Blacklists

Blacklists specify CIDR blocks and/or individual IP addresses for which traffic should be monitored. These IP addresses can be source addresses or destination addresses; in either case, their presence in a blacklist indicates that traffic from or to those addresses should trigger an alert. Blacklists are used in conjunction with Blacklist type advanced security policies; the blacklists supply the relevant IP addresses, and the policy instances provide threshold definitions and action integrations.

Riverbed provides curated blacklists of well-known threat sites and pushes them to Internet-connected NetProfilers by default. (Automatic updates can be disabled, if you wish.) In addition, you can create custom blacklists by explicitly typing IP addresses, by importing addresses from a file, or by combining both methods.

The set of blacklists present on your NetProfiler can be accessed by clicking Definitions > Advanced Security > Blacklists.

Defining a New Blacklist

To define a new custom blacklist:

  1. Click Definitions > Advanced Security > Blacklists to display the Blacklists page. This page lists all existing blacklists, and enables you to create others.
  2. Click Create a New Blacklist to display the New Blacklist page.
  3. Type a descriptive name for the blacklist.
  4. (Optional) Import IP addresses from a file to include them in the new blacklist. When you import from a file, you have the option of replacing the current blacklist (the default) or merging the new blacklist with an existing blacklist. Entries in the file must be separated by commas, semicolons, tabs, or newline characters.
  5. Type CIDR blocks or individual IP addresses to include in the new blacklist.
  6. Click Create Blacklist to finish. The blacklist is now available to be assigned to a threshold for any Blacklist type security policy.
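
Before importing a file in step 4, it helps to check its entries offline. The following is an added example, not Riverbed code: it splits text on the separators listed above, validates each entry as an IP address or CIDR block, and collapses duplicates and entries already covered by a wider block. The function name and sample data are constructed for illustration, and whether the appliance accepts IPv6 entries is an assumption the page does not confirm.

```python
import ipaddress
import re

# Separators the import accepts per the page: comma, semicolon, tab, newline.
_SEPARATORS = re.compile(r"[,;\t\r\n]+")


def prepare_blacklist(text):
    """Return (entries, rejected) for the text of a blacklist import file.

    entries  - sorted, de-duplicated IP/CIDR strings with overlaps collapsed
    rejected - tokens that are not a valid IP address or CIDR block
    """
    networks, rejected = [], []
    for token in _SEPARATORS.split(text):
        token = token.strip()  # tolerate stray spaces around separators
        if not token:
            continue
        try:
            # strict=True rejects blocks with host bits set (e.g. 192.0.2.5/24),
            # which usually means a typo in the address or the prefix length.
            networks.append(ipaddress.ip_network(token, strict=True))
        except ValueError:
            rejected.append(token)

    entries = []
    for version in (4, 6):  # collapse_addresses cannot mix address families
        family = [n for n in networks if n.version == version]
        for net in ipaddress.collapse_addresses(family):
            # Write single hosts as a bare address, blocks in CIDR form.
            single = net.num_addresses == 1
            entries.append(str(net.network_address) if single else str(net))
    return entries, rejected


# Constructed sample using documentation address ranges (RFC 5737).
SAMPLE = ("203.0.113.0/24, 203.0.113.17;198.51.100.7\t198.51.100.7\n"
          "192.0.2.5/24\nexample.org\n")

if __name__ == "__main__":
    good, bad = prepare_blacklist(SAMPLE)
    print("\n".join(good))       # newline-separated, ready to import
    for token in bad:
        print("rejected:", token)
```

Review the rejected tokens by hand rather than dropping them silently; a mistyped prefix can turn one intended host into a whole monitored block or leave it out of the list.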

Synchronizing Blacklists

Automatic synchronization of Riverbed-curated blacklists is enabled by default. To force an immediate synchronization of your blacklist definitions and pull down the latest set provided by Riverbed:

  1. Click Definitions > Advanced Security > Blacklists to display the Blacklists page.
  2. Verify that Enable Synchronization Of Curated Blacklists From The Riverbed Remote Server is selected.
  3. Click Synchronize Now to initiate the synchronization process and pull the latest blacklists from Riverbed.
  4. Click Create Blacklist to finish. The blacklists are now available to be assigned to thresholds for any Blacklist type advanced security policy.

Note: Any changes you've made to a Riverbed-supplied blacklist will be lost when the list is synchronized. User-created blacklists are not affected by synchronization.