Configure Custom IP-Filtering Profiles
For supported software information, click here.
Traffic passing through the network may have IP addresses that are associated with a bad reputation and that may pose a security risk to your network. To block these IP addresses based on IP address reputation and IP address metadata such as geolocation, you can configure IP address–filtering profiles and then associate them with a security policy. You associate IP-filtering profiles with devices that are connected to a Secure Web Gateway (SWG) and that need to send traffic to the internet.
Versa Operating System™ (VOS™) devices provide predefined IP reputations that you can use to create IP address–filtering profiles.
You can filter and control traffic based on IP address in the following ways:
- Security access policy enforcement based on address objects with fully qualified domain names (FQDNs)—You can define address objects based on the FQDN by specifying source and destination IP address objects in the match criteria in a security policy rule. The VOS device queries the DNS server for the domain names and caches the resolved IP addresses. When the VOS device processes traffic, the IP address matching is done using the cached resolved IP addresses. This type of filtering minimizes latency associated with real-time DNS lookups, thus improving performance.
- Security access policy enforcement based on address objects with dynamic addresses—You can define an address object based on dynamic addresses by specifying a dynamic source and destination IP address object in the match criteria in a security policy rule. The VOS device does not perform any operations on its own to resolve the dynamic address objects to IP addresses. Instead, the VOS device depends on an external mechanism that pushes the most accurate IP address list that corresponds to the dynamic object to the VOS device. This external mechanism makes a REST API call to the Director node, which then pushes the updates to the VOS device. When a VOS device is processing traffic, it matches IP addresses using the translated IP addresses that are part of the dynamic address object. This type of filtering minimizes latency associated with real-time DNS lookups, thus improving performance.
- IP filtering based on the reputation associated with an IP address and its geolocation—You can filter traffic based on IP reputation and IP address metadata (that is, geolocation). Versa Networks provides an IP reputation feed that is updated both daily and in real time. Additionally, you can populate an IP-filtering profile with IP address blacklists or whitelists by using a custom script or an automated script that invokes REST APIs on the Director node.
IP address filters are based on the following IP address attributes:
- IP reputation—You can create an IP-filtering profile using the following predefined IP reputations:
  - BotNets
  - Denial of service
  - Phishing
  - Proxy
  - Reputation
  - Scanners
  - Spam sources
  - Web attacks
  - Windows exploits
- Geolocation—Versa Networks provides a list of predefined regions that you can use to create IP-filtering profiles based on geolocation.
You define IP-filtering profiles to filter traffic based on the IP address attributes. Each IP-filtering profile object consists of the following:
- Allowed IP addresses
- Denied IP addresses
- DNS reverse lookup configurations
- Rules for geolocation-based actions
- Rules for IP reputation–based actions
You can match the IP address based on the following match criteria:
- Destination IP address
- Source IP address
- Source or destination IP address
- Source and destination IP address
You can enforce the following actions when a session's IP address matches the conditions in the IP-filtering profile:
- Allow
- Alert
- Drop packet
- Drop session
- Reset
You can also configure custom actions in an IP-filtering file.
This article describes how to configure custom IP-filtering profiles and how to view IP reputation categories.
Configure Custom IP-Filtering Profiles
- Go to Configure > Security Service Edge > Real-Time Protection > Profiles.

The following screen displays:

- Select the IP Filtering tab under Filtering Profiles.
Note: In Release 12.2.2, the Secure Web Gateway (SWG) tab was renamed Filtering Profiles.
- To customize which columns display, click Select Columns and then click the columns to select or deselect the ones you want to display. Click Reset to return to the default column display settings.
The options are:
  - Logging
  - Deny List
  - Allow List
  - Geo IP Based Actions
  - Address Reverse Lookup
  - Reputation Based Actions Names
  - Action
- Click the Add icon to create a profile. The Create IP Filtering screen displays, and the Deny and Allow List step is selected. By default, all fields are configured. To customize IP-filtering actions, enter information for the following fields. Note that if the traffic matches both a deny list and an allow list, the action in the deny list takes precedence.

  Field: Description
  - Deny List (Group of Fields): Choose the IP addresses and groups to deny (block).
    - Action: Select the action to enforce when the IP-filtering profile encounters an IP address that is configured in a deny-listed IP address or IP address group:
      - Alert—Allow the IP address, and generate an entry in the IP-filtering log.
      - Allow—Allow the IP address, and do not generate an entry in the IP-filtering log.
      - Ask—The browser presents an information page that allows the user to either cancel the operation by clicking Cancel or continue with the operation by clicking OK (for HTTP and HTTPS).
      - Block—Block the IP address and generate an entry in the IP-filtering log. No response page is displayed, and the user cannot continue with the website.
      - Drop Packet—The browser waits for a response from the server and then drops the packets. It is not possible to determine whether the packet was dropped because of a delayed response from the server or because a firewall blocked access to the website.
      - Drop Session—The browser waits for a response from the server and drops the session. It is not possible to determine whether the session was dropped because of a delayed response from the server or because a firewall blocked access to the website.
      - Justify—The browser presents an information page that allows the user to either cancel the operation by clicking Cancel or continue with the operation after entering a justification message and clicking OK (for HTTP and HTTPS).
      - Reject—Send an ICMP unreachable message back to the client and reset the connection to the server.
      - Add New: To create a new security action, click Add New. For information, see Configure SASE User-Defined Objects.
    - IP Address: Select the IP addresses to which the action is enforced. Enter information for the following fields:
      - IP Subnet—Enter a list of IPv4 or IPv6 subnet values.
      - IP Range—Enter a list of IP address ranges.
      - IP Wildcard—Enter a list of IP address wildcard values.
    - Address Group: Select the IP address groups to which the action is enforced. For more information about adding address group objects, see Configure SASE User-Defined Objects.
    - Specify the Match Criteria for IP Address: Select the match criteria for the IP address:
      - Match only source IP address.
      - Match only destination IP address.
      - Match source or destination IP address.
      - Match source and destination IP address.
  - Allow List (Group of Fields): Choose the IP addresses and groups to allow.
    - IP Address: Select the IP addresses that are allowed. Enter information for the following fields:
      - IP Subnet—Enter a list of IPv4 or IPv6 subnet values.
      - IP Range—Enter a list of IP address ranges.
      - IP Wildcard—Enter a list of IP address wildcard values.
    - Address Group: Select the IP address groups that are allowed. For more information about adding address group objects, see Configure SASE User-Defined Objects.
    - Specify the Match Criteria for IP Address: Select the match criteria for the IP address:
      - Match only source IP address.
      - Match only destination IP address.
      - Match source or destination IP address.
      - Match source and destination IP address.
  - Enable Logging: Enable logging of the deny and allow lists.
- Click Next to go to the Geo IP-Based Actions screen, to add actions for geographic reputation-based IP filtering.

- To customize which columns display, click Select Columns and then click the columns to select or deselect the ones you want to display. Click Reset to return to the default column display settings. The options are:
- Action
- Match Type
- Regions
- Click the Add icon, and in the Add Location popup window, enter information for the following fields.

  Field: Description
  - Location Name: Select the name of the geographic reputation-based IP-filtering profile.
  - Action: Select the action to enforce when the IP-filtering profile encounters an IP address or IP address group that has an unacceptable geographic reputation:
    - Alert—Allow the IP address, and generate an entry in the IP-filtering log.
    - Allow—Allow the IP address, and do not generate an entry in the IP-filtering log.
    - Ask—The browser presents an information page that allows the user to either cancel the operation by clicking Cancel or continue with the operation by clicking OK (for HTTP and HTTPS).
    - Block—Block the IP address and generate an entry in the IP-filtering log. No response page is displayed, and the user cannot continue with the website.
    - Drop Packet—The browser waits for a response from the server and then drops the packets. It is not possible to determine whether the packet was dropped because of a delayed response from the server or because a firewall blocked access to the website.
    - Drop Session—The browser waits for a response from the server and drops the session. It is not possible to determine whether the session was dropped because of a delayed response from the server or because a firewall blocked access to the website.
    - Justify—The browser presents an information page that allows the user to either cancel the operation by clicking Cancel or continue with the operation after entering a justification message and clicking OK (for HTTP and HTTPS).
    - Reject—Send an ICMP unreachable message back to the client and reset the connection to the server.
  - Specify the Match Criteria for IP Address: Select the match criteria for the IP address:
    - Match only source IP address.
    - Match only destination IP address.
    - Match source or destination IP address.
    - Match source and destination IP address.
  - Select Country: Select one or more countries to specify the geographic region.
- Click Add.
- Click Next to go to the Reputation-Based Actions screen.

- To customize which columns display, click Select Columns and then click the columns to select or deselect the ones you want to display. Click Reset to return to the default column display settings. The options are:
- Action
- Match Type
- Reputations
- Click the Add icon, and in the Add Reputation popup window, enter information for the following fields.

  Field: Description
  - Reputation Name (Required): Enter a name for the IP reputation-based IP-filtering profile.
  - Action: Select the action to enforce when the IP-filtering profile encounters an IP address or IP address group that has an unacceptable reputation:
    - Alert—Allow the IP address, and generate an entry in the IP-filtering log.
    - Allow—Allow the IP address, and do not generate an entry in the IP-filtering log.
    - Ask—The browser presents an information page that allows the user to either cancel the operation by clicking Cancel or continue with the operation by clicking OK (for HTTP and HTTPS).
    - Block—Block the IP address and generate an entry in the IP-filtering log. No response page is displayed, and the user cannot continue with the website.
    - Drop Packet—The browser waits for a response from the server and then drops the packets. It is not possible to determine whether the packet was dropped because of a delayed response from the server or because a firewall blocked access to the website.
    - Drop Session—The browser waits for a response from the server and drops the session. It is not possible to determine whether the session was dropped because of a delayed response from the server or because a firewall blocked access to the website.
    - Justify—The browser presents an information page that allows the user to either cancel the operation by clicking Cancel or continue with the operation after entering a justification message and clicking OK (for HTTP and HTTPS).
    - Reject—Send an ICMP unreachable message back to the client and reset the connection to the server.
    - Add New: To create a new security action, click Add New. For information, see Configure SASE User-Defined Objects.
  - Specify the Match Criteria for IP Address: Select the match criteria for the IP address:
    - Match only source IP address.
    - Match only destination IP address.
    - Match source or destination IP address.
    - Match source and destination IP address.
  - Select one or more reputations: Select one or more reputations:
    - Botnets
    - Denial of service
    - Phishing
    - Proxy
    - Reputation
    - Scanners
    - Spam sources
    - Web attacks
    - Windows exploits
- Click Add.
- Click Next to go to the Address Reverse Lookup screen, to configure address reverse lookup, which performs a reverse lookup of an IP tuple (source IP address and destination IP address) and can then apply a URL-filtering profile on the reverse lookup domain. You can use this in conjunction with host reputation-based actions for non-HTTP or non-HTTPS traffic (for example, FTP traffic). Enter information for the following fields.

  Field: Description
  - Specify the address type to perform reverse lookup: Select the address type on which to perform a reverse lookup:
    - Match only source IP address.
    - Match only destination IP address.
    - Match source and destination IP address.
  - URL Filtering Profile: Select the URL-filtering profile to associate with IP address reverse lookup. For more information, see Configure Custom URL-Filtering Profiles.
- Click Next to go to the Default Action screen, to select the default action to perform when there are no matching criteria.

  Field: Description
  - Specify the default action to enforce if there are no criteria matched: Select the default action to perform when there are no matching criteria:
    - Alert—Allow the IP address, and generate an entry in the IP-filtering log.
    - Allow—Allow the IP address, and do not generate an entry in the IP-filtering log.
    - Drop Packet—The browser waits for a response from the server and then drops the packets. It is not possible to determine whether the packet was dropped because of a delayed response from the server or because a firewall blocked access to the website.
    - Drop Session—The browser waits for a response from the server and drops the session. It is not possible to determine whether the session was dropped because of a delayed response from the server or because a firewall blocked access to the website.
    - Reject—Send an ICMP unreachable message back to the client and reset the connection to the server.
    - Add New: To create a new security action, click Add New. For information, see Configure SASE User-Defined Objects.
  - Prioritize URL Reputation: Click to prioritize the URL reputation over the IP reputation. Instead of blocking the traffic in IP filtering based on reputation, traffic is further evaluated with URL filtering. URL reputation correlates with an actual website. When you configure an IP-filtering profile that blocks traffic based on IP reputation, some legitimate websites may be blocked. When the URL reputation meets the threshold you select in the URL Reputation Priority field, prioritizing URL reputation overrides the IP Reputation Action.
  - URL Reputation Priority: When you use Prioritize URL Reputation, select the priority to assign to the URL reputation when traffic is evaluated:
    - High risk (Priority 4)
    - Moderate risk (Priority 3)
    - Low risk (Priority 2)
    - Suspicious (Priority 1)
    - Trustworthy (Priority 0)—Ignore a website that is labeled as one with a bad reputation, or ignore an HTTP/SSL URL reputation check that indicates a bad IP reputation.
- Click Next to go to the Review and Submit screen.

- In the General section, enter a name for the IP-filtering profile and, optionally, a description and tags. A tag is an alphanumeric text descriptor with no spaces or special characters. You can add multiple tags to the same object. The tags are used for searching the objects.
- For all other sections, review the information. If you need to make changes, click the Edit icon.
- Click Save.
To delete an IP-filtering profile, select the profile in the IP Filtering tab and click the Delete icon.
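The Deny and Allow List step states that when traffic matches both lists, the deny list action takes precedence. The following Python sketch is an added example, not Versa code: it models only the deny list, the allow list, the four match criteria and the default action, so that overlapping entries can be found before a profile is saved. The `start-end` range syntax, the dictionary layout, the function names and the sample addresses are assumptions made for this example; wildcard entries, geolocation rules and reputation rules are not modelled.

```python
import ipaddress

def parse_entry(text):
    """Return (first, last) address of a CIDR subnet or an assumed 'start-end' range."""
    if "-" in text:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"bad range: {text}")
        return lo, hi
    net = ipaddress.ip_network(text.strip(), strict=False)
    return net.network_address, net.broadcast_address

def in_entry(ip, entry):
    lo, hi = parse_entry(entry)
    return ip.version == lo.version and lo <= ip <= hi

def list_matches(lst, src, dst):
    """Apply a list's match criteria to the session's source and destination."""
    s = any(in_entry(src, e) for e in lst["entries"])
    d = any(in_entry(dst, e) for e in lst["entries"])
    return {"source": s, "destination": d,
            "source-or-destination": s or d,
            "source-and-destination": s and d}[lst["criteria"]]

def evaluate(profile, src, dst):
    """Return (action, reason). The deny list is checked first, so it wins on overlap."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if list_matches(profile["deny"], src, dst):
        return profile["deny"]["action"], "deny-list"
    if list_matches(profile["allow"], src, dst):
        return "allow", "allow-list"
    return profile["default_action"], "default"

def overlapping_allow_entries(profile):
    """List (allow_entry, deny_entry) pairs whose address ranges overlap."""
    pairs = []
    for a in profile["allow"]["entries"]:
        a_lo, a_hi = parse_entry(a)
        for d in profile["deny"]["entries"]:
            d_lo, d_hi = parse_entry(d)
            if a_lo.version == d_lo.version and a_lo <= d_hi and d_lo <= a_hi:
                pairs.append((a, d))
    return pairs

# Constructed sample profile; addresses are RFC 5737 documentation ranges.
PROFILE = {
    "deny": {"entries": ["203.0.113.0/24", "198.51.100.10-198.51.100.20"],
             "criteria": "source-or-destination", "action": "block"},
    "allow": {"entries": ["203.0.113.5/32", "192.0.2.0/24"], "criteria": "destination"},
    "default_action": "alert",
}

if __name__ == "__main__":
    print(evaluate(PROFILE, "10.0.0.5", "203.0.113.5"))
    print(overlapping_allow_entries(PROFILE))
```

In the sample profile, the allow entry `203.0.113.5/32` sits inside the denied `203.0.113.0/24`, so a session to that host is still blocked; the overlap report flags such entries for review.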
Display IP Reputations
For Releases 12.1.1 and later.
You can look up the reputation for an IP address in the database of predefined IP reputations, and you can display information about the IP address, such as its geographic location.
To display information about IP reputations:
- Go to Configure > Real-Time Protection > Profiles > Filtering Profiles > IP Filtering.
Note: In Release 12.2.2, the Secure Web Gateway (SWG) tab was renamed Filtering Profiles.
- Click Lookup IP Reputation.

- In the Look Up IP Reputation and Geo Location popup window, enter information for the following fields.

  Field: Description
  - Gateway Name: Select the organization for which you want to look up the IP address reputation.
  - IP: Enter the IP address for which you want to look up the reputation.
- Click Test. The IP Reputation and Geo Location popup window displays information about the IP address, including its reputation and geographic location. For example:

- Click Cancel.
Supported Software Information
Releases 11.2.1 and later support all content described in this article, except:
- Release 12.1.1 adds support for looking up the reputation and geographic location of an IP address.
- In Release 12.2.2, the Secure Web Gateway (SWG) tab was renamed Filtering Profiles.
