewall so that logs can be analyzed for Findings.
- Automate blocking workflows and configure Blocklists (Settings > Blocklists) to maintain a broad and current list of known-bad sources without manual effort.
- Configure your NGFW to frequently pull Blumira's dynamic blocklists from the cloud so that it has the most current data when filtering traffic.
Before you begin
Before enabling dynamic blocklists in Blumira, ensure that you have integrated Blumira with your next-generation firewall. Reference: See Firewall Integrations for integration instructions.
These devices can use Blumira's dynamic blocklists as external feeds:
- Palo Alto Next-Gen Firewall
- Fortinet Fortigate Firewall
- Cisco ASA Firewall (with Firepower Defense Module)
- Cisco FTD
- Check Point Next Generation Firewall
After you complete the steps to configure DBLs in Blumira, you must configure your device to pull the blocklist files so that it can enforce the blocks. Enabling DBLs in Blumira alone does not change what your firewall blocks.
Configuring blocklists and automating blocking workflows
To enable Blumira's DBLs, threat feeds, and community blocking:
- In the Blumira app, navigate to Settings > Blocklists.
- Click Configure.
- In the New Block Configuration window, under Blocking, select Enabled.
- In the "Number of days to block" box, type the default number of days you want to block any source that is added to the blocklist.
Tip: You can edit the number of days to block an individual block entry if you want a different expiration than this default number.
- (Optional) In the Automated box, select Enabled so that all future blocking workflows are automatically resolved to block the suspected threat and add it to your DBL.
- (Optional) In the Community box, select Enabled to adopt the community blocking feature and automatically block any public IP address that was purposefully blocked by another Blumira customer.
- In the Devices box, select the firewall device(s) you will use with Blumira's DBLs.
Important: This step does not add the files to the firewall device. You must configure the files on the device manually. See Configuring your firewall device, below.
- (Optional) In the Threat Feeds box, select the severity level you want to enable. See About Blumira's dynamic blocklists for details about each setting.
- Click Save.
- The Blocklists page displays a green dot and "Enabled" along with the URLs for your organization's Domain, IP, and URL blocklist feeds.
Tip: The timestamp at the top of the Blocklists screen indicates when the files were last updated. Updates to the files reflect the addition of new blocks and the removal of expired blocks. A file can be blank if all of its blocks have expired and no new blocks have been added; a blank file is expected in that case and is not an error.
Configuring your firewall device
Copy the blocklist file URLs and configure them in your firewall device as external feed sources. Set the firewall to refresh the files frequently so that it uses the most current list of blocks provided by Blumira; a block that has expired in Blumira stays in effect on the firewall until the next refresh.
References: See the vendor instructions for configuring each of the supported devices listed under Before you begin.
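Added example (not Blumira's code and not a vendor configuration) showing the checks a practitioner would run on a pulled feed before trusting it, when the firewall's native external-feed feature is not available or you want to validate the feed out of band. It assumes the feed is plain text with one entry per line, which is the common external-dynamic-list format; the URL, the `#` comment convention, and the sample entries are constructed placeholders, not a real organization feed.

```python
"""Pull a Blumira-style IP blocklist feed and validate it before handing it to a firewall.

Added example, not Blumira's code. Assumptions (not from the Blumira page):
  - the feed body is plain text, one entry per line, '#' lines are comments
  - FEED_URL is a placeholder; your real URL is shown on the Blocklists page
"""
import ipaddress
import urllib.error
import urllib.request

FEED_URL = "https://example.invalid/blumira/ip-blocklist.txt"  # placeholder, assumption

# Address space that should never appear in a public blocklist. Pushing these to an
# edge firewall would block internal or loopback traffic rather than a threat source.
_NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",      # loopback, link-local, unspecified
    "::1/128", "fe80::/10", "fc00::/7",                 # IPv6 equivalents
)]


def parse_ip_feed(text: str) -> dict:
    """Split a raw feed body into accepted IPs and rejected (line, reason) pairs.

    'blank' is True when the body has no entries at all. Blumira documents this as
    legitimate (every block expired, nothing new added), so a blank feed means
    "block nothing", not "fetch failed".
    """
    lines = [ln.strip() for ln in text.splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith("#")]
    accepted, rejected, seen = [], [], set()
    for ln in lines:
        if "/" in ln:
            # Blumira lists hold individual addresses only; a CIDR range is unexpected
            rejected.append((ln, "range not supported"))
            continue
        try:
            ip = ipaddress.ip_address(ln)
        except ValueError:
            rejected.append((ln, "not an IP address"))
            continue
        if any(ip in net for net in _NON_PUBLIC):
            rejected.append((ln, "non-public address"))
            continue
        if str(ip) not in seen:          # de-duplicate, preserving feed order
            seen.add(str(ip))
            accepted.append(str(ip))
    return {"accepted": accepted, "rejected": rejected, "blank": not lines}


def fetch_feed(url: str, timeout: float = 10.0) -> str:
    """Download the feed over HTTPS. Transport errors propagate to the caller."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def refresh(url: str, last_good: list, fetch=fetch_feed) -> tuple:
    """One refresh cycle. Returns (entries_to_enforce, status_message).

    A failed download keeps the last good list (fail closed on the known-bad set);
    a successful but blank download clears it, because that is what Blumira means.
    """
    try:
        body = fetch(url)
    except (urllib.error.URLError, OSError, UnicodeDecodeError) as exc:
        return list(last_good), f"fetch failed, kept {len(last_good)} entries: {exc}"
    result = parse_ip_feed(body)
    if result["blank"]:
        return [], "feed blank: all blocks expired, enforcing nothing"
    status = f"loaded {len(result['accepted'])} entries, rejected {len(result['rejected'])}"
    return result["accepted"], status


# Constructed sample feed for offline use; the addresses are documentation ranges.
SAMPLE_FEED = """\
# constructed sample, not a real Blumira feed
203.0.113.10
198.51.100.25
203.0.113.10
10.0.0.5
192.0.2.0/24
not-an-ip
2001:db8::1
"""

if __name__ == "__main__":
    entries, status = refresh(FEED_URL, last_good=[], fetch=lambda _url: SAMPLE_FEED)
    print(status)
    for e in entries:
        print(e)
```

Run it as shown to see the sample feed validated offline; swap the `fetch=` argument for the default to pull a live URL. The two branches in `refresh` are the point: a firewall that treats a failed pull the same as a blank file silently stops enforcing every block, while one that treats a blank file as an error keeps stale blocks alive forever.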
Manually blocking or allowing specific IPs or domains
To block or allow a specific IP address or domain:
- On the Blocklists page, click Add IP Entry or Add Domain Entry.
- In the New Block Entry window, type the Target IP address or domain.
Note: Blumira's blocklists work only with individual IP addresses. Ranges are not supported.
- (Optional) Select True in the Allowlist field to allow access. The Allowlist field defaults to False, meaning access is blocked.
- (Optional) In Number of days to block, enter the number of days that you would like to block or allow access. Setting this to 0 means the entry never expires and the IP address or domain is blocked or allowed indefinitely.
- (Optional) Add a description and/or a note.
- Click Save.
Reviewing block details
In Blocklists, under Blocked IPs and Blocked Domains, you can review details about each blocked or allowed source of network traffic to confirm whether the entry was automated, community-sourced, or related to a Finding in your account.