When third-party threat feeds are selected, they are curated to include a threat level, so all of these feeds are included by default under the CC category on the SRX. The action is based on the CC profile that is created within the SecIntel configuration.
Check the output from the SRX below, which shows the TOR and DShield feeds included as part of CC.
SRX> show services security-intelligence category summary CC
Category name     :CC
Status            :Enable
Description       :Command and Control data schema
Update interval   :1800s
TTL               :3456000s
---<SNIP>--
  Feed name       :cc_ip_dshield
  logical-system  :root-logical-system
  Vrf name        :junos-default-vrf
  Version         :20231128.1
  Objects number  :19
  Create time     :2023-11-28 05:27:15 UTC
  Update time     :2023-11-28 16:51:58 UTC
  Update status   :Store succeeded
  Expired         :No
  Status          :Active
  Options         :N/A

  Feed name       :cc_ip_tor
  logical-system  :root-logical-system
  Vrf name        :junos-default-vrf
  Version         :20231128.1
  Objects number  :1220
  Create time     :2023-11-28 13:35:58 UTC
  Update time     :2023-11-28 16:51:58 UTC
  Update status   :Store succeeded
  Expired         :No
  Status          :Active
  Options         :N/A
---<SNIP>--
The action is determined by the risk profile configured for the CC category under security-intelligence. In the profile below, I am blocking any threat level above 7.
set services security-intelligence profile CC_Prof category CC
set services security-intelligence profile CC_Prof rule r1 match threat-level 10
set services security-intelligence profile CC_Prof rule r1 match threat-level 9
set services security-intelligence profile CC_Prof rule r1 match threat-level 8
set services security-intelligence profile CC_Prof rule r1 match threat-level 7
set services security-intelligence profile CC_Prof rule r1 then action block close
set services security-intelligence profile CC_Prof rule r1 then log
------------------------------
Pradeep Hattiangadi
------------------------------
Original Message:
Sent: 11-22-2023 08:30
From: A.TBC
Subject: SkyATP
Hello,
We currently have SkyATP up and running and I've discovered the "Third Party Threat Feeds" features with various updated IP lists.
We would like to activate it to block traffic coming from IPs or links present in these lists to our equipment behind our firewall.
We've already activated "set services security-intelligence profile CC-profile category CC" but we can't figure out how to activate it, or even if we need to configure anything on our firewalls to activate the features ticked off in the screenshot below. And if it's activated simply by ticking the box, how can we be sure it's working?
Regards,
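A complete binding for the profile shown in the reply above, as an added example written for this thread (it is not configuration from either poster or from Juniper documentation). The SecIntel profile on its own inspects nothing: it has to be referenced by a security-intelligence policy, and that policy has to be applied as an application service in the security policy that the traffic actually matches, which is the step the original question was missing. The zone names trust/untrust, the policy names CC_Pol and allow-out, and the permit-and-log default rule are assumptions for illustration; the threat-level list form is equivalent to the four separate match lines in the reply.

```junos
# SecIntel profile: what to do with a CC hit, by threat level (same intent as the reply above)
set services security-intelligence profile CC_Prof category CC
set services security-intelligence profile CC_Prof rule r1 match threat-level [ 7 8 9 10 ]
set services security-intelligence profile CC_Prof rule r1 then action block close
set services security-intelligence profile CC_Prof rule r1 then log
# Assumed: hits below the block threshold are permitted but logged, so the feeds are
# visible in the logs before anything is blocked
set services security-intelligence profile CC_Prof default-rule then action permit
set services security-intelligence profile CC_Prof default-rule then log

# SecIntel policy: ties the CC category to the profile (the name CC_Pol is an assumption)
set services security-intelligence policy CC_Pol CC CC_Prof

# Security policy: the CC lookup only runs on sessions that match a policy applying CC_Pol
# (zone names trust/untrust and the policy name allow-out are assumptions)
set security policies from-zone trust to-zone untrust policy allow-out match source-address any
set security policies from-zone trust to-zone untrust policy allow-out match destination-address any
set security policies from-zone trust to-zone untrust policy allow-out match application any
set security policies from-zone trust to-zone untrust policy allow-out then permit application-services security-intelligence-policy CC_Pol
set security policies from-zone trust to-zone untrust policy allow-out then log session-init
commit
```

To confirm it is doing something rather than just ticked in the portal: `show services security-intelligence category summary CC` should list each enabled feed with Status Active, Expired No and an Update time that keeps advancing at the Update interval; `show security dynamic-address category-name CC` shows the addresses actually loaded from those feeds; and `show services security-intelligence statistics` counts hits per profile, with each hit also written to the security log as a SECINTEL_ACTION_LOG entry. A feed that shows Expired Yes or a stale Update time means the SRX has lost contact with the cloud, and nothing in that feed is being enforced.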