Versa Networks

Configure Threat Intelligence from VMS

For supported software information, see Supported Software Information, below.

Threat intelligence enhances your organization's security posture by providing real-time, actionable insights into potential threats. It helps you identify, track, and mitigate cyber threats proactively.

You enable the threat intelligence microservice from Versa Messaging Service (VMS) and configure it to receive threat feeds from external sources. You can configure different threat feeds for each tenant, using criteria such as IP address, IP address combined with a port, domain name, and URL. You can configure each tenant for preferred threat feed categories and use these in access policy rules to filter traffic.

When the threat intelligence microservice receives a threat feed, it validates the data, removes any invalid entries, and stores the valid entries in a local database. If a database already exists for the downloaded feed, threat intelligence compares the new feed with the existing entries in the database and adds new entries or deletes outdated ones. VMS then sends the delta threat feed to Versa Operating System™ (VOS™) devices.

To receive threat feeds, you activate threat intelligence for the VMS connector of your tenant, and then enable relevant threat intelligence feeds. 
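To make the validate-and-diff step concrete, the following Python script is an added example written for this article; it is not Versa's code and does not reproduce the microservice's implementation. It assumes a Text-format feed with one indicator per line and the four Threat Feed Category options used in the procedure below (IP and Port, IP, FQDNs, URL Patterns). The entry syntax it accepts (CIDR blocks, lo-hi ranges, ip:port) and the sample feed contents are constructed assumptions, not a documented feed format.

```python
"""Validate a downloaded threat feed and compute the delta against the stored
copy: the same validate -> store -> diff flow the article describes for VMS.
Everything below is an illustrative example; feed contents are constructed."""
import ipaddress
import re
from urllib.parse import urlsplit

# The four Threat Feed Category options from this article.
IP, IP_PORT, FQDN, URL = "ip", "ip_port", "fqdn", "url"

# One DNS label: 1-63 chars, alphanumeric or hyphen, no leading/trailing hyphen.
_LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def _valid_fqdn(name):
    """At least two labels, 253 chars total, every label well formed, TLD not numeric."""
    labels = name.split(".")
    if len(name) > 253 or len(labels) < 2 or labels[-1].isdigit():
        return False
    return all(_LABEL_RE.match(lbl) for lbl in labels)


def _normalize_ip_spec(spec):
    """Accept a host address, a CIDR block or a 'lo-hi' range (assumed syntax);
    return the canonical string, or None if the text is not an address."""
    try:
        if "-" in spec:
            lo, hi = (ipaddress.ip_address(p) for p in spec.split("-", 1))
            if lo.version != hi.version or lo > hi:
                return None
            return f"{lo}-{hi}"
        if "/" in spec:
            return str(ipaddress.ip_network(spec, strict=False))
        return str(ipaddress.ip_address(spec))
    except ValueError:
        return None


def _normalize_port_spec(spec):
    """Accept a single port or a 'lo-hi' port range, both within 1-65535."""
    try:
        lo, hi = (int(p) for p in spec.split("-", 1)) if "-" in spec else (int(spec), int(spec))
    except ValueError:
        return None
    if not 1 <= lo <= hi <= 65535:
        return None
    return str(lo) if lo == hi else f"{lo}-{hi}"


def validate_entry(category, raw):
    """Return the normalized entry for the category, or None if it is invalid."""
    entry = raw.strip()
    if category == IP:
        return _normalize_ip_spec(entry)
    if category == IP_PORT:
        # Address, block or range followed by ':port' or ':lo-hi' (assumed syntax).
        if ":" not in entry:
            return None
        ip_part, port_part = entry.rsplit(":", 1)
        ip_spec, port_spec = _normalize_ip_spec(ip_part), _normalize_port_spec(port_part)
        return f"{ip_spec}:{port_spec}" if ip_spec and port_spec else None
    if category == FQDN:
        entry = entry.lower().rstrip(".")          # case-fold, drop trailing root dot
        return entry if _valid_fqdn(entry) else None
    if category == URL:
        # A URL path or pattern must sit under a host that is an FQDN or an address.
        host = urlsplit(entry if "://" in entry else "//" + entry).hostname
        return entry if host and (_valid_fqdn(host) or _normalize_ip_spec(host)) else None
    raise ValueError(f"unknown category {category!r}")


def parse_feed(category, text):
    """Split a Text-format feed into (valid entries, rejected raw lines).
    Blank lines and '#' comments are skipped; duplicate entries collapse."""
    valid, rejected = set(), []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        entry = validate_entry(category, line)
        (rejected.append(line) if entry is None else valid.add(entry))
    return valid, rejected


def compute_delta(stored, fresh):
    """What would be pushed to VOS devices: additions and removals relative to
    the stored copy of the same feed (an empty 'stored' means a first download)."""
    return {"add": sorted(fresh - stored), "delete": sorted(stored - fresh)}


# Constructed sample feed using documentation address ranges, with two bad lines.
SAMPLE_IP_FEED = """\
# constructed sample, not a real feed
203.0.113.5
203.0.113.0/24
198.51.100.10-198.51.100.20
999.1.1.1
not an ip
203.0.113.5
"""

if __name__ == "__main__":
    fresh, rejected = parse_feed(IP, SAMPLE_IP_FEED)
    stored = {"203.0.113.5", "192.0.2.1"}       # what the local database held
    print("rejected:", rejected)
    print("delta:", compute_delta(stored, fresh))
```

Running the script prints the two rejected lines and the delta: the new CIDR block and address range are added, the duplicate collapses into one entry, and the address that disappeared from the feed is deleted. The rejected list is worth surfacing in monitoring; a sudden jump in rejections usually means the provider changed its file format, which would otherwise show up only as a silently shrinking feed.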

Enable and Configure Threat Intelligence

To enable and configure threat intelligence for a tenant:

  1. In Director view, select the Administration tab in the top menu bar.
  2. Select Connectors > VMS in the left menu bar.
  3. To add a VMS connector, click + Add. To update a connector, select an existing one. The Configure VMS Connection configuration wizard displays. 
  4. Add or update the required information in the VMS Connection and VMS Cluster screens. For more information, see Configure a VMS Connector.
  5. Select step 3, Tenants and Services, in the top menu bar.

    1_director-tenants-services-3.png
  6. Select the tenant or tenants for which you want to enable threat intelligence. Click Select All to select all tenants. Selected tenants display in the Tenant Selected section. For example:

    tenant-selected-example-all.png
    Note that to clear a tenant selection for an existing VMS connector, you must first disable the VMS services on the VOS devices for that tenant. 
  7. From the Tenant Selected section, click the down arrow of the tenant for which you want to enable threat intelligence. The list of services displays, as shown below.

    services-options-threat-intel.png
  8. Click the Threat Intel toggle to enable threat intelligence, and then enter information for the following fields.

    threat-intel-fields.png
     
    Field Description

    VMS Elastic FQDN

    Enter the FQDN of the VMS host to which the external server connects to share threat intelligence data.

    Threat Feed Input Format

    Select the format in which to share or save threat feeds. Currently, the Files option is supported.
  9. To add threat feed categories, click + Add Feed Type File, and then enter information for the following fields.

    threat-feed-type-fields.png
     
    Field Description

    Threat Feed Category

    Select the threat feed category from these options:

    • IP and Port—These threat feeds include combinations of IP addresses and specific ports, IP address ranges, and port ranges associated with malicious activity.
    • IP—These feeds contain standalone IP addresses and IP addresses with a subnet mask that have been observed participating in malicious activity.
    • FQDNs—These feeds include domain names associated with malicious infrastructure. 
    • URL Patterns—These feeds consist of specific URL paths or patterns used for malicious activities. 

    Threat Feed Type

    Select the type of threat feed. For example, user-defined.

    Threat Feed Name

    Enter a name for the threat feed.

    Threat Feed File Format

    Select a file format for the feed, such as Text.

    Threat Feed Endpoint FQDN

    Enter the FQDN of the external threat feed server to which VMS connects. 

    Threat Feed Port

    Enter the port number of the external threat feed server.

    Threat Feed Endpoint Path

    Enter the path of the threat feed server from which VMS downloads threat feed data. 

    Threat Feed Refresh Frequency (mins)

    Enter the frequency, in minutes, to refresh the threat feed.
    Default: 5 minutes.

    Threat Feed Authentication Mode

    Select the authentication mode for the feed:

    • No Authentication
    • API Authentication Header
    • Password Authentication

    + Add Cert

    Click to select and upload a CA certificate to connect to the threat feed server. 

    threat-feed-certificate-upload.png

  10. Perform the remaining steps as described in Configure a VMS Connector to complete the configuration.

Use Threat Feeds in Access Policies

You associate threat feeds of the following categories with access policies as follows:

  • IP address—Configure External Dynamic address group and associate with access policy. 
  • URL patterns—Configure Custom URL category and associate with access policy or URL filtering profile. 

Currently, the FQDN and IP address and port categories support only the Block action, which is applied by default.

Associate IP Address Threat Feeds with an NGFW Access Policy Rule

To associate IP address threat feeds with an NGFW access policy:

  1. Configure an address group, and then add the IP address threat feed type to that group:
    1. In Director view > Appliance view, select the Configuration tab in the top menu bar.
    2. Select Objects & Connectors > Objects > Address Groups. The main pane displays the configured address group objects.
    3. Select an existing address object or click + Add. The Add/Edit Address Group window displays.

      edit-address-groups.png
    4. For the Type field, select External Dynamic Address. The Kind field displays.
    5. For the Kind field, select one of the following:
      • Exclusive—Specific to a tenant. 
      • Shared—Shared address group configured in a parent tenant and can be shared with tenants. 
    6. From the User-defined Address Feeds field, click the Add icon, and then enter the name of the IP threat feed that you entered in the Threat Feed Name field when configuring the VMS connector. For more information, see Step 7 in Enable and Configure Threat Intelligence, above.
    7. For information about configuring other parameters, see Configure Address Group Objects.
    8. Click OK.
  2. To use the same address group in other tenants, add an address group for the provider organization as shown in Step 1, and for the Kind field, select Shared. To add this address group in other tenants:
    1. In Director view > Appliance view, select the Configuration tab in the top menu bar.
    2. Select Others > Organization > Limits in the left menu bar. The main pane displays the organizations associated with the Controller node.
    3. Click an organization name in the main pane for which you want to add the address group from the provider organization. The Edit Organization Limit popup window displays.

      edit-org-limit-resources-tab.png
    4. Select the Resources tab. 
    5. Under Available Address Groups, click the Add icon. All shared address groups of the provider organization display. Select the shared address group or groups.
    6. For information about configuring other parameters, see Configure Organization Limits.
  3. To associate an address group for IP threat feeds with an NGFW policy rule:
    1. Select the Configuration tab in the top menu bar.
    2. Select Services > Next Gen Firewall > Security > Policies in the left menu bar, and select the Rules tab.
    3. Select an existing rule or click + Add to add one. The Add/Edit Rule window displays. 

      ngfw-edit-rule-destination-address-selection.png
    4. Select the Destination tab.
    5. Under Destination Address, click the Add icon, and then select an address group (shared or exclusive) that you added in Step 1, above.
    6. For configuring other parameters, see Configure Access Policy Rules (ACL Rules).

Associate URL Patterns Threat Feeds with an NGFW Access Policy Rule or URL Filtering Profile

  1. Configure a URL category, and then add the URL Patterns threat feed type to that category:
    1. In Director view > Appliance view, select the Configuration tab in the top menu bar.
    2. Select Objects & Connectors > Objects > Custom Objects > URL Categories in the left menu bar. 
    3. Select an existing category or click + Add. The Add/Edit URL Category window displays.

      edit-url-category-general.png
    4. In the General tab, from the Kind field, select one of the following:
      • Exclusive—Specific to a tenant. 
      • Shared—Shared URL category configured in a parent tenant and can be shared with tenants. 
    5. From the User-defined Feeds field, click the Add icon, and then enter the name of the URL Patterns threat feed that you entered in the Threat Feed Name field when configuring the VMS connector. For more information, see Step 7 in Enable and Configure Threat Intelligence, above.
    6. For information about configuring other parameters, see Configure Custom URL Categories.
    7. Click OK.
  2. To use the same URL category in other tenants, add the URL category for the provider organization as shown in Step 1, and from the Kind field, select Shared. To add this category in other tenants:
    1. In Director view > Appliance view, select the Configuration tab in the top menu bar.
    2. Select Others > Organization > Limits in the left menu bar. The main pane displays the organizations.
    3. Click an organization name in the main pane for which you want to add the URL category from the provider organization. The Edit Organization Limit popup window displays.

      edit-org-limit-resources-tab-url-categories.png
    4. Select the Resources tab. 
    5. Under Available URL Categories, click the Add icon. All shared URL categories of the provider organization display. Select the required URL categories.
    6. For information about configuring other parameters, see Configure Organization Limits.
  3. To associate a URL category for URL Patterns feeds with an NGFW policy rule:
    1. Select the Configuration tab in the top menu bar.
    2. Select Services > Next Gen Firewall > Security > Policies in the left menu bar, and then select the Rules tab.
    3. Select an existing rule or click + Add to add one. The Add/Edit Rule window displays. 

      ngfw-edit-rule-applications-url-tab.png
    4. Select the Applications/URL tab.
    5. Under URL Category List, click the Add icon, and then select a URL category that you added in Step 1, above.
    6. For configuring other parameters, see Configure Access Policy Rules (ACL Rules).
  4. To associate URL Patterns threat feeds with a URL filtering Profile:
    1. In Director view > Appliance view, select the Configuration tab in the top menu bar.
    2. Select Services > Next Gen Firewall > Security > Profiles > URL Filtering in the left menu bar.
    3. Select an existing URL filtering profile or click the Add icon to add one. The Add/Edit URL Filter window displays.

      edit-url-filter-category-based-action.png
    4. Select the Category-Based Action tab, and then click the Add icon to add actions for categories. The Add Category Based Action window displays.

      add-category-based-action.png
    5. Enter a name and select the action (here, Block).
    6. Under User Defined Categories, select the URL category you added in the steps to configure a URL category (here, ORG1-URL-Feed-Exclusive-1).
    7. For configuring other parameters, see Configure a URL-Filtering Profile.
    8. Click OK. 

Enable Streaming Feeds for Threat Intelligence 

You can enable the VOS device (branch) to receive threat intelligence streaming feeds from the VMS server. To do this, you associate a messaging server profile with the threat intelligence microservice that you configured in Enable and Configure Threat Intelligence, above. For more information about VMS messaging server profiles, see Configure a Messaging Server Profile.

To enable streaming feeds for threat intelligence:

  1. In Director view:
    1. Select the Administration tab in the top menu bar.
    2. Select Appliances in the left menu bar.
    3. Select a device name in the main panel. The view changes to Appliance view.
  2. Select the Configuration tab in the top menu bar.
  3. Select Others > Organization > Messaging Service > VMS Service in the left menu bar. You can enable streaming feeds for threat intelligence IP address, IP Port, FQDN, and URLs, as highlighted in the following screenshot.

    vms-service-threat-intel-feeds.png
  4. Click the Edit (pencil) icon next to the threat intelligence category for which you want to enable streaming feeds. The Edit Threat Intel <category name> VMS Service popup window displays. For example, the screenshot below displays when you select Threat Intel IP Address. Note that the fields are the same for all the categories you select from the VMS Service screen.

    edit-threat-intel-ip-address.png
  5. In the VMS Profile field, select a VMS server profile. For more information, see Configure a Messaging Server Profile, above.
  6. Click Enabled to enable the service. 
  7. Click OK. For more information, see Enable Stream Feeds for VMS Services.

Monitor Threat Intelligence Statistics

You can monitor VMS threat intelligence statistics for threat intelligence categories such as IP address and port, IP address, FQDNs and URL patterns. For more information, see Monitor Device Services.

To monitor threat intelligence services:

  1. Select the Administration tab in the top menu bar.
    1. Select Appliances in the left menu bar.
    2. Select a device name in the main panel. The view changes to Appliance view.
  2. Select the Monitor tab in the top menu bar.
  3. Select an organization and click Devices. 
  4. Select a device, and then click Services > VMS. The threat intelligence statistics display, as shown below.

    threat-intel-monitor.png
  5. Click View in the Current column to view current statistics for the server, such as the number of messages received, dispatched, dropped, connection status and connect time, and the last sequence number. For example:

    threat-intel-monitor-current.png
  6. Click View in the Total column to view total statistics for the server, such as the number of messages received, dispatched, dropped, and failovers detected. For example:

    threat-intel-monitor-total.png

Display Threat Intelligence Logs

  1. In Director view, select the Analytics tab from the top menu bar. The view changes to Analytics view.
  2. Select Logs > Threat Intelligence in the left menu bar.

    logs-threat-intel-menu.png
  3. Select the organization, tenant, and the period for which to display threat intelligence analytics logs. The following screen displays.

    threat-intel-analytics-logs-normal-tab.png
  4. Select the Exception tab to view exception logs for threat intelligence. In the example below, the download has failed and the action taken is Deny.

    threat-intel-analytics-logs-exception-tab.png

Supported Software Information 

VMS Releases 5.2.2 and later support all content described in this article.
