Viewing Blocked Malicious IPs

After the Public Subnet Filtering (PSF) gateway is launched, view or block malicious IPs by:

  • (Controller version 7.2.4820 or later) Navigating to Security > Distributed Cloud Firewall and configuring DCF rules that use ExternalGroups (Threat Feeds and Countries). This is the recommended method.

  • (Controller versions prior to 7.2.4820) Navigating to Security > ThreatIQ. Aviatrix strongly recommends upgrading to the DCF method described above.

    The PSF gateway generates NetFlow data, which is fed to FlowIQ. ThreatIQ monitors FlowIQ for any matches, and then alerts or programs a block on the corresponding gateway.

Since PSF gateways are open to inbound Internet traffic, they can generate a lot of alerts even if the traffic is blocked at a later step (such as by a Security Group).