Has anybody been successful in importing IP Watchlist(s) for pro-active blocking on known malicious IPs? I am considering using the NSP API to create FW objects, but fear I will hit a limit, as there are hundreds of IPs on the watchlist(s). I'm hoping somebody has come up with a better solution or can confirm the API is my only path.
So I can tell you from experience supporting this product that using it as a Firewall Solution is a bad idea. Because this product was not designed as a firewall you will run into limitations very quickly. If you have a list of malicious IPs to be blocked from accessing your network I would recommend doing it on your Firewall not the NSP.
Depending on what sensors you have the limitations are as follow:
As you can see the limits are not large. Keep in mind that each FW Rule will also impact scanning and other resources.
Maintaining lists of "malicious" IP addresses is a losing battle, especially through anything manual. I'd strongly recommend the use of McAfee GTI wherever possible in the environment instead, and using similar threat intelligence feeds in other products, such as your firewalls. Those lists are dynamically updated (both as known-malicious, and also reverting to known-good) much better than you can hope to do by yourself. For NSP, you're better off using the country geo-location blocking instead when it comes to the firewall policies.
Further, IP addresses as lists of IOCs are more useful for hunting, than as a general defense. There's a reason they are low on the Pyramid of Pain.
Download the new ePolicy Orchestrator (ePO) Support Center Extension which simplifies ePO management and provides support resources directly in the console. Learn more about ePO Support Center