Blocking IP/URLs with a TZ400
Hello all,
I've asked this question a couple of times in different ways on this forum and each time there have been some good answers that I've run with. For this question I would just like to know what the best way to block traffic to an IP or URL would be.
My situation is this. I receive a weekly email from a vendor of collected malicious domains and IPs. I'm currently going into the content filter object and adding the address to the URL list objects section. I currently have 11,000 IPs and URLs that have been provided to me over the years and these are split up into 3 URL object lists, and for each URL object list I have to create a CFS profile object. Each URL list is full (5000 entries), so I'm continuously adding URLs and IPs to these lists and every year I have to create a new URL list and a new profile object telling it to block everything in those lists.
Is this the best way to do this or is there an easier way? I wish there was a way for me to point to one large txt file of all the URLs and IPs and just update that every week instead of having to check each week to make sure I've not gone over the 5000 entry mark in the CFS URL Object list.
Any advice would be greatly appreciated.
Thanks!
Best Answer
MitatOnge All-Knowing Sage ✭✭✭✭
Dynamic and botnet are not the same. Dynamic has limits based on the device capacity. Create a text file on the web server, give the firewall interface access to it, and under the botnet menu point to the path of the text file, and block all URLs and IPs.
Botnet setting details:
DEAG Limits:
DEAG AND DEAO MAXIMUMS
Maximum DEAGs:
- The maximum number of DEAGs, including both IP address and FQDN types, is 25% of the total number of address groups supported by the device.
- The maximum number of DEAGs that can be created cannot exceed the number of address groups remaining before exceeding the total number supported on the firewall.
- For example, if a device supports 1024 Address Groups and you are using only 20 Address Groups, then 256 DEAGs (25% of 1024) can be created. However, if you have already manually created 1000 Address Groups, then only 24 DEAGs can be created.
Maximum DEAOs:
- The maximum number of IP address type DEAOs is 25% of the total number of address objects supported by the device.
- The maximum number of FQDN type DEAOs is 50% of the total number of address objects supported by the device.
- The maximum number of DEAOs that can be created cannot exceed the number of address objects remaining before exceeding the total number supported on the firewall.
DEAG setting details:
Answers
Why do you have to create a new URL list every year?
Do you have duplicates in your list or is it a clean list with ~11k records?
It's clean with 11k records. The max is 5000 records per list, so every 6 months to a year I have to create a new list.
You can use the botnet filter.
Dynamic address objects don't support the 11k objects.
@MitatOnge quick question. Dynamic address objects vs the botnet list. I'm sure both of these options have the same end result which in my case would be to block the URL or IP that is on the list. Is there any down side to using one vs the other, other than the max count list for the Dynamic Address Objects?
Thanks!
@MitatOnge When I set up the dynamic botnet list I get an error. I'm pointing it to a txt file with around 2000 URLs/IPs.
Can you try dividing the file into URLs and IPs?
@MitatOnge the list that is provided to me is just a link that someone else provides. I may be able to see if there is a version of the list that separates URLs and IPs. I can check on that, but it sounds like botnet filtering is the way to go.
Generally, I use a local web service for URL and IP lists. I pull the list from the cloud to my local web server and set the firewall's botnet setting to the local web server. There is no other way for this situation. You can create a script to pull the URL and IP list.
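As an added example (not from this thread and not SonicWall's code) of the local-web-server approach MitatOnge describes, together with the URL/IP split suggested above: a Python script that pulls the vendor feed, splits it into de-duplicated IP and host lists, and writes them under the web root the firewall's botnet setting points at. The feed URL, the web-root path, the one-entry-per-line file format and the reduction of URLs to their hostnames are all assumptions.

```python
import ipaddress
import re
import sys
import urllib.request
from pathlib import Path
# Constructed sample feed with the kinds of lines a vendor list tends to contain.
SAMPLE_FEED = """# weekly feed
203.0.113.10
203.0.113.10
198.51.100.0/24
bad.example
http://evil.example/path?x=1
https://Evil.Example
2001:db8::1
not a valid entry
"""

def classify(line: str):
    """Return ('ip', value), ('host', value), or None for comments and junk."""
    entry = line.strip()
    if not entry or entry.startswith("#"):
        return None
    # Reduce a URL to its host (scheme and path dropped); bare entries pass through unchanged.
    host = re.sub(r"^[a-z][a-z0-9+.-]*://", "", entry, flags=re.I).split("/")[0]
    for candidate in (entry, host):  # entry first, so a CIDR is not split on its "/"
        try:
            net = ipaddress.ip_network(candidate, strict=False)
            return ("ip", str(net.network_address if net.prefixlen == net.max_prefixlen else net))
        except ValueError:
            pass
    if re.fullmatch(r"[a-z0-9.-]+\.[a-z]{2,}", host.lower()):
        return ("host", host.lower())
    return None

def split_feed(text: str):
    """Split a feed into sorted, de-duplicated IP and host lists."""
    ips, hosts = set(), set()
    for line in text.splitlines():
        kind = classify(line)
        if kind:
            (ips if kind[0] == "ip" else hosts).add(kind[1])
    return sorted(ips), sorted(hosts)

def write_lists(ips, hosts, root: Path):
    """Write one entry per line (assumed format) to the two files the firewall fetches."""
    root.mkdir(parents=True, exist_ok=True)
    (root / "ips.txt").write_text("\n".join(ips) + "\n")
    (root / "urls.txt").write_text("\n".join(hosts) + "\n")
if __name__ == "__main__":  # usage: script.py <feed-url>; no argument runs the sample feed
    text = urllib.request.urlopen(sys.argv[1], timeout=30).read().decode() if len(sys.argv) > 1 else SAMPLE_FEED
    write_lists(*split_feed(text), Path("/var/www/html/botnet"))  # assumed web root
```

Run it from a weekly cron job on the web server so the two files are refreshed when the vendor email arrives.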