Note:

If this is a new device, please allow up to 15 minutes for our systems to be updated.

Create Network Objects

Create Block Address List

  1. To create address book entries for your block lists, go to Objects->Addresses->List, make sure the Untrust zone is selected in the dropdown box, and click on the New button to add a new address object.

  2. Add an entry in the Untrust Zone for each of the following domain names:
    • <block list name>..threatstop.local

Create Allowed Address Lists

  1. To create the network objects for your custom allow lists, change the zone dropdown box to "Trust" and click on the "New" button.

  2. Add an entry in the "Trust" zone for each of the following domain names:
    • <allow list name>..threatstop.local

Create the Address Group

  1. Since multiple lists will be used, create a Group Object that contains all of your ThreatSTOP lists.
  2. Go to the Objects->Addresses->Groups page and click on "New". Give the group a name, for example ThreatSTOP, and add each of the lists created in the previous step to the group.
  3. If you want to create a group for your allow lists, make sure the zone selected when creating the group is set to Trust.

Configure DNS Settings

  1. Configure the Netscreen DNS resolver to use the ThreatSTOP DNS servers and to refresh its lookups every 4 hours.
  2. On the Netscreen web interface, go to Network->DNS->Host and set the Primary DNS Server to 192.124.129.42.

    Note:

    Legacy accounts will want to keep using their existing DNS server addresses, 64.87.26.147 or 24.249.204.58, to maintain functionality.

Verify DNS Lookups

  1. To verify that your DNS resolver has resolved the block lists properly, go to Network->DNS->Host and click the Show DNS Lookup Table link. This shows the IP addresses currently in the block lists.

Create Policies

Create Block Policies

To block all traffic to and from the ThreatSTOP Object Group, we need to create three policies: one to block "Untrust" to "Global" traffic, one to block "Untrust" to "Trust" traffic, and a third to block "Trust" to "Untrust" traffic, which stops outbound connections. The policy covering the Global zone is necessary because MIPs (mapped IPs) are in the Global zone.

Create the Untrust to Global Policy

  1. Go to the Policies page, select Untrust to Global and click New
  2. Select the ThreatSTOP object as the Source Address
  3. Select ANY as the Destination Address
  4. Select ANY as the Service
  5. Select Deny as the Action
  6. Check the Logging checkbox to enable logging
  7. Check the Position at Top checkbox so the policy is at the top

Create the Untrust to Trust Policy

  1. Go to the Policies page, select Untrust to Trust and click New
  2. Select the ThreatSTOP object as the Source Address
  3. Select ANY as the Destination Address
  4. Select ANY as the Service
  5. Select Deny as the Action
  6. Check the Logging checkbox to enable logging
  7. Check the Position at Top checkbox so the policy is at the top

Create the Trust to Untrust Policy

  1. Go to the Policies page, set Trust to Untrust and click New
  2. Select ANY as the Source Address
  3. Select the ThreatSTOP object as the Destination Address
  4. Select ANY as the Service
  5. Select Deny as the Action
  6. Check the Logging checkbox to enable logging
  7. Check the Position at Top checkbox so the policy is at the top

Create Allow Policies

  1. When the allow list object group was created, it was added to the Trust zone. By default, Netscreen firewalls ship with a Trust intra-zone policy as part of the default configuration. As long as the object group for allowed connections is in the Trust zone, the Trust intra-zone policy will allow the connection.

     When all the policies are created, the policy screen will look similar to the example to the right.

Sending Your Logs

Netscreen firewalls can periodically email logs that report every connection matching a policy that has logging enabled. ThreatSTOP can take that log, parse it, and produce a report that shows you the connections that were blocked by ThreatSTOP. To set up the Netscreen to email the log to ThreatSTOP, go to the Configuration->Report Settings->Email page and then:

  1. Check the boxes for Enable E-mail Notification for Alarms and Include Traffic Log
  2. Enter the address or name of an SMTP server the Netscreen can use to send email in the SMTP Server Name field.
  3. In one of the E-Mail Address fields, enter <Device IP>@threatstop.com.
  4. Click the Save button to save the changes

That's all it takes. Your network is now protected with an updated list every four hours.
We hope you find our work useful, and look forward to your feedback.

Restore to Previous State

If you decide to return to your pre-ThreatSTOP configuration, you will need to perform the following actions to disable and remove ThreatSTOP from your system:

  1. Remove the Untrust to Global ThreatSTOP policy.
  2. Remove the Trust to Untrust ThreatSTOP policy.
  3. Remove the Untrust to Trust ThreatSTOP policy.

Limitations

  • Netscreen firewalls can only do UDP DNS queries. When the Netscreen queries our DNS servers to get your block lists, it will only use the first 29 IP Addresses in the answer.
  • You must set the Primary DNS Server for the Netscreen to one of our DNS servers. If you are running your own DNS server, you can set it up to forward queries for the "threatstop.local" domain to our DNS servers. Please click here for details on how to configure DNS forwarding.
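An offline way to see what the Netscreen actually gets from a list lookup, relating to the "Verify DNS Lookups" step and the 29-address limitation above. This is an added example, not ThreatSTOP's or Juniper's code: it builds a constructed DNS answer for a list name, parses the A records the way a resolver would, checks the TC (truncated) flag that a too-large UDP answer would carry, and reports how many addresses fall inside the 29-address limit. The list name, the 192.0.2.x addresses and the NETSCREEN_MAX_ANSWERS constant are this example's own assumptions.

```python
import struct

NETSCREEN_MAX_ANSWERS = 29  # from the page: only the first 29 addresses are used


def build_a_response(name, addrs, truncated=False):
    """Build a minimal DNS response with one A record per address.
    Constructed test data, not a real ThreatSTOP answer."""
    flags = 0x8180 | (0x0200 if truncated else 0)  # QR, RD, RA (+TC)
    header = struct.pack(">HHHHHH", 0x1234, flags, 1, len(addrs), 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    question = qname + struct.pack(">HH", 1, 1)  # QTYPE A, QCLASS IN
    answers = b""
    for a in addrs:
        rdata = bytes(int(o) for o in a.split("."))
        # 0xC00C is a compression pointer back to the question name at offset 12
        answers += struct.pack(">HHHIH", 0xC00C, 1, 1, 3600, 4) + rdata
    return header + question + answers


def _skip_name(pkt, off):
    """Advance past a DNS name (labels or a compression pointer)."""
    while True:
        ln = pkt[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:
            return off + 2
        off += ln + 1


def parse_a_response(pkt):
    """Return (truncated_flag, list of A-record IPs) from a DNS response."""
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", pkt[:12])
    truncated = bool(flags & 0x0200)
    off = 12
    for _ in range(qd):
        off = _skip_name(pkt, off) + 4  # skip QTYPE and QCLASS
    ips = []
    for _ in range(an):
        off = _skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in pkt[off:off + 4]))
        off += rdlen
    return truncated, ips


def netscreen_coverage(pkt):
    """How much of the answer a Netscreen would load, given the 29-entry cap."""
    truncated, ips = parse_a_response(pkt)
    used = len(ips[:NETSCREEN_MAX_ANSWERS])
    return {"truncated": truncated, "answered": len(ips), "used": used,
            "dropped": len(ips) - used}
```

A non-zero "dropped" count or a set "truncated" flag means the Show DNS Lookup Table view will hold fewer addresses than the list actually contains.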