Blocklisting
Blocklisting with Defused allows you to convert real attacker telemetry into enforceable perimeter controls. This workflow uses the honeypot feeds you subscribe to, matching the technologies you run in production, to identify hostile IPs or exploit sources and push them into your security stack.
Workflow
1. Subscribe to Relevant Feeds
Choose feeds that reflect the software and appliances your organisation actually exposes.
For example:
- If you use F5 or Fortinet appliances: subscribe to F5 Big-IP, F5 Big-IP Legacy, FortiGate, FortiWeb.
- If you operate remote access infrastructure: subscribe to Palo Alto GlobalProtect, Ivanti Connect Secure, SonicWall SMA, Citrix NetScaler.
- If you run enterprise web apps or middleware: subscribe to SharePoint, SAP NetWeaver, Oracle E-Business, Atlassian Jira, Adobe Experience Manager.
- If you rely on general Windows infrastructure: subscribe to Windows WSUS, VMware vCenter, Jenkins, GoAnywhere MFT, etc.
Subscribing to feeds tied to your real attack surface ensures the blocklist reflects threats actually targeting you.
2. Track High-Severity Events
Monitor events that indicate clearly malicious intent:
- Critical - 0-day / n-day exploitation, breaking changes, or (coming Q1) post-breach behaviour
- Major - vulnerability exploitation attempts, RCE attempts, deserialization probes, authentication bypass tests
- Medium - targeted enumeration, version probing, login attempts, structured reconnaissance
These event classes identify malicious infrastructure worth adding to blocklists.
3. Export Relevant Events as CSV
Use filters to narrow results by:
- Severity (Critical / Major / Medium)
- Specific decoys (e.g., “FortiWeb”, “Ivanti Connect Secure”)
- Time range
- Payload or exploit type
Once filtered, export the events as a CSV file.
Defused TF (base tier): up to 500 alerts per filtered export.
The CSV includes source IPs, timestamps, payload metadata, and severity.
4. Process & Import Into a Security Device
Convert the CSV into a list of IPs or indicators for enforcement.
Most users automate this step with scripts, SIEM connectors, or SOAR playbooks.
Example: Importing into FortiGate via an External Block List
FortiGate supports ingesting IP blocklists using its External Threat Feed feature:
- Extract IP addresses from the Defused CSV into a newline-separated .txt file.
- Upload the file to an internal HTTPS endpoint or object storage bucket (e.g., an S3 public-blocklist path).
- In FortiGate:
  - Go to Security Fabric → External Connectors
  - Add a new Threat Feed of type IP Address
  - Point it to the hosted .txt file
- Create a Firewall Policy using this feed as a source address blocklist.
- Set an automatic refresh interval (e.g., every 5 minutes).
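The extraction step above, as an added example (not Defused or Fortinet code): it reads the exported CSV, keeps only rows at or above a chosen severity, drops malformed and non-routable addresses so the feed can never block internal hosts, de-duplicates, and writes the one-address-per-line .txt file the FortiGate threat feed expects. The column names (`source_ip`, `severity`) and the sample rows are assumptions, not the real export format.

```python
import csv
import io
import ipaddress

# Constructed sample export. Column names are an assumption about the Defused CSV.
SAMPLE_CSV = """timestamp,source_ip,severity,decoy,payload_type
2024-05-01T10:00:00Z,203.0.113.10,Critical,FortiWeb,RCE attempt
2024-05-01T10:01:00Z,203.0.113.10,Major,FortiWeb,deserialization probe
2024-05-01T10:02:00Z,198.51.100.7,Medium,Ivanti Connect Secure,version probing
2024-05-01T10:03:00Z,10.0.0.5,Critical,FortiGate,0-day exploitation
2024-05-01T10:04:00Z,not-an-ip,Major,SharePoint,auth bypass test
2024-05-01T10:05:00Z,192.0.2.44,Major,SAP NetWeaver,RCE attempt
"""

SEVERITY_RANK = {"Critical": 3, "Major": 2, "Medium": 1}

# Ranges that must never reach a perimeter blocklist (RFC 1918, loopback, link-local,
# CGNAT, multicast, reserved, and their IPv6 equivalents). Documentation ranges such
# as 203.0.113.0/24 are deliberately not listed so the constructed sample passes.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::1/128", "fc00::/7", "fe80::/10",
)]

def is_blockable(addr):
    """True if addr is outside every range in NEVER_BLOCK."""
    return not any(addr in net for net in NEVER_BLOCK)

def extract_block_ips(csv_text, min_severity="Major",
                      ip_column="source_ip", severity_column="severity"):
    """Return a sorted, de-duplicated list of blockable IPs at or above min_severity."""
    threshold = SEVERITY_RANK[min_severity]
    keep = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if SEVERITY_RANK.get(row.get(severity_column, ""), 0) < threshold:
            continue                      # below the chosen severity floor
        try:
            addr = ipaddress.ip_address(row[ip_column].strip())
        except (KeyError, ValueError):
            continue                      # missing column or malformed address
        if is_blockable(addr):
            keep.add(addr)
    return [str(a) for a in sorted(keep, key=lambda a: (a.version, a))]

def render_feed(ips):
    """FortiGate IP threat feeds expect one address or CIDR per line."""
    return "\n".join(ips) + "\n"

if __name__ == "__main__":
    ips = extract_block_ips(SAMPLE_CSV, min_severity="Major")
    with open("defused-blocklist.txt", "w") as fh:
        fh.write(render_feed(ips))
    print(f"wrote {len(ips)} addresses")
```

Because a base-tier export is capped at 500 alerts, run the script over each filtered export and merge the results before publishing the file to the HTTPS endpoint the FortiGate connector polls.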
Note: This workflow is for illustrative purposes. FortiGate capabilities, UI locations, and configuration steps may change between releases.
Always refer to the official Fortinet documentation for the most accurate and up-to-date instructions.