Traffic Lockdown
Public Preview Announcement
This feature is currently in public preview. Please refer to the noted limitations within this documentation.
Overview
Traffic Lockdown is a network-level containment feature that enables Vectra to automatically add compromised host IP addresses to an external blocklist that your firewalls can subscribe to. When a host is added to Traffic Lockdown (manually or automatically), its IP address is published to a plain-text threat feed that integrated firewall devices poll and use to block traffic from that host.
This provides a multi-layered containment strategy alongside Host Lockdown and Account Lockdown, allowing you to isolate threats at the network level.
How It Works
A host meets lockdown criteria (manual selection or automatic threshold)
Vectra adds the host's IP address to the managed blocklist
Subscribed firewalls poll the blocklist URL at their configured interval
Firewalls retrieve updated IP list and enforce blocking rules
Traffic from the locked-down host is blocked at the network perimeter
Configuration
Prerequisites
Vectra platform with Traffic Lockdown feature enabled
Firewall(s) that support external threat feed/blocklist consumption
Network connectivity between firewall(s) and Vectra appliance
IP addresses of firewalls that will retrieve the blocklist
Step 1: Enable Traffic Lockdown
Navigate to Configuration > Response - Traffic Lockdown
Toggle On the "Traffic Lockdown of hosts via your firewall" switch
Step 2: Configure Authorized Firewall IPs
The Authorized Firewall IPs field controls which IP addresses are permitted to communicate with the Vectra appliance to retrieve the Traffic Lockdown feed. This provides an additional layer of access control to ensure only trusted firewall infrastructure can access the blocklist.
Configuration Options:
Option 1: Specific Firewall IPs (Recommended for most environments)
Enter the IP addresses or CIDR ranges of your specific firewalls
Provides tightest security by explicitly allowlisting known firewall management IPs
Format: One entry per line
CIDR supported: Yes (e.g., 10.0.0.0/24)
Maximum entries: 50
Example:
Option 2: Allow All Sources (0.0.0.0/0)
Use 0.0.0.0/0 when:
You have an extensive number of firewalls across multiple sites/clouds
Your environment uses internal firewalls or network segmentation to control communications between devices and the Vectra appliance
You manage access control through other means (e.g., VPN, jump hosts, bastion servers)
Firewall IPs are dynamic or frequently change
Example:
Important: When using 0.0.0.0/0, ensure your Vectra appliance is protected by other network security controls, as any IP address will be able to retrieve the blocklist URL. The blocklist itself only contains IP addresses and does not expose sensitive configuration data.
Step 3: Note the Blocklist URL
Copy the Vectra Managed Plain Text Source IP Block List URL displayed in the configuration:
You'll need this URL when configuring your firewall's external connector or threat feed subscription.
Step 4: Configure Automatic Lockdown (Optional)
If you want Vectra to automatically lock down hosts that meet certain risk criteria:
Toggle On the "Enable Automatic Traffic Lockdown" switch
Set Automatically disable hosts for: Choose duration from dropdown
1 hour
2 hours
4 hours
8 hours
12 hours
24 hours
Configure Urgency Score Threshold for Auto Lockdown:
Use slider to set minimum urgency score (10-100)
Hosts must meet or exceed this threshold
Configure Importance Level:
Use slider to set minimum importance level (Low, Medium, High)
Hosts must meet or exceed this level
How Automatic Lockdown Works:
After saving this configuration, any host that exceeds all configured thresholds will be automatically added to Traffic Lockdown for the selected duration
Hosts can be manually re-enabled at any time from the host details page
After the configured duration expires, the host is automatically removed from lockdown
Step 5: Save Configuration
Click Save to apply your Traffic Lockdown settings.
SIEM Configuration (QUX only, with RUX no action is required)
If you store all data in a SIEM, update the syslog output configuration to send Traffic Lockdown logs. This is configured under Settings - Notifications - Syslog.
Edit the destinations you wish to receive these logs and ensure the Traffic Lockdown log type is selected.

Manual vs Automatic Traffic Lockdown
Manual Lockdown
When to use: For immediate containment of specific hosts during active investigations
How to enable:
Navigate to the host details page for the target host
Click the Lock Host button within the Traffic Lockdown section
Specify how long the address should remain in the block list
Characteristics:
Takes effect as soon as the firewall completes its next polling cycle
Remains in lockdown until selected duration expires or is manually removed by using the Unlock Host button
Best for confirmed threats or ongoing investigations
Automatic Lockdown
When to use: For automated response to high-risk hosts
How it works:
Vectra continuously monitors host urgency scores and importance levels
When a host exceeds all configured thresholds (Urgency AND Importance), it's automatically added to lockdown
Host is automatically removed after the configured duration expires
Can be manually removed at any time before expiration by using the Unlock Host button
Characteristics:
Threshold-based triggering
Time-limited containment
Reduces manual intervention for high-volume scenarios
Auto-expires to prevent indefinite blocking of remediated hosts
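The following is an added Python model of the manual and automatic lockdown behaviour described above; it is not Vectra's code and the host names, IP addresses, thresholds and timestamps are constructed. It shows the point the troubleshooting section stresses, that the urgency and importance thresholds are combined with AND, together with the fixed duration choices, manual unlock before expiry, automatic removal when the duration elapses, and the resulting plain-text feed of one IPv4 address per line. The `TrafficLockdownList` class is a hypothetical in-memory stand-in for the managed blocklist.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Importance is ordinal: a host must meet or exceed the configured level.
IMPORTANCE_RANK = {"Low": 0, "Medium": 1, "High": 2}
# Durations offered by the "Automatically disable hosts for" dropdown (hours).
ALLOWED_DURATIONS_HOURS = (1, 2, 4, 8, 12, 24)


@dataclass
class Host:
    name: str
    ip: str
    urgency: int        # urgency score, 10-100
    importance: str     # "Low", "Medium" or "High"


@dataclass
class AutoLockdownPolicy:
    enabled: bool
    duration_hours: int
    urgency_threshold: int       # slider value, 10-100
    importance_threshold: str    # slider value, Low / Medium / High

    def __post_init__(self) -> None:
        if self.duration_hours not in ALLOWED_DURATIONS_HOURS:
            raise ValueError(f"duration must be one of {ALLOWED_DURATIONS_HOURS}")
        if not 10 <= self.urgency_threshold <= 100:
            raise ValueError("urgency threshold must be within 10-100")
        if self.importance_threshold not in IMPORTANCE_RANK:
            raise ValueError("importance threshold must be Low, Medium or High")

    def matches(self, host: Host) -> bool:
        """Both thresholds must be met (urgency AND importance), not just one."""
        if not self.enabled:
            return False
        return (host.urgency >= self.urgency_threshold
                and IMPORTANCE_RANK[host.importance]
                >= IMPORTANCE_RANK[self.importance_threshold])


@dataclass
class LockdownEntry:
    ip: str
    expires_at: datetime
    source: str   # "auto" or "manual"


class TrafficLockdownList:
    """Hypothetical in-memory stand-in for the managed blocklist (not Vectra's code)."""

    def __init__(self) -> None:
        self._entries: Dict[str, LockdownEntry] = {}

    def lock(self, host: Host, hours: int, now: datetime, source: str) -> None:
        self._entries[host.ip] = LockdownEntry(host.ip, now + timedelta(hours=hours), source)

    def unlock(self, ip: str) -> bool:
        """Manual 'Unlock Host': remove before expiry. Returns True if it was listed."""
        return self._entries.pop(ip, None) is not None

    def evaluate(self, hosts: List[Host], policy: AutoLockdownPolicy, now: datetime) -> List[str]:
        """Automatic lockdown pass: add every matching host that is not already listed."""
        added: List[str] = []
        for host in hosts:
            if host.ip not in self._entries and policy.matches(host):
                self.lock(host, policy.duration_hours, now, "auto")
                added.append(host.ip)
        return added

    def expire(self, now: datetime) -> List[str]:
        """Drop entries whose duration has elapsed (automatic removal)."""
        gone = [ip for ip, e in self._entries.items() if e.expires_at <= now]
        for ip in gone:
            del self._entries[ip]
        return gone

    def feed(self) -> str:
        """Plain-text feed: one fully qualified IPv4 address per line, nothing else."""
        ips = sorted(self._entries, key=ipaddress.IPv4Address)
        return "".join(f"{ip}\n" for ip in ips)


def demo() -> dict:
    # Constructed sample hosts and thresholds (not real data).
    policy = AutoLockdownPolicy(enabled=True, duration_hours=4,
                                urgency_threshold=80, importance_threshold="Medium")
    hosts = [
        Host("ws-01", "10.1.1.10", urgency=90, importance="High"),    # both thresholds met
        Host("ws-02", "10.1.1.20", urgency=90, importance="Low"),     # importance too low
        Host("ws-03", "10.1.1.30", urgency=70, importance="High"),    # urgency too low
        Host("ws-04", "10.1.1.40", urgency=80, importance="Medium"),  # exactly meets both
    ]
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    bl = TrafficLockdownList()
    added = bl.evaluate(hosts, policy, t0)
    feed_after_eval = bl.feed()
    bl.unlock("10.1.1.10")                           # analyst unlocks ws-01 early
    expired_3h = bl.expire(t0 + timedelta(hours=3))  # nothing has expired yet
    expired_4h = bl.expire(t0 + timedelta(hours=4))  # ws-04's 4 hour window ends
    return {"added": added, "feed_after_eval": feed_after_eval,
            "expired_3h": expired_3h, "expired_4h": expired_4h, "final_feed": bl.feed()}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, repr(value))
```

Running the block shows ws-02 and ws-03 never enter the list even though each clears one of the two thresholds, which is the first thing to check when automatic lockdown appears not to trigger.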
Public Preview Notes and Limitations
This feature is currently in Public Preview. The following capabilities are not yet available but are slated to be available in the production release:
Not Available in Preview
❌ API status check to programmatically query Traffic Lockdown status
General Limitations
The following capabilities are not available in the initial release but will be added in a future release:
Authentication
❌ HTTP Basic Authentication is not supported for firewall access to the blocklist URL
Access control is enforced via IP address allowlisting only (Authorized Firewall IPs)
Testing & Validation
❌ Test button to add a non-user impacting address to the block list to validate communication with the firewall
❌ Audit output to view the status of the last five attempts to access the threat feed
IP Address Format Requirements
The blocklist feed supports:
✅ Single IP addresses in dotted decimal notation (e.g., 192.168.1.100)
✅ One IP address per line
✅ Fully qualified IPv4 addresses (all four octets required)
The blocklist feed does NOT support:
❌ CIDR notation in the feed output (e.g., 10.0.0.0/24)
❌ IP ranges (e.g., 192.168.1.1-192.168.1.254)
❌ Hostnames or FQDNs
Note: While CIDR notation is supported for the Authorized Firewall IPs configuration field (to authorize multiple firewalls), the blocklist feed itself only contains individual IP addresses.
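The following added Python example (not Vectra's code) covers two things from this page: the feed format rules just listed, and the Authorized Firewall IPs allowlist from Step 2, which does accept CIDR and 0.0.0.0/0. `validate_feed` classifies every line of a feed body, rejecting CIDR, ranges, hostnames and partial addresses with a reason, `host_in_feed` answers the troubleshooting question of whether a given host IP is currently published, and `parse_authorized_firewall_ips` / `is_authorized` model the IP-allowlist-only access control that applies while HTTP Basic Authentication is unavailable. `SAMPLE_FEED` and the allowlist entries are constructed; in practice the feed body would come from the curl check in the troubleshooting section.

```python
import ipaddress
import re
from typing import List, Tuple

# Constructed sample feed body mixing valid lines with every unsupported form.
SAMPLE_FEED = """\
192.168.1.100
10.0.0.0/24
192.168.1.1-192.168.1.254
infected-host.example.internal
10.20.30
10.20.30.40 10.20.30.41
10.20.30.40
"""

MAX_AUTHORIZED_ENTRIES = 50   # limit stated for the Authorized Firewall IPs field
_RANGE_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}-\d{1,3}(?:\.\d{1,3}){3}$")

Reject = Tuple[int, str, str]   # (line number, offending line, reason)


def validate_feed(text: str) -> Tuple[List[str], List[Reject]]:
    """Classify each non-empty feed line as a single IPv4 address or an unsupported form."""
    valid: List[str] = []
    rejects: List[Reject] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if "/" in line:
            rejects.append((lineno, line, "CIDR notation is not supported in the feed"))
        elif _RANGE_RE.match(line):
            rejects.append((lineno, line, "IP ranges are not supported in the feed"))
        else:
            try:
                # IPv4Address insists on all four octets and exactly one address.
                valid.append(str(ipaddress.IPv4Address(line)))
            except ValueError:
                rejects.append((lineno, line,
                                "not a single fully qualified IPv4 address "
                                "(hostnames, FQDNs, partial addresses, several per line)"))
    return valid, rejects


def host_in_feed(text: str, host_ip: str) -> bool:
    """Troubleshooting helper: is this host's IP currently published in the feed?"""
    valid, _ = validate_feed(text)
    return str(ipaddress.IPv4Address(host_ip)) in valid


def parse_authorized_firewall_ips(text: str) -> List[ipaddress.IPv4Network]:
    """Parse the Authorized Firewall IPs field: one IPv4 address or CIDR per line, max 50."""
    nets: List[ipaddress.IPv4Network] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line:
            nets.append(ipaddress.IPv4Network(line, strict=False))  # "192.0.2.7" -> /32
    if len(nets) > MAX_AUTHORIZED_ENTRIES:
        raise ValueError(f"at most {MAX_AUTHORIZED_ENTRIES} entries are allowed")
    return nets


def is_authorized(source_ip: str, nets: List[ipaddress.IPv4Network]) -> bool:
    """Allowlist-only access control: the poller's source IP must fall in an authorized entry."""
    addr = ipaddress.IPv4Address(source_ip)
    return any(addr in net for net in nets)


if __name__ == "__main__":
    ok, bad = validate_feed(SAMPLE_FEED)
    print("valid:", ok)
    for lineno, line, reason in bad:
        print(f"line {lineno}: {line!r} rejected: {reason}")
    nets = parse_authorized_firewall_ips("10.0.0.0/24\n192.0.2.7\n")
    print("10.0.0.77 authorized:", is_authorized("10.0.0.77", nets))
    print("any source authorized:", is_authorized("203.0.113.5",
                                                  parse_authorized_firewall_ips("0.0.0.0/0")))
```

Because `is_authorized` returns True for every source once 0.0.0.0/0 is present, the same check makes the Step 2 caveat concrete: with that entry the appliance itself no longer restricts who can read the feed, so the restriction has to come from surrounding network controls.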
Compatibility
The plain-text blocklist format is compatible with:
Palo Alto Networks External Dynamic Lists (EDL)
Fortinet External IP Address objects
Juniper Dynamic Address IP Blocklists
Any firewall vendor supporting text-based external IP lists for source address blocking
Firewall Configuration Examples
This section includes configuration examples for some common firewalls. This should be used for guidance only. Always refer to your firewall documentation corresponding to the firewall version in use.
Fortinet
Fortinet employs an IP Address External Feed to support this capability.
IP Address External Feed https://docs.fortinet.com/document/fortigate/7.6.4/administration-guide/891236/ip-address-external-feed
User Interface
1. Go to Security Fabric > External Connectors and click Create New.
2. In the External Feeds section, click IP Address.
3. Set the Name to Vectra_SourceIP_Blocklist.
4. Set the Update method to External Feed.
5. Set the URL of external resource to the URL provided in the Vectra configuration.
6. Configure the remaining settings as required, then click OK.
7. Edit the connector, then click View Entries to view the IP addresses in the feed.
Command Line
config system external-resource
edit "Vectra_SourceIP_Blocklist"
set type address
set resource "https://<vectra-ip>/firewall_mgmt/source_ips"
set server-identity-check {none | basic | full}
next
end
Apply this feed as a source address in a policy to restrict connectivity as appropriate. In most cases this is a deny policy near the top of the policy table that stops the source group from communicating with the Internet, so a potentially compromised host cannot communicate externally. The feed can also be used in internal-to-internal (IN-to-IN) policies where appropriate.
dyn-add-session-check is a FortiGate feature that enables the firewall to check existing sessions against dynamically updated threat feeds (External Connectors/Threat Feeds) and block them when new IPs are added.
When enabled, dyn-add-session-check causes FortiGate to:
Check existing active sessions against newly added IPs in External Connectors
Automatically block/drop existing sessions when the source or destination IP matches a newly blocked entry
Apply the block action defined in your firewall policy (deny, reset, etc.)
Without this setting, FortiGate only blocks new connection attempts while existing sessions continue unaffected.
This is configured at the firewall policy level, not globally:
Palo Alto NGFW
Palo Alto employs an External Dynamic List (EDL) to support this capability.
External Dynamic List https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/policy/use-an-external-dynamic-list-in-policy/external-dynamic-list
https://docs.paloaltonetworks.com/ngfw/help/12-1/objects/objects-external-dynamic-lists
User Interface
Log into the Palo Alto firewall web interface
Navigate to **Objects → External Dynamic Lists**
Click **Add** to create a new list
Configure the EDL:
- Name: Give it a descriptive name (e.g., "Threat-Feed-BlockList")
- Type: Select **IP List**
- Description: Optional but recommended
- Source: Enter your URL (https://<vectra-ip>/firewall_mgmt/source_ips)
- Check for updates: Choose frequency
  - **Five Minute** (most frequent)
  - **Hourly** (recommended for most feeds)
  - **Daily**
  - **Weekly**
  - **Monthly**
- Certificate Profile: (Optional) If the HTTPS URL requires certificate validation
- Exception List: (Optional) IPs to exclude from the block list
Click **OK**
Commit changes
Command Line
admin@PA-VM> configure
admin@PA-VM# set external-list Vectra_SourceIP_Block_List type ip url "https://<vectra-ip>/firewall_mgmt/source_ips"
admin@PA-VM# set external-list Vectra_SourceIP_Block_List recurring custom-time interval 5
admin@PA-VM# set external-list Vectra_SourceIP_Block_List type ip recurring five-minute
admin@PA-VM# commit
Important Notes
The EDL MUST be referenced by a policy or else it won't populate.
If the certificate on Vectra is self-signed, you may need to update the Palo Alto configuration so that it does not require server verification. This can be set using the CLI:
configure
set deviceconfig system server-verification no
commit
exit
Troubleshooting
Firewall Cannot Access Blocklist URL
Symptoms: Firewall shows connection errors or timeouts when attempting to retrieve the blocklist
Resolution:
Verify the firewall IP is listed in Authorized Firewall IPs (or 0.0.0.0/0 is configured)
Confirm network connectivity between firewall and Vectra appliance
Check firewall logs for specific error messages
Test connectivity from the firewall: curl https://<vectra-ip>/firewall_mgmt/source_ips
Host IP Not Appearing in Blocklist
Symptoms: Host added to Traffic Lockdown but IP not in feed
Resolution:
It can take up to five minutes for the host IP to appear in the block list
Verify host has a valid IP address assigned in Vectra
Check that IP is in supported format (single IPv4 address)
Allow time for firewall polling cycle (feeds are typically polled every 5-60 minutes)
Manually refresh/test the feed URL to confirm IP is present
Automatic Lockdown Not Triggering
Symptoms: High-risk hosts not being automatically added to lockdown
Resolution:
Verify "Enable Automatic Traffic Lockdown" toggle is On
Confirm host urgency score meets or exceeds threshold
Confirm host importance level meets or exceeds threshold
Remember: Both urgency and importance thresholds must be exceeded
It can take up to five minutes for the host IP to appear in the block list
Related Features
Host Lockdown: EDR-based endpoint isolation
Account Lockdown: Identity-based account disablement