Centripetal Networks devices support ThreatSTOP natively on the device and are configured using the RuleGate Manager Application (RMA). This application allows for the management and configuration of the ThreatSTOP ListAgent.
- If this is a new device and new policy, please wait about 15 minutes before attempting to apply the policy to the RuleGate firewall.
- This page only describes creating simple ThreatSTOP policies – one for inbound and one for outbound traffic – but more complex uses are possible.
Basic connectivity to the device from a management station should be set up.
Confirm that the management station can connect to the Centripetal device and log in to it use the RuleGate Manager Application. Using that login session you should confirm that the PAN device can also access ThreatSTOP. In particular verify that your device can ping ThreatSTOP's FTP service, to do this enter the following command from a command prompt on the firewall device:
It is recommended that you save the configuration prior to applying the ThreatSTOP changes.
RuleGate management and configuration is performed using the RuleGate Manager Application (RMA).
Main RuleGate Manager Application (RMA) Screen
This screen shows the currently enforced policy, as well as the policy details. It also allows you to manage the RuleGate policies and to use our Hot Rule feature.
In order to configure the RMA to use ThreatSTOP sources:
- Click on Admin
- Then click on List Agent Config
This will bring up the List Agent Configuration screen.
List Agent Configuration Screen
This screen allows you to set up the ThreatSTOP List Agent. It also allows you to see the current status of the List Agent.
ThreatSTOP List Agent Configuration Parameters:
- Rule Logging
- This defaults to "true". Be sure to leave this on in if you plan on uploading log files to ThreatSTOP.
- Account Name
- This is the account name as assigned to you by ThreatSTOP.
You should enter <ThreatSTOP account ID>.threatstop.local
This is the policy you wish to assign to the device. Once assigned the policy becomes active. This field should be populated with the exact policy name of the active policy.
You should enter <block list name>.<ThreatSTOP account ID>
The ThreatSTOP List Agent will connect to a ThreatSTOP DNS server as pointed to by the name "dns-servers.threatstop.com". By default the standard DNS port of 53 is used. In some cased ISPs will implement a transparent DNS proxy service. This will prevent the ThreatSTOP List Agent from retrieving the threat data. In order to resolve this problem, ThreatSTOP also supports port 5353. This field can be updated appropriately.
In order to save configuration changes the List Agent must be DISABLED. To save any configuration changes click Apply.
Once the List Agent is set up and has successfully downloaded the threat sources, the sources must be mapped to a RuleGate policy. This is done by entering the Mapping Screen.
List Agent Source Mapping Screen
This screen allows for the creation of a policy to be used with the ThreatSTOP List Agent. It will also allow you to import custom ALLOW or custom BLOCK rules. In most cases this is not necessary as those types of rules can be added within the ThreatSTOP web interface.
The next step would be to choose the sources that you want to be mapped to the created policy. Be sure to select both the ALLOW and BLOCK sources and then click "Save Changes" to save the mapping.
The final step would be to activate the "TS List Agent Policy". To do this you will go to the main RMA screen, select the "TS ListAgent Policy" in the policy list and then press the "Activate" button.
Once fully configured and activated the process is fully automated on the RuleGate, i.e., you should not have to configure the RuleGate List Agent again, unless you want to change the configuration in some way. Any changes made within the ThreatSTOP web interface will be reflected in the RuleGate policy. Keep in mind that the ThreatSTOP ListAgent will update once every 15 minutes. If you need to invoke an immediate update for testing purposes, you can disable and enable the ThreatSTOP ListAgent. This will force an immediate update of the data.
A guide to troubleshooting four common problems. If you are confused or if these steps do not help then please contact ThreatSTOP support.
ThreatSTOP rules do not appear to block anything
The most likely reason is that you have not correctly entered the firewall's IP address in the ThreatSTOP device definition page. You can verify whether the address the firewall uses is in our database by running the following from the command promt (SSH or console):
You should see a simple result stating the device's IP address and whether it is in the database or not. Database updates are not instantaneous but take place every 20 minutes; so, if you have recently added/modified the firewall IP details, you may wish to wait about half an hour before checking this. If there is no response at all then verify by using the ping command that the firewall can reach threatstop.com and, if not, that it can reach other places such as google.com. If you have no connectivity to ThreatSTOP but do have connectivity elsewhere please contact ThreatSTOP support for further information about the status of the ThreatSTOP infrastructure. The problem is most likely that the account and or policy name is incorrect. Double-check that the relevant settings in the instructions above.
If the name is correct then the likely issue is that you have forgotten to enable any blocklists. Go back to the policies page in your ThreatSTOP account, click edit by the appropriate entry and confirm that you have some blocklists enabled. If you are in standard mode then normally you should have at least the "Basic", and "Advanced" blocklists enabled and probably either or both of "Botnets" and "Unix Server". In expert Advanced mode you should confirm that you have some lists checked and you should contact ThreatSTOP support to understand what the lists you have enabled should be blocking.
ThreatSTOP blocks access to places it shouldn't
Although ThreatSTOP tries very hard to ensure that we have zero false positives in our standard lists, we do occasionally miss something. If you are a community user or are using ThreatSTOP in standard mode on your firewall then please report the offending domain and ip address to ThreatSTOP support. Please check in the Arista log file (/var/log/eos) that the IP address is indeed being blocked by the ThreatSTOP rules before contacting us.
No Logs Uploaded
In many cases logging issues are related to issue 1) above. If running the "validip" test described above is successful then you should verify that "log enable" is set appropriately in the current configuration (all ThreatSTOP firewall drop rules should log enable in them).