Configuring blocklists and managing blocking

Overview

Blumira's blocking capabilities reduce the manual work of defending your network against malicious activity. See About Blumira's dynamic blocklists for details about how we combine proactive threat intelligence and community-supplied data with your organization's blocking data for a strong defense.

By default, Blumira's automated blocking workflows and dynamic blocklists (DBLs) are disabled. If you want to leverage these features with automation, you must:

1. Integrate Blumira with your next-generation firewall so that logs can be analyzed for Findings. 
2. Automate blocking workflows and configure Blocklists (Settings > Blocklists) to maintain a broad and current list of known-bad sources without manual effort.
3. Configure your NGFW to frequently pull Blumira’s dynamic blocklists from the cloud so that it has the most current data when filtering traffic.

Before you begin

Before enabling dynamic blocklists in Blumira, you must ensure that you have integrated Blumira with your next-generation firewall. See Integrating with Firewalls.

Note: These devices can use Blumira's DBLs as external feeds:

• Palo Alto Next-Gen Firewall
• Fortinet Fortigate Firewall
• Cisco ASA Firewall (with Firepower Defense Module)
• Cisco FTD
• Check Point Next Generation Firewall

Configuring blocklists and automating blocking workflows

To enable Blumira's DBLs, threat feeds, and community blocking:

1. In the Blumira app, navigate to Settings > Blocklists.
2. Click Configure.
3. In the New Block Configuration window, select Enabled from the Blocking list.
4. In the Number of days... box, type the default number of days you want to block a source that is added to the blocklist. Leave the field empty to default to never expire.
5. (Optional) In Automated, select Enabled so that all future blocking workflows are automatically resolved to block the suspected threat and add it to your DBL.
   Important: If you do not automate blocking workflows in Blumira, you must manually resolve findings in which blocking is a possible resolution. The threat source will be added to your firewall's blocklist after you indicate that a threat is valid and should be blocked. DBLs are not updated when a workflow is closed that had an invalid threat.
   
6. (Optional) In Community, select Enabled to adopt the community blocking feature and automatically block any public IP address that was purposefully blocked by another Blumira customer.
7. In Devices, select the firewall device(s) you will use with Blumira's DBLs.
8. (Optional) In Threat Feeds, select the Severity level you want to enable. See About Blumira's dynamic blocklists for details about each setting.
9. Click Save.
10. When successfully set up, the Blocklists page will show a green dot and "Enabled" along with the URLs for your organization's Domain, IP, and URL blocklist feeds. These files are updated by Blumira every 5 minutes.
11. Copy the generated URLs and configure your firewall device to use these as external feed sources. Ensure the feeds are frequently updated in your firewall for the most accurate list of blocks.
    References: See instructions for configuring each of the supported devices:
    

    • Palo Alto External Block List Setup

    • Fortinet External Thread List Setup

    • Cisco ASA with FirePOWER Security Intelligence Feeds Setup using FMC

    • Cisco ASA with FirePOWER Security Intelligence Feeds Setup using ASDM

    • Checkpoint Custom Intelligence Feed Setup

Manually blocking or allowing specific IPs or domains

To block or allow a specific IP address or domain:

1. On the Blocklists page, click Add IP Entry or Add Domain Entry.
2. In the New Block Entry window, type the Target IP address or domain.
   Note: Blumira's blocklists work only with individual IP addresses. Ranges are not supported.
3. (Optional) Select True in the Allowlist field to allow access. The Allowlist field defaults to False, meaning access is blocked.
4. (Optional) In Number of days to block, enter the number of days that you would like to block or allow access. Setting to 0 means the IP address or domain will be blocked/allowed forever.
5. (Optional) Add a description and/or a note.
6. Click Save.
   

Reviewing block details

In Blocklists, under Blocked IPs and Blocked Domains, you can review details about sources of network traffic that have been blocked/allowed to confirm if the blocking was automated, community-sourced, or related to a finding in your account.