This is the multi-page printable view of this section. Click here to print.
Dynamic Block List Configuration Guides
1 - Cisco Firepower DBL Configuration Guide
Our Dynamic Block List (DBL) configuration guide was accurate at the time of writing but vendors change things frequently! If you find errors or anything is outdated, let us know by raising a request in the Samurai MDR application and we shall get it updated.
The guide outlined steps to automatically integrate DBL with Cisco Firepower. The maximum list size for DBL is 20,000. This maximum is subject to change without notice due to device specifications and performance.
Raise a Request
To continue with this configuration guide you must first raise a request via the Samurai MDR application. Add the following information within your request:
| Ticket field | Information |
|---|---|
| Title | DBL Onboarding Request for Cisco Firepower device(s) |
| Description | Add hostname and IP address (internet facing) of your Cisco Firepower devices. For example: mycfw1.acme.org, 19.16*.2*.2 If enrolling multiple devices please add each device on individual line* |
Submit the ticket and you will hear back from us with additional information (e.g DBL URL) to continue with the configuration below.
Connection Requirements
You will need to ensure your Firepower device(s) can reach a specific URL to obtain the DBL. This information will be provided to you once subscribed.
| Parameter | Note |
|---|---|
| Connection Port | TCP / 80 |
| DBL URL | NTT will provide a unique URL to you to download the DBL URL list |
Table 1: Connections requirements
To complete this integration you have to:
- Have submitted a request via the Samurai MDR web application and have been provided the necessary DBL endpoint URL/IP address.
From your Cisco Firepower Management Console (FMC):
- Create a feed that captures the DBL URLs
- Set Security Intelligence Settings for DBL URL
- Confirm Blocking
- Create a feed that captures the DBL IP list
- Set Security Intelligence Settings for DBL IP
You may also want to refer to the Cisco FMC documentation.
Create a feed that captures the DBL URLs
Login to your FMC
Click Objects – Object Management
- Click Security Intelligence – URL Lists and Feeds in the left pane.
- Click Add URL Lists and Feeds
- Enter the following information in Security Intelligence for URL List/Feed and click Save
| Parameter | Entry |
|---|---|
| Name | whatever you want, in our example we have used ABTI_for_URL |
| Feed URL | Feed URL will be provided to you upon enablement of the add-on (ensure you have raised a request) Our screen captures display an example URL |
| MD5 URL | MD5 URL will be provided to you upon enablement of the add-on (ensure you have raised a request) Our screen captures display an example URL |
| Update Frequency | (Optional) - If you set the Update Frequency to less than 30 minutes, the MD5 URL is required |
Set Security Intelligence Settings
Set the feed you created in Create a feed that captures the DBL URLsto Security Intelligence.
- Click Policies – Access Control
- Select the Policy for which you want to set the Feed
(For example: Select sample-fp-policy as depicted below)
If you do not have a Policy, create one from New Policy and follow the procedure
Select Security Intelligence
- Select URLs
- Select the Feed you created in Create a feed that captures the DBL URLs(our example was ABTI_for_URL)
- Under Available Zones, select Any and click Add to Block List
- Click Save
- Click Deploy
Confirm Blocking
Verify that the test URL is blocked.
- From a browser that leverages the Cisco Firepower inspection path, access the following test URL:
- Verify that it is blocked. If blocking does not occur check through the configuration again. Our example block screen looks like this:
Create a feed that captures the DBL IP list
- Click Objects – Object Management
- Click Security Intelligence – Network Lists and Feeds in the left pane
Click Add Network Lists and Feeds
Enter the following information in Security Intelligence for URL List/Feed and click Save
| Parameter | Entry |
|---|---|
| Name | whatever you want, in our example we have used ABTI_for_IP |
| Feed URL | Feed URL will be provided to you upon enablement of the add-on (ensure you have raised a request) Our screen captures display an example URL |
| MD5 URL | MD5 URL will be provided to you upon enablement of the add-on (ensure you have raised a request) Our screen captures display an example URL |
| Update Frequency | (Optional) - If you set the Update Frequency to less than 30 minutes, the MD5 URL is required |
Set Security Intelligence Settings for DBL IP
- Click Policies – Access Control**
- Select the Policy for which you want to set the Feed
(For example: Select sample-fp-policy as depicted below)
If you do not have a Policy, create one from New Policy and follow the procedure
Select Security Intelligence
- Select Networks
- Select the Feed you created in Create a feed that captures the DBL IP list (our example was ABTI_for_IP)
- Under Available Zones, select Any and click Add to Block List
- Click Save
- Click Deploy
2 - McAfee Web Gateway (Skyhigh Secure Web Gateway) DBL Configuration Guide
Our Dynamic Block List (DBL) configuration guide was accurate at the time of writing but vendors change things frequently! If you find errors or anything is outdated, let us know by raising a request in the Samurai MDR application and we shall get it updated.
The DBL provides a maximum of 80,000 listings. This limit may be updated without notice.
Raise a Request
To continue with this configuration guide you must first raise a request via the Samurai MDR application. Add the following information within your request:
| Ticket field | Information |
|---|---|
| Title | DBL Onboarding Request for McAfee Gateway device(s) |
| Description | Add hostname and IP address (internet facing) of your McAfee Gateway(s). For example: mysecureproxy1.acme.org, 19.16*.2*.2 If enrolling multiple gateways please add the information on individual lines.* |
Submit the ticket and you will hear back from us with additional information (e.g DBL URL’s) to continue with the configuration below.
Connection Requirements
You will need to ensure your Secure Web Gateway can reach a specific URL to obtain the DBL. This information will be provided to you once subscribed.
| Parameter | Note |
|---|---|
| Connection Port | TCP / 80 |
| URL DBL | NTT will provide a unique URL to you to download the DBL URL list |
| IP DBL | NTT will provide a unique URL to you to download the DBL IP list |
Table 1: Connections requirements
From your Secure Web Gateway:
Configure the External Lists Module
Follow the steps outlined within the Skyhigh Security documentation:
Use the following parameters when completing the steps:
| Field Name | Parameter |
|---|---|
| Name | Whatever you want, however we suggest NTT_DBL |
| Data Source Type | Web Service |
| Web service’s URL | URL will be provided to you upon enablement of the add-on |
| Advanced Parameters - Maximum number of entries to fetch | 100000 |
| Advanced Parameters - Maximum size of data fetch in kb | 100000 |
Table 2: External Lists Module
Tip: To find out more information about External Lists refer to Skyhigh Security documentation About External Lists
Create a Rule
Follow the steps outlined within the Skyhigh Security documentation:
You need to configure a rule that denies access if the URL requested by the client matches the external list previously created.
Use the following parameters when completing the steps:
| Field Name | Parameter |
|---|---|
| Rule Name | Whatever you want, however we suggest ‘Block URLS that match the NTT DBL’ |
| Enable Rule | Selected |
| Rule Criteria/Apply this rule | If the following criteria is matched |
| Rule Criteria Type | URL/Host criteria |
| Filter | URL |
| Selected Operator | is in list |
| Compare with | ExtLists, StringList (String, String, String) |
| Settings | Select your external list created in Configure the External Lists Module |
| Parameters Property “Exlists.String” | 1. Placeholder ${0} Data (String) |
| Action | Block |
| Settings | URL Blocked |
Table 3: Rule creation
3 - Palo Alto Networks DBL Configuration Guide
Our Dynamic Block List (DBL) configuration guide was accurate at the time of writing but vendors change things frequently! If you find errors or anything is outdated, let us know by raising a request in the Samurai MDR application and we shall get it updated.
The DBL is sized at approximately 40,000 URLs. Should memory exhaustion occur due to multiple Profile usage, ensure to manage your device(s) to avoid such a situation by performance and log monitoring.
Raise a Request
To continue with this configuration guide you must first raise a request via the Samurai MDR application. Add the following information within your request:
| Ticket field | Information |
|---|---|
| Title | DBL Onboarding Request for Palo Alto Networks device(s) |
| Description | Add hostname and IP address (internet facing) of your Palo Alto Networks NGFW(s). For example: mysecureproxy1.acme.org, 19.16*.2*.2 If enrolling multiple gateways please add each gateway on individual lines.* |
Submit the ticket and you will hear back from us with additional information (e.g DBL URL) to continue with the configuration below.
Connection Requirements
You will need to ensure your Palo Alto Networks device(s) can reach a specific URL to obtain the DBL. This information will be provided to you once subscribed.
| Parameter | Note |
|---|---|
| Connection Port | TCP / 80 |
| DBL URL | NTT will provide a unique URL to you to download the DBL URL list |
Table 1: Connections requirements
To complete this configuration you will need to:
From your Palo Alto Networks device:
- Configure an External Dynamic List (EDL)
- Configure a URL Filtering Profile
- Configure security policy rule
Configure an External Dynamic List (EDL)
Follow the steps outlined within the Palo Alto Networks documentation:
Use the following parameters when completing the steps:
| Field Name | Parameter |
|---|---|
| Name | Whatever you want, however we suggest NTT_DBL |
| Type | URL List |
| Source | DBL URL will be provided to you upon enablement of the add-on |
| Certificate Profile | None |
| Check for updates | hourly |
Table 2: EDL Configuration
Tips:
- Select your specific PAN OS version when reviewing Palo Alto Networks documentation (we have linked version 10.2)
- To find out more information about EDL’s refer to Palo Alto Networks documentation External Dynamic Lists
- Once completed, follow the Palo Alto Networks documentation linked to y’Test Source URL’ to ensure the DBL can be accessed
Configure a URL Filtering Profile
Follow the steps outlined within the Palo Alto Networks documentation:
Use the following parameters for the EDL created in Configure an External Dynamic List when completing the steps:
| Field Name | Parameter |
|---|---|
| Profile Name | We suggested NTT_DBL |
| Site Access | Block |
| User Credential Submission | Block |
Table 3: URL filtering profile
Configure security policy rule
Follow the steps outlined within the Palo Alto Networks documentation:
Use the following parameters in the Actions tab when completing the steps:
| Field Name | Parameter |
|---|---|
| Profile Setting Type | Profiles |
| URL Filtering Profile | we suggested NTT_DBL |
| Log at Session Start | Disabled |
| Log at Session End | Enabled |
Table 4: Security policy rule
4 - Squid DBL Configuration Guide
Our Dynamic Block List (DBL) configuration guide was accurate at the time of writing but vendors change things frequently! If you find errors or anything is outdated, let us know by raising a request in the Samurai MDR application and we shall get it updated.
Refer to Squid Documentation as needed: http://www.squid-cache.org/
Raise a Request
To continue with this configuration guide you must first raise a request via the Samurai MDR application. Add the following information within your request:
| Ticket field | Information |
|---|---|
| Title | DBL Onboarding Request for Squid device(s) |
| Description | Add hostname and IP address (internet facing) details of your Squid proxy(s). For example: mysecureproxy1.acme.org, 19.16*.2*.2. If enrolling multiple gateways please add each gateway on individual lines.* |
Submit the ticket and you will hear back from us with additional information (e.g DBL URL) to continue with the configuration below.
Connection Requirements
You will need to ensure your Squid proxy can reach a specific URL to obtain the DBL. This information will be provided to you once subscribed.
| Parameter | Note |
|---|---|
| Connection Port | TCP / 80 |
| URL DBL | NTT will provide a unique URL to you to download the DBL URL list |
| IP DBL | NTT will provide a unique URL to you to download the DBL IP list |
Table 1: Connections requirements
From your Squid Proxy:
Import the DBL
- Store the DBL list retrieval script as below:
/usr/local/squidList/getSquidACL.sh
- Back up the script file:
# cp /usr/local/squidList/getSquidACL.sh /usr/local/squidList/getSquidACL.sh.org
- Open the script file using your favorite editor. In the examples we use “vi” for editing
# vi /usr/local/squidList/getSquidACL.sh
- Set the DBL URL to import URL list.
(Example)DBL_URL="http://<IP address>/dbl/block_plain.txt"
- Set the DBL URL to import IP list.
(Example)DBL_IP="http://<IP address>/dbl/block_ip_plain.txt"
- Rewrite the reboot command to any command which used in production environment.
(Example)restart =/etc/rc.d/init.d/squid restart
- Set the place to output the URL list
(Example)DBL_URL_OUTPUT="/etc/squid/block_plain.txt"
- Set the place to output the IP list
(Example)DBL_IP_OUTPUT="/etc/squid/block_ip_plain.txt"
9.Save and close ”vi”
# :wq
- Give the execute permission to the script.
# chmod 775 /usr/local/squidList/getSquidACL.sh
ACL Configuration
- Edit the “squid.conf” file
# vi /etc/squid/squid.conf
- Add ACL setting for the list that set in steps 7 and 8 of the previous section.
(Example)acl blocklist_regex url_regex“/etc/squid/block_plain.txt”acl blockip dst “/etc/squid/block_ip_plain.txt”http_access deny blocklist_regexhttp_access deny blockip
- Save and close
# :wq
Confirm configuration and auto run
- Run the DBL retrieval script manually with the following command:
# /usr/local/squidList/getSquidACL.sh
After execution, check your standard Squid logs. If you receive an error, check the status of your network because it is highly likely that the DBL destination URL is not communicating.
- If there are no errors, set the execute command on Cron. (Following setting is run every 10 minutes.)
*/10 * * * * /usr/local/squidList/getSquidACL.sh
5 - Zscaler Internet Access DBL Configuration Guide
Our Dynamic Block List (DBL) configuration guide was accurate at the time of writing but vendors change things frequently! If you find errors or anything is outdated, let us know by raising a request in the Samurai MDR application and we shall get it updated.
Follow the steps below and then submit an onboarding request raise a request via the Samurai MDR application.
Access Requirements
Threat data will be pushed using the Zscaler native API with standard HTTPS TCP/443 to your Zscaler cloud instance.
From Zscaler Internet Access Portal:
Once completed you will need to provide specific information to NTT via a ticket in the Samurai MDR application.
Create a dedicated user with a specific role for NTT
Follow the steps outlined in Zscaler documentation to create an admin role:
Use the following parameters when completing the steps:
| Field Name | Parameter |
|---|---|
| Name | Whatever you want, however we suggest: NTT_DBL |
| Enable Permissions for Executive Insights | disabled |
| Log Limit (Days) | 60 days |
| Dashboard Access | View Only |
| Reporting Access | Full |
| Insights Access | View Only |
| Policy Access | Full |
| Administrators Access | None |
| User Names | Obfuscated |
| Device Information | Obfuscated |
| Functional Scope | All options disabled (Advanced Settings, Data Loss Prevention, Security, SSL Policy, Virtual Service Edge Configuration, Firewall, DNAT, DNS & IPS, NSS Configuration, Partner Integration, Remote Assistance Management) |
| Access Control (Web and Mobile) | Enabled (Policy and Resource Management, Custom URL Category Management, Override Existing Categories, Tenant Profile Management) |
| Traffic Forwarding | Disabled |
| Authentication Configuration | Disabled |
Table 1: Admin role
Follow the steps outlined in Zscaler documentation to create a user and assign the role:
Use the following parameters when completing the steps:
| Field Name | Parameter |
|---|---|
| Login ID | Whatever you want, however we suggest: NTT_DBL |
| support@nttsh.zendesk.com | |
| Name | Whatever you want, however we suggest: NTT Dynamic Block List |
| Role | The role previous created, we suggested*: NTT_DBL* |
| Status | Enable |
| Scope | As per your organization |
| Executive Insights App Access | Disabled |
| Comments | What you want |
| Security Updates | Disabled |
| Service Updates | Disabled |
| Product Updates | Disabled |
| Password Based Login | Enable (enter password) |
Table 2: Admin user
You will need to share these credentials when raising a ticket with us.
Provide your API base URL and API key
Review the Zscaler documentation to find your Base URL and API Key:
You can also read more information about the Zscaler API at:
You will need this information when raising a ticket with us.
Create a dedicated URL category for the DBL:
Follow the Zscaler documentation:
You need to create two URL categories. Use the following parameters when completing the steps:
| Field Name | Parameter |
|---|---|
| Name | Whatever you want, however we suggest: NTT_Block |
| URL Super Category | User-Defined |
| Administrator Operational Scope | Any |
| Custom URLs | example.com (this entry will be removed in the first DBL list retrieval as one value is mandatory for creation) |
Table 3: Custom URL category 1
| Field Name | Parameter |
|---|---|
| Name | Whatever you want, however we suggest: NTT_Notify |
| URL Super Category | User-Defined |
| Administrator Operational Scope | Any |
| Custom URLs | example.com (this entry will be removed in the first DBL list retrieval as one value is mandatory for creation) |
Table 4: Custom URL category 2
Configure URL and Cloud App control
Follow the steps outlined in Zscaler documentation:
Use the following applicable parameters when completing the steps (set other parameters according to your specific configuration):
| Field Name | Parameter |
|---|---|
| Rule Order | 1 (Recommended) |
| Rule Name | Whatever you want, however we suggest: NTT DBL |
| URL Category | Select the previously created categories, we suggested NTT_Block & NTT_Notify |
| Protocol | DNS Over HTTPS, FTP Over HTTP, HTTP, HTTPS, HTTP Proxy, SSL, Tunnel and Tunnel SSL |
| Action | Block |
Table 5: URL filtering policy
Configure Monthly Reporting
To enable improvements of DBL we recommend that you schedule monthly reports that are automatically emailed to us.
Follow the steps in the Zscaler documentation, Refer to Copying a Standard Report:
Select the Blocked Web Traffic Overview under Standard Reports - Web Activity to copy
| Field Name | Parameter |
|---|---|
| Report Name | Anything you want, however we recommend ‘NTT_DBL_MonthlyReport’ |
| Time Frame | Previous Month |
Table 6: Copy Report
Follow the steps in Zscaler documentation to Schedule the Report:
Use the following parameters when completing the steps:
| Field Name | Parameter |
|---|---|
| Schedule Name | Whatever you want, however we suggest: NTT_MonthlyReport_Schedule |
| Report | Report previously created, we recommended ‘NTT_DBL_MonthlyReport’ |
| Recipients | rtmd_esc-cp@ntt.com |
| Status | Enabled |
| Frequency | Monthly |
| Time zone | Asia/Tokyo |
Table 7: Scheduled Report
Raise a Request
Now that you have completed all of the steps above you must now raise a request via the Samurai MDR application. Add the following information (created from the steps above) within your request:
| Ticket field | Information |
|---|---|
| Title | DBL Onboarding Request for Zscaler Internet Access |
| Description |
|
Submit the ticket and you will hear back from us when onboarding is complete.