For Distributed Firewall, you can setup Malicious IP Feeds and download a list of known malicious IPs.

The system downloads these IPs from NTICS cloud service and creates a malicious IP group with them. You can also create custom malicious IP groups to specify IPs and IP addresses only groups that should be treated as exceptions and must not be blocked. To block access to malicious IPs, configure firewall rules containing malicious IP groups. You can also monitor the system for any exceptions and if required exclude IPs from getting blocked.

Once you activate Malicious IP Feeds, the IPs are updated at a system defined frequency.

Note: If you are the Greenfield customer, this feature is by default enabled for you with the appropriate license. If you are the Brownfield customer, you will have to perform the steps mentioned in the procedure to enable this feature.

You can also manually update the IPs by clicking Download Latest Feed on the Settings page. Later, at any time if you turn off Malicious IP Feeds and you have rules with malicious IP groups, the rules might get enforced with outdated data.

To activate Malicious IP Feeds:


  1. Navigate to Security > Distributed Firewall.
  2. Go to Settings > Malicious IP Feeds.
  3. Set the Auto Update toggle to On. The Last Updated field shows the status of the download. It also shows the date and time of the the last download.


The system downloads malicious IPs and creates a malicious IP group with the downloaded IPs.