Showing results for 
Search instead for 
Did you mean: 

Import IP Watchlist(s) to NSP Sensors

Has anybody been successful in importing IP Watchlist(s) for pro-active blocking on known malicious IPs?  I am considering using the NSP API to create FW objects, but fear I will hit a limit, as there are hundreds of IPs on the watchlist(s).  I'm hoping somebody has come up with a better solution or can confirm the API is my only path.

Thanks all

2 Replies
Reliable Contributor mjesmer
Reliable Contributor
Report Inappropriate Content
Message 2 of 3

Re: Import IP Watchlist(s) to NSP Sensors

So I can tell you from experience supporting this product that using it as a Firewall Solution is a bad idea. Because this product was not designed as a firewall you will run into limitations very quickly.  If you have a list of malicious IPs to be blocked from accessing your network I would recommend doing it on your Firewall not the NSP.

Depending on what sensors you have the limitations are as follow:

M-8000: 10,000
M-6050: 5,000
M-4050/3050: 3,000

M-2950/2850/2750: 2,000
M-1450/1250: 1,000

NS-9300/9200/9100: 20,000

NS-7300: 5,000

NS-7200/7100: 3,000

NS-5200/5100: 2,000

NS-3200/3100: 1,000


As you can see the limits are not large. Keep in mind that each FW Rule will also impact scanning and other resources.

Re: Import IP Watchlist(s) to NSP Sensors

Maintaining lists of "malicious" IP addresses is a losing battle, especially through anything manual. I'd strongly recommend the use of McAfee GTI wherever possible in the environment instead, and using similar threat intelligence feeds in other products, such as your firewalls. Those lists are dynamically updated (both as known-malicious, and also reverting to known-good) much better than you can hope to do by yourself. For NSP, you're better off using the country geo-location blocking instead when it comes to the firewall policies.

Further, IP addresses as lists of IOCs are more useful for hunting, than as a general defense. There's a reason they are low on the Pyramid of Pain.

Mark Boltz-Robinson, CISSP, CISA
Sr. DFIR Consultant

Foundstone Consulting Services
McAfee LLC

Do you have an emergency?
North America/LATAM – E-mail: Phone: +1 866 212 5589
EMEA – E-mail: Phone : +44 1753 217499
More McAfee Tools to Help You
  • Subscription Service Notification (SNS)
  • How-to: Endpoint Removal Tool
  • Support: Endpoint Security
  • eSupport: Policy Orchestrator
  • Community Help Hub

      New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

    • Find Forum FAQs
    • Learn How to Earn Badges
    • Ask for Help
    Go to Community Help

    Join the Community

      Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

    • Get helpful solutions from McAfee experts.
    • Stay connected to product conversations that matter to you.
    • Participate in product groups led by McAfee employees.
    Join the Community
    Join the Community