# Traffic Lockdown

## Public Preview Announcement

This feature is currently in public preview. Please refer to the [noted limitations](#public-preview-notes-and-limitations) within this documentation.

## Overview

**Traffic Lockdown** is a network-level containment feature that enables Vectra to automatically add compromised host IP addresses to an external blocklist that your firewalls can subscribe to. When a host is added to Traffic Lockdown (manually or automatically), its IP address is published to a plain-text threat feed that integrated firewall devices poll and use to block traffic from that host.

This provides a multi-layered containment strategy alongside Host Lockdown and Account Lockdown, allowing you to isolate threats at the network level.

### How It Works

1. A host meets lockdown criteria (manual selection or automatic threshold)
2. Vectra adds the host's IP address to the managed blocklist
3. Subscribed firewalls poll the blocklist URL at their configured interval
4. Firewalls retrieve the updated IP list and enforce blocking rules
5. Traffic from the locked-down host is blocked at the network perimeter

***

## Configuration

### Prerequisites

* Vectra platform with Traffic Lockdown feature enabled
* Firewall(s) that support external threat feed/blocklist consumption
* Network connectivity between firewall(s) and Vectra appliance
* IP addresses of firewalls that will retrieve the blocklist

### Step 1: Enable Traffic Lockdown

1. Navigate to **Configuration > Response - Traffic Lockdown**
2. Toggle **On** the "Traffic Lockdown of hosts via your firewall" switch

### Step 2: Configure Authorized Firewall IPs

The **Authorized Firewall IPs** field controls which IP addresses are permitted to communicate with the Vectra appliance to retrieve the Traffic Lockdown feed. This provides an additional layer of access control to ensure only trusted firewall infrastructure can access the blocklist.

**Configuration Options:**

**Option 1: Specific Firewall IPs (Recommended for most environments)**

* Enter the IP addresses or CIDR ranges of your specific firewalls
* Provides the tightest control by explicitly allowlisting known firewall management IPs
* **Format**: One entry per line
* **CIDR supported**: Yes (e.g., `10.0.0.0/24`)
* **Maximum entries**: 50

**Example:**

```
192.168.1.10
10.50.0.0/24
172.16.5.100
```

**Option 2: Allow All Sources (`0.0.0.0/0`)**

Use `0.0.0.0/0` when:

* You have an extensive number of firewalls across multiple sites/clouds
* Your environment uses internal firewalls or network segmentation to control communications between devices and the Vectra appliance
* You manage access control through other means (e.g., VPN, jump hosts, bastion servers)
* Firewall IPs are dynamic or frequently change

**Example:**

```
0.0.0.0/0
```

**Important:** When using `0.0.0.0/0`, ensure your Vectra appliance is protected by other network security controls, as any IP address will be able to retrieve the blocklist URL. The blocklist itself only contains IP addresses and does not expose sensitive configuration data.
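As an added illustration of how the **Authorized Firewall IPs** field is evaluated (example code, not part of Vectra's product), the following parses a field value with the documented constraints (one entry per line, IPv4 or CIDR, at most 50 entries), checks whether a given firewall address is permitted, and flags the allow-all case so that it can be reviewed. The sample field contents are constructed from the two options above.

```python
import ipaddress

MAX_ENTRIES = 50  # limit documented for the Authorized Firewall IPs field
ALLOW_ALL = ipaddress.ip_network("0.0.0.0/0")


def parse_authorized_ips(field_text):
    """Parse the field contents (one IP or CIDR per line) into networks.

    Raises ValueError on a malformed entry or when more than MAX_ENTRIES
    are present, mirroring the constraints documented for the field.
    """
    networks = []
    for lineno, raw in enumerate(field_text.splitlines(), start=1):
        entry = raw.strip()
        if not entry:
            continue
        try:
            # strict=False tolerates host bits set, e.g. 10.50.0.1/24
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {entry!r} is not an IP or CIDR") from exc
    if len(networks) > MAX_ENTRIES:
        raise ValueError(f"{len(networks)} entries exceeds the maximum of {MAX_ENTRIES}")
    return networks


def allows_all(networks):
    """True when 0.0.0.0/0 is configured, i.e. any source may fetch the feed."""
    return any(net == ALLOW_ALL for net in networks)


def firewall_permitted(networks, firewall_ip):
    """True if firewall_ip falls inside any configured entry."""
    addr = ipaddress.ip_address(firewall_ip)
    return any(addr in net for net in networks)


# Constructed samples matching Option 1 and Option 2 above
SPECIFIC_FIELD = "192.168.1.10\n10.50.0.0/24\n172.16.5.100\n"
OPEN_FIELD = "0.0.0.0/0\n"

if __name__ == "__main__":
    nets = parse_authorized_ips(SPECIFIC_FIELD)
    for ip in ("10.50.0.77", "10.51.0.1"):
        print(ip, "permitted" if firewall_permitted(nets, ip) else "denied")
    if allows_all(parse_authorized_ips(OPEN_FIELD)):
        print("0.0.0.0/0 configured: any source can fetch the feed; rely on other controls")
```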

### Step 3: Note the Blocklist URL

Copy the **Vectra Managed Plain Text Source IP Block List URL** displayed in the configuration:

```
https://<vectra-ip>/firewall_mgmt/source_ips
```

You'll need this URL when configuring your firewall's external connector or threat feed subscription.

### Step 4: Configure Automatic Lockdown (Optional)

If you want Vectra to automatically lock down hosts that meet certain risk criteria:

1. Toggle **On** the "Enable Automatic Traffic Lockdown" switch
2. Set **Automatically disable hosts for**: choose a duration from the dropdown
   * 1 hour
   * 2 hours
   * 4 hours
   * 8 hours
   * 12 hours
   * 24 hours
3. Configure **Urgency Score Threshold for Auto Lockdown**:
   * Use slider to set minimum urgency score (10-100)
   * Hosts must meet or exceed this threshold
4. Configure **Importance Level**:
   * Use slider to set minimum importance level (Low, Medium, High)
   * Hosts must meet or exceed this level

**How Automatic Lockdown Works:**

* After saving this configuration, any host that meets or exceeds **all** configured thresholds is automatically added to Traffic Lockdown for the selected duration
* Hosts can be manually re-enabled at any time from the host details page
* After the configured duration expires, the host is automatically removed from lockdown

### Step 5: Save Configuration

Click **Save** to apply your Traffic Lockdown settings.

### SIEM Configuration (QUX only; with RUX no action is required)

If you store all data in a SIEM, update the syslog output configuration to send Traffic Lockdown logs. This is configured under **Settings - Notifications - Syslog**.

Edit the destinations that should receive these logs and ensure the Traffic Lockdown log type is selected.

![](https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2Fgit-blob-a08a17f321c1f74e6454660e980bbd94c97407cd%2Fcf93b04c0533e7b5eb4eacdc34c1b3ccdd7791433e3ead1ab9828daa0d7bbb9e.jpg?alt=media)

***

## Manual vs Automatic Traffic Lockdown

### Manual Lockdown

**When to use:** For immediate containment of specific hosts during active investigations

**How to enable:**

1. Navigate to the host details page for the target host
2. Click the **Lock Host** button within the Traffic Lockdown section
3. Specify how long the address should remain in the block list

**Characteristics:**

* Takes effect as soon as the firewall completes its next polling cycle
* Remains in lockdown until the selected duration expires or the host is manually removed with the **Unlock Host** button
* Best for confirmed threats or ongoing investigations

### Automatic Lockdown

**When to use:** For automated response to high-risk hosts

**How it works:**

* Vectra continuously monitors host urgency scores and importance levels
* When a host meets or exceeds **all** configured thresholds (Urgency **AND** Importance), it is automatically added to lockdown
* Host is automatically removed after the configured duration expires
* Can be manually removed at any time before expiration with the **Unlock Host** button

**Characteristics:**

* Threshold-based triggering
* Time-limited containment
* Reduces manual intervention for high-volume scenarios
* Auto-expires to prevent indefinite blocking of remediated hosts

***

## Public Preview Notes and Limitations

**This feature is currently in Public Preview.** The following capabilities are not yet available but are slated to be available in the production release:

### Not Available in Preview

* ❌ **API status check** to programmatically query Traffic Lockdown status

***

## General Limitations

The following capabilities are not available in the initial release but will be added in a future release:

### Authentication

* ❌ **HTTP Basic Authentication is not supported** for firewall access to the blocklist URL
* Access control is enforced via IP address allowlisting only (Authorized Firewall IPs)

### Testing & Validation

* ❌ **Test button** to add a non-user-impacting address to the block list to validate communication with the firewall
* ❌ **Audit output** to view the status of the last five attempts to access the threat feed

### IP Address Format Requirements

The blocklist feed supports:

* ✅ **Single IP addresses** in dotted decimal notation (e.g., `192.168.1.100`)
* ✅ **One IP address per line**
* ✅ **Fully qualified IPv4 addresses** (all four octets required)

The blocklist feed does **NOT** support:

* ❌ **CIDR notation** in the feed output (e.g., `10.0.0.0/24`)
* ❌ **IP ranges** (e.g., `192.168.1.1-192.168.1.254`)
* ❌ **Hostnames or FQDNs**

**Note:** While CIDR notation is supported for the **Authorized Firewall IPs** configuration field (to authorize multiple firewalls), the blocklist feed itself only contains individual IP addresses.
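To check a retrieved feed against the format rules above (one fully qualified IPv4 address per line; no CIDR, ranges or hostnames) and confirm that a locked-down host is actually present, here is an added validator (example code, not part of Vectra's product) that can be run over the text returned by the blocklist URL. The sample feed is constructed and deliberately includes entries the feed is documented not to carry, so the rejections are visible.

```python
import re
import ipaddress

# Constructed sample feed: two supported entries plus forms the feed is
# documented not to carry, so the checker's rejections are visible.
SAMPLE_FEED = """192.168.1.100
10.20.30.40
10.0.0.0/24
192.168.1.1-192.168.1.254
host.example.internal
10.1.2
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
RANGE_RE = re.compile(rf"^{IPV4}-{IPV4}$")


def classify(line):
    """Return 'ip' for a fully qualified IPv4 address, else why it is unsupported."""
    if "/" in line:
        return "cidr"
    if RANGE_RE.match(line):
        return "range"
    try:
        ipaddress.IPv4Address(line)  # rejects hostnames and incomplete octets
    except ipaddress.AddressValueError:
        return "hostname-or-invalid"
    return "ip"


def parse_feed(text):
    """Split feed text into (set of valid IPs, list of (line, reason) rejects)."""
    valid, rejected = set(), []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        kind = classify(line)
        if kind == "ip":
            valid.add(line)
        else:
            rejected.append((line, kind))
    return valid, rejected


def host_in_feed(text, host_ip):
    """True if host_ip appears in the feed as a single-address entry."""
    valid, _ = parse_feed(text)
    return str(ipaddress.IPv4Address(host_ip)) in valid
```

Pass the output of `curl https://<vectra-ip>/firewall_mgmt/source_ips` to `parse_feed` to list any entries a firewall would not load, and to `host_in_feed` to confirm a host's address is published.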

### Compatibility

The plain-text blocklist format is compatible with:

* Palo Alto Networks External Dynamic Lists (EDL)
* Fortinet External IP Address objects
* Juniper Dynamic Address IP Blocklists
* Any firewall vendor supporting text-based external IP lists for source address blocking

***

## Firewall Configuration Examples

*This section includes configuration examples for some common firewalls. This should be used for guidance only. Always refer to your firewall documentation corresponding to the firewall version in use.*

### Fortinet

*Fortinet employs an IP Address External Feed to support this capability.*

IP Address External Feed\
<https://docs.fortinet.com/document/fortigate/7.6.4/administration-guide/891236/ip-address-external-feed>

**User Interface:**

1. Go to *Security Fabric → External Connectors* and click **Create New**.
2. In the **External Feeds** section, click **IP Address**.
3. Set the **Name** to `_Vectra_SourceIP_Blocklist_`.
4. Set the **Update method** to **External Feed**.
5. Set the **URL of external resource** to the URL provided in the Vectra configuration.
6. Configure the remaining settings as required, then click **OK**.
7. **Edit** the connector, then click **View Entries** to view the IP addresses in the feed.

**Command Line:**

```
config system external-resource
    edit "_Vectra_SourceIP_Blocklist_"
        set type address
        set resource "https://<vectra-ip>/firewall_mgmt/source_ips"
        set server-identity-check {none | basic | full}
    next
end
```

`{none | basic | full}` is a placeholder: choose one value for `server-identity-check` according to how strictly the FortiGate should validate the Vectra appliance's TLS certificate.

Apply this feed as a source address in a policy to restrict connectivity as appropriate. In most cases this is a policy near the top of the list that denies this source group from communicating with the Internet, preventing a potentially compromised host from communicating externally. It can also be used in internal-to-internal (IN-to-IN) policies where appropriate.

`dyn-addr-session-check` is a FortiGate feature that enables the firewall to check existing sessions against dynamically updated threat feeds (External Connectors/Threat Feeds) and block them when new IPs are added.

When enabled, `dyn-addr-session-check` causes FortiGate to:

* Check **existing active sessions** against newly added IPs in External Connectors
* Automatically **block/drop** existing sessions when the source or destination IP matches a newly blocked entry
* Apply the block action defined in your firewall policy (deny, reset, etc.)

Without this setting, FortiGate only blocks **new** connection attempts while existing sessions continue unaffected.

This is configured at the **firewall policy level**, not globally:

```
config firewall policy
    edit <policy-id>
        set dyn-addr-session-check enable
    next
end
```

### Palo Alto NGFW

*Palo Alto employs an External Dynamic List (EDL) to support this capability.*

External Dynamic List\
<https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/policy/use-an-external-dynamic-list-in-policy/external-dynamic-list>

<https://docs.paloaltonetworks.com/ngfw/help/12-1/objects/objects-external-dynamic-lists>

**User Interface:**

1. Log into the Palo Alto firewall web interface
2. Navigate to *Objects → External Dynamic Lists*
3. Click **Add** to create a new list
4. Configure the EDL:
   * Name: Give it a descriptive name (e.g., **Threat-Feed-BlockList**)
   * Type: Select **IP List**
   * Description: Optional but recommended
   * Source: Enter your URL (`https://<vectra-ip>/firewall_mgmt/source_ips`)
   * Check for updates: Choose the frequency
     * **Five Minute** (most frequent)
     * **Hourly** (recommended for most feeds)
     * **Daily**
     * **Weekly**
     * **Monthly**
   * Certificate Profile: (Optional) If the HTTPS URL requires certificate validation
   * Exception List: (Optional) IPs to exclude from the block list
5. Click **OK**
6. Commit changes

**Command Line:**

```
admin@PA-VM> configure
admin@PA-VM# set external-list Vectra_SourceIP_Block_List type ip url "https://<vectra-ip>/firewall_mgmt/source_ips"
admin@PA-VM# set external-list Vectra_SourceIP_Block_List type ip recurring five-minute
admin@PA-VM# commit
```

{% hint style="warning" %}
**Important Notes**

* The EDL MUST be referenced by a policy or else it won't populate.
* If the certificate on Vectra is self-signed, you may need to update the Palo Alto configuration to not require server verification. This can be set using the CLI:

```
configure
set deviceconfig system server-verification no
commit
exit
```

{% endhint %}

***

## Troubleshooting

### Firewall Cannot Access Blocklist URL

**Symptoms:** Firewall shows connection errors or timeout when attempting to retrieve the blocklist

**Resolution:**

1. Verify firewall IP is listed in **Authorized Firewall IPs** (or `0.0.0.0/0` is configured)
2. Confirm network connectivity between firewall and Vectra appliance
3. Check firewall logs for specific error messages
4. Test connectivity: `curl https://<vectra-ip>/firewall_mgmt/source_ips` from firewall

### Host IP Not Appearing in Blocklist

**Symptoms:** Host added to Traffic Lockdown but IP not in feed

**Resolution:**

1. It can take up to five minutes for the host IP to appear in the block list
2. Verify host has a valid IP address assigned in Vectra
3. Check that IP is in supported format (single IPv4 address)
4. Allow time for firewall polling cycle (feeds are typically polled every 5-60 minutes)
5. Manually refresh/test the feed URL to confirm IP is present

### Automatic Lockdown Not Triggering

**Symptoms:** High-risk hosts not being automatically added to lockdown

**Resolution:**

1. Verify **Enable Automatic Traffic Lockdown** toggle is **On**
2. Confirm host urgency score meets or exceeds threshold
3. Confirm host importance level meets or exceeds threshold
4. Remember: **both** the urgency **and** importance thresholds must be met
5. It can take up to five minutes for the host IP to appear in the block list

***

## Related Features

* **Host Lockdown**: EDR-based endpoint isolation
* **Account Lockdown**: Identity-based account disablement

***
