infoblox_threat_defense:rpz_feeds

Differences

This shows you the differences between two versions of the page.

infoblox_threat_defense:rpz_feeds [2025/11/04 18:47] bstafford
infoblox_threat_defense:rpz_feeds [2026/03/08 18:43] (current) – [NSDNAME and NSIP] bstafford
Line 48: Line 48:
 As of NIOS 9.0.1 in Dec 2023: ([[https://docs.infoblox.com/space/BloxOneThreatDefense/35434905/Sizing+Guidelines+for+DDI+Appliances|Documentation]]) As of NIOS 9.0.1 in Dec 2023: ([[https://docs.infoblox.com/space/BloxOneThreatDefense/35434905/Sizing+Guidelines+for+DDI+Appliances|Documentation]])
 As of NIOS 9.0.7 in Oct 2025 - new column added. Note, running Threat Feeds AND Threat Insight is not supported on TE-1415 and TE-1425. As of NIOS 9.0.7 in Oct 2025 - new column added. Note, running Threat Feeds AND Threat Insight is not supported on TE-1415 and TE-1425.
-^ Model ^ RPZ Rule Count (NIOS >= 9.0.7) ^ RPZ Rule Count ^ Notes ^ +^ Model ^ RPZ Entry Count (NIOS >= 9.0.7) ^ RPZ Rule Count ^ Notes ^ 
-| TE-815 | 6 million RPZ entries | 1.5 million RPZ entries | Base + Base IP only | +| TE-815 | 6M (TI not supported) | 1.5Ms | Base + Base IP only | 
-| TE-825 | 6 million RPZ entries2 million RPZ entries | Base + Base IP only | +| TE-825 | 6M (TI not supported) 2M | Base + Base IP only | 
-| TE-1415 | 12 million RPZ entries6 million RPZ entries | Base + Base IP only + Informational | +| TE-1415 | 12M (TI not supported) 6M | Base + Base IP only + Informational | 
-| TE-1425 | 12 million RPZ entries8 million RPZ entries | Base + Base IP only + Informational | +| TE-1425 | 12M (TI not supported) 8M | Base + Base IP only + Informational | 
-| TE-2215/TE-2225 | 40 million RPZ entries25 million RPZ entries | Everything | +| TE-2215/TE-2225 (20M with TI) 40M 25M | Everything | 
-| TE-4015/TE-4025 | 60 million RPZ entries40 million RPZ entries | Everything | +| TE-4015/TE-4025 (35M with TI) 60M 40M | Everything | 
-| **TE-926** | 16 million RPZ entries6 million RPZ entries | Base + Base IP only | +| **TE-926** | 16M (TI not supported) 6M | Base + Base IP only | 
-| **TE-1516**/**TE-1526** | 40 million RPZ entries20 million RPZ entries | Everything | +| **TE-1516**/**TE-1526** (15M with TI) 40M 20M | Everything | 
-| **TE-2326**/**TE-4126** | 60 million RPZ entries40 million RPZ entries | Everything |+| **TE-2326**/**TE-4126** (35M with TI) 60M 40M | Everything |
  
 ===== Suggested Best Practice for Cloud Based Security Policies ===== ===== Suggested Best Practice for Cloud Based Security Policies =====
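Review bot: The rewritten rows for TE-2215/TE-2225, TE-4015/TE-4025, TE-1516/TE-1526 and TE-2326/TE-4126 drop the cell separator after the model name, so the "with TI" figure lands in the Model column and those rows have one cell fewer than the header; `| TE-2215/TE-2225 (20M with TI) 40M 25M | Everything |` should read `| TE-2215/TE-2225 | 40M (20M with TI) | 25M | Everything |`, which also puts the Threat Insight parenthetical in the same column as the "(TI not supported)" annotations on the smaller models. Two smaller points in the same hunk: "1.5Ms" in the TE-815 row is a typo for "1.5M", and the new header says "RPZ Entry Count" for the NIOS >= 9.0.7 column but still "RPZ Rule Count" for the other; use one term and label the second column with the NIOS version its figures apply to (the 9.0.1 sizing guide linked above), because the two figures differ by up to 4x and a reader planning capacity needs to know which limit their grid is subject to. Finally, the note above the table names only TE-1415 and TE-1425 as unable to run Threat Feeds and Threat Insight together, while the table also marks TI as not supported on TE-815, TE-825 and TE-926; reconcile the prose and the table so they give the same list.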
Line 328: Line 328:
   * **Block** - Contains entries that should be blocked with confidence given the level of protection needed (e.g. low protection for public wifi and extreme protection for the military)   * **Block** - Contains entries that should be blocked with confidence given the level of protection needed (e.g. low protection for public wifi and extreme protection for the military)
   * **Log** - Goes along with the aligned **Block** list but contains entries that don't have as high a confidence level.   * **Log** - Goes along with the aligned **Block** list but contains entries that don't have as high a confidence level.
 +
 +===== NSDNAME and NSIP =====
 +
 +Disable NSDNAME/NSIP processing to prevent major performance impacts (approx. 45%). This feature can also cause massive outage if a legitimate NS server gets onto your block list.
 +
 +RPZ NSDNAME (Name Server Domain Name)
 +  * Definition: This trigger matches the domain name of the authoritative name server (found in the NS records) during recursive resolution.
 +  * Use Case: If a malicious actor uses ns1.badactor.com to host 5,000 phishing websites, you can create an RPZ rule targeting ns1.badactor.com.rpz-nsdname. Any domain utilizing that name server will be blocked.
 +  * Key Advantage: It catches new malicious domains immediately, even if they aren't listed in a reputation feed yet, as long as they use the same compromised name server. 
 +
 +RPZ NSIP (Name Server IP Address) 
 +  * Definition: This trigger matches the actual IP address (IPv4 or IPv6) in the A/AAAA records of name servers associated with domains (glue records).
 +  * Use Case: If a malicious server changes its name (e.g., from ns1.badactor.com to ns1.sneaky.com) but keeps the same IP address (e.g., 192.0.2.55), NSDNAME might fail, but NSIP will still block it.
 +  * Functionality: It protects against attackers who try to evade NSDNAME filters by changing name server names. 
 +    
 +    
 ===== RPZ BAU Syslog on NIOS ===== ===== RPZ BAU Syslog on NIOS =====
 In NIOS, you get the following syslog on the member doing the RPZ feed In NIOS, you get the following syslog on the member doing the RPZ feed
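Review bot: The "approx. 45%" performance impact and the outage claim in the opening paragraph of the new NSDNAME and NSIP section carry no source; cite the Infoblox document or the measurement they come from and say what the 45% is relative to (query throughput or latency), since the recommendation to disable the feature rests on that number. The mechanism behind the outage warning deserves one sentence: an NSDNAME or NSIP trigger matches every domain served by the named server or address, so a feed entry for a shared hosting provider's name server (or, with NSIP, its address) blocks all of that provider's customer zones at once, and both triggers also force the resolver to fetch NS and address records for the queried name and its ancestors before it can answer, which is where the cost comes from. The NSIP definition is slightly off: the trigger matches the addresses of the name servers, which the resolver obtains by resolving the NS names, not only addresses supplied as glue, so drop "(glue records)". In the NSDNAME use case the owner name should be written as a full RPZ record, `ns1.badactor.com.rpz-nsdname.<rpz-zone>`, and it is worth noting that a wildcard such as `*.badactor.com.rpz-nsdname.<rpz-zone>` covers every name server under badactor.com; that matters because the NSIP paragraph's evasion argument cuts both ways (changing the server's address evades NSIP just as renaming it evades NSDNAME), so the two triggers are complementary rather than one being a fallback for the other. Style: the two `+    ` lines at the end of the section are whitespace-only and should be removed.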
Line 454: Line 470:
   * Major = 7   * Major = 7
   * Critical = 8   * Critical = 8
 +
 +Official SYSLOG Severity levels
 +  * 0 (Emergency): System unusable, kernel panic.
 +  * 1 (Alert): Action must be taken immediately (e.g., primary ISP loss).
 +  * 2 (Critical): Critical conditions (e.g., failing hardware, primary application failure).
 +  * 3 (Error): Error conditions, non-urgent failures.
 +  * 4 (Warning): Potential errors if no action is taken (e.g., low disk space).
 +  * 5 (Notice): Unusual but not error conditions, ongoing events.
 +  * 6 (Informational): Normal operational messages (e.g., application start/stop).
 +  * 7 (Debug): Detailed information for developers
  
 A note on Mitigation Action A note on Mitigation Action
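Review bot: The new "Official SYSLOG Severity levels" list sits directly under the RPZ feed severity mapping ("Major = 7", "Critical = 8") but uses the opposite scale, 0 being the most severe, so a reader can easily take the two as one numbering; open the list by naming it as the RFC 5424 severity field (the low three bits of the PRI value, PRI = facility * 8 + severity, range 0 to 7) and state explicitly that it is unrelated to the feed severity numbers above, which are Infoblox's own scale. The description for 5 should follow the RFC's "normal but significant condition" rather than "unusual but not error conditions", and the last entry is missing its terminating period.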
infoblox_threat_defense/rpz_feeds.1762282020.txt.gz · Last modified: by bstafford