Threat Intelligence Feeds for the Firewall – Block attacks before they knock

Some days, IT administrators feel like they are under constant fire: bots and cyber criminals are trying to find loopholes in the network every minute. A glance at the firewall logs reveals a flood of suspicious connection attempts from all over the world. Wouldn’t it be reassuring if you didn’t even let known attackers come knocking on your own network? This is exactly where threat feeds come into play – often called threat intelligence feeds or threat intel feeds for short. But what is behind them and why should you use such feeds on your firewall?

Why do you need threat feeds on the firewall?

Threat feeds are basically constantly updated lists of known Indicators of Compromise (IoCs) – for example, malicious IP addresses, domains or URLs. These feeds are provided by specialized sources: Security organizations, industry initiatives, open source communities or commercial threat intelligence providers. A modern firewall can import such external feeds and automatically block traffic from known threats before an attack actually takes place.

New threats are constantly emerging and no administrator can manually keep track of all dangerous IPs and domains. This is where a threat intelligence feed provides the firewall with additional knowledge: It continuously informs it which sources are currently known to be dangerous. This enables the firewall to prevent connections to these targets before malware or attackers cause any damage. In newer firewall models (e.g. Sophos from version 21 with Active Threat Response), support for such third-party feeds is already firmly integrated. But many other manufacturers also have similar functions – the principle remains the same.

The advantages of a threat feed on the firewall are obvious:

  • Proactive protection: Known threats are blocked before they can reach your network and cause damage.
  • Flexibility: You can use feeds from various sources and adapt them to your own requirements – from free community feeds to highly specialized premium feeds.
  • Automation: The firewall updates and uses the feed automatically; constant manual updating of blacklists is no longer necessary, which considerably reduces the workload for admins.

In summary, a firewall with a threat feed works like an early warning system that intercepts known malicious senders at the network border. This significantly increases the security of the infrastructure and at the same time noticeably reduces the amount of unwanted traffic that reaches internal systems.

Proactive defense: stop bots and attacks in advance

A practical example of the added value of threat feeds is the defense against botnet-based attacks. Many security mechanisms (such as blocking after X failed attempts) detect brute force attacks relatively reliably if they originate from a single IP address. However, modern attackers spread their attempts across numerous bots: each individual infected host only tries one or two login attempts, for example, and this is spread over a long period of time. No single IP attracts negative attention locally – the attacks remain under the radar and bypass conventional protection mechanisms such as Fail2Ban or login limits.

This is where a broad-based threat intelligence feed comes into its own. If the logs of many firewalls are analyzed, it can be seen that certain IP addresses show conspicuous activity across several systems. For example, if the same IP appears in the login logs of dozens of different companies with failed attempts, this is a clear indication of a coordinated attack. Such addresses are then flagged in the threat feed and blocked centrally. Your own firewall learns from this: as soon as one of these botnet hosts tries to access you even once, it is immediately identified and blocked – thanks to feed knowledge – without being able to cause any significant damage.
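As an added illustration of the cross-site correlation described above (example code, not Avanet's pipeline; the site names, addresses and thresholds are constructed), the function below flags an IP once it has failed logins at several independent sites, even though each site alone saw too few attempts to trigger a local lockout:

```python
from collections import defaultdict

# Constructed sample telemetry: (reporting_site, source_ip, failed_logins),
# as many firewalls might report it. 203.0.113.10 makes only 1-2 attempts
# per site, which stays below any single site's lockout threshold.
SAMPLE_REPORTS = [
    ("site-a", "203.0.113.10", 1),
    ("site-b", "203.0.113.10", 2),
    ("site-c", "203.0.113.10", 1),
    ("site-d", "203.0.113.10", 1),
    ("site-e", "203.0.113.10", 2),
    ("site-a", "198.51.100.7", 40),  # classic single-source brute force
    ("site-b", "192.0.2.55", 1),     # seen at two sites only: not enough
    ("site-c", "192.0.2.55", 1),
]

LOCAL_LOCKOUT = 5  # failures one site tolerates before banning (Fail2Ban-style)
MIN_SITES = 3      # independent sites an IP must hit before the feed lists it

def local_bans(reports, threshold=LOCAL_LOCKOUT):
    """IPs that a single site would ban on its own (attempts >= threshold)."""
    return {ip for _site, ip, attempts in reports if attempts >= threshold}

def correlate(reports, min_sites=MIN_SITES):
    """Map IP -> sorted list of sites, for IPs failing logins at >= min_sites sites."""
    sites_per_ip = defaultdict(set)
    for site, ip, attempts in reports:
        if attempts > 0:
            sites_per_ip[ip].add(site)
    return {ip: sorted(s) for ip, s in sites_per_ip.items() if len(s) >= min_sites}

def feed_entries(reports):
    """Indicators the shared feed would publish: locally obvious plus distributed."""
    return sorted(local_bans(reports) | set(correlate(reports)))
```

Run against the sample, the distributed attacker 203.0.113.10 is caught only by the correlation step, while 192.0.2.55 (two sites, one attempt each) stays off the list.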

Avanet Firewall Network – Premium Threat Intelligence Feed

Illustration: Avanet’s global firewall network acts as a distributed sensor network and early warning system. If a managed firewall detects a suspicious IP and reports it to the central cloud database, all connected participants receive this information. The malicious IP is flagged in the threat intelligence feed and thus blocked on all firewalls in the network. In this way, everyone benefits from the experience of others.

This shared threat intelligence can also be used to proactively stop distributed, insidious attacks. Every newly detected malicious IP address ends up in the feed within a short time – and thus on the block list of all participating firewalls. As a result, the number of attack attempts that get through is drastically reduced. The firewall has to process less “noise” and genuine attacks have a much harder time getting through unseen.

Simple integration with Sophos, Fortinet, Palo Alto & Co.

Fortunately, it’s easy to integrate a threat feed into popular firewall platforms. At Avanet, we focus mainly on the Sophos Firewall, but our feed integrates just as well with solutions from other vendors. Whether Fortinet FortiGate, Palo Alto Networks, Check Point, OPNsense or others – most modern firewalls support external blocklists/threat feeds and can subscribe to a list of IPs/domains via URL.

Add threat intelligence feeds to Sophos Firewall

The example of Sophos XGS shows how easy it is: add a new feed via the web interface in the “Third-Party Threat Feeds” menu, enter a name, the feed URL and the type (IPv4, domain or URL), select Block as the action – done. Fortinet or Palo Alto also work in a similar way, only the functions there are called slightly differently (such as External Block List with FortiGate or External Dynamic List with Palo Alto).

In general, only a few steps are necessary to integrate our feed:

  1. Obtain feed URL: First you receive the URL to the desired threat feed from us (e.g. for the Basic or Premium feed).
  2. Add to firewall: In the firewall interface, open the area for external/user-defined threat feeds or blocklists and add a new feed/connector there. The name and description can be freely selected. Enter the received feed URL as the source.
  3. Set filter rules: Specify which type of indicator is imported (IPv4 addresses, domains, URLs) and what the firewall should do with it – usually block. Then set the polling interval (e.g. every 6 hours) and save the configuration.

After these steps, the firewall automatically connects to the feed and loads the current Indicators of Compromise. From this point on, threat intel delivery runs in the background: the list of malicious IPs and domains is regularly updated and the firewall blocks all the addresses it contains fully automatically. Integration therefore often only takes a few minutes – but the increase in security is enormous.
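The feed object created in the steps above expects one indicator type (IPv4, domain or URL), and a feed that is mixed, malformed or contains your own address space will either fail to load or block the wrong thing. As an added example (not Avanet's or Sophos's code; it assumes a plain-text feed with one indicator per line and `#` comments, and the sample feed, the `NEVER_BLOCK` ranges and all function names are constructed), here is a pre-import check a defender can run over a fetched feed before pointing the firewall at it:

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample feed: one indicator per line, '#' comments, mixed types.
SAMPLE_FEED = """# constructed sample feed
203.0.113.10
203.0.113.10
198.51.100.0/24
10.0.0.5
not-an-indicator
malware.example
http://malware.example/dl/payload
"""

# Ranges a feed must never make the firewall block (RFC 1918, loopback,
# link-local); add your own and your partners' public prefixes here too.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
_DOMAIN_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$", re.I)

def classify(entry):
    """Indicator type as a feed object expects it: 'ipv4', 'ipv6', 'domain', 'url' or 'invalid'."""
    try:
        return f"ipv{ipaddress.ip_network(entry, strict=False).version}"
    except ValueError:  # not an address or CIDR: try URL, then bare hostname
        parsed = urlparse(entry)
        if parsed.scheme in ("http", "https") and parsed.netloc:
            return "url"
        return "domain" if _DOMAIN_RE.match(entry) else "invalid"

def prepare_feed(text, wanted):
    """Deduplicate and keep only `wanted`-type entries; returns (kept, [(entry, reason)])."""
    kept, rejected, seen = [], [], set()
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()  # drop blank lines and comments
        if not entry or entry in seen:
            continue
        seen.add(entry)
        kind = classify(entry)
        if kind == "invalid":
            rejected.append((entry, "unparseable"))
        elif kind != wanted:
            rejected.append((entry, f"type {kind}, feed object is {wanted}"))
        elif kind == "ipv4" and any(
                ipaddress.ip_network(entry, strict=False).overlaps(r) for r in NEVER_BLOCK):
            rejected.append((entry, "private/reserved range"))
        else:
            kept.append(entry)
    return kept, rejected
```

Reviewing the `rejected` list before each polling cycle (or alerting on a non-empty "private/reserved range" bucket) is a cheap guard against an upstream curation mistake reaching the block list.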

Curated threat intelligence feeds from Avanet

Now there are numerous freely available blacklists and threat feeds on the Internet. So why use a feed from Avanet? The challenge lies in the quality and timeliness of the data. We have developed our own threat intelligence feed, which is specially optimized for firewalls and is constantly being refined. Our approach combines many sources and filters them intelligently to deliver a comprehensive and reliable result. Among other things, we use:

  • Public community and OSINT lists: e.g. known blocklists from the security community that collect current threats.
  • Commercial threat intelligence: purchased data feeds from specialized security providers that deliver exclusive material (e.g. on new malware domains).
  • Our own honeypots: We operate honeypot systems that attract attackers on the Internet and record their IPs, domains and attack patterns.
  • Our customers’ firewall network: Many of the firewalls we support send anonymized attack and anomaly logs to our central database (with consent, of course). This real field data shows at an early stage which IPs are currently actively attacking in the wild.

Combining all this information creates a constantly updated data stream of malicious indicators that goes far beyond individual sources. More importantly, we curate and review the data to largely eliminate false positives. Rather than simply throwing all possible lists together at random – which could easily block legitimate services – we focus on quality over quantity. Every IP or domain in the Avanet feed has actually shown up as an attack or malicious infrastructure, often on multiple independent systems. As a result, our feeds can be trusted and enabled in the firewall with a clear conscience, without fear of unnecessarily blocking legitimate traffic.

Our Threat Intelligence Feed has been in productive use since the end of 2024 and has been tested in various customer environments under real conditions. We have continuously refined the curation logic, update intervals and quality checks in controlled rollouts. The result is a stable, practical feed that works on the firewall without additional effort and is continuously improved with operational feedback. This means that new installations benefit immediately from the findings from the field.

Four threat feed packages for every need

Not every environment needs the same depth of threat intelligence. That’s why we offer our feed in four expansion levels – from the free basic package to the high-end solution. So everyone can find the right level of protection:


  • Basic: Free basic protection with community-based basic lists. Contains around 30,000 known malicious IP addresses and is updated every 24 hours. Ideal for smaller environments that want solid basic protection at a reasonable price.
  • Standard: Curated standard feed with broader coverage (approx. 45,000 IPs) and updates every 6 hours. Includes additional reliable sources to enable more precise detection and reduce the number of false positives. Suitable for companies that want to significantly increase their security while reducing unnecessary traffic.
  • Premium: Premium feed for high demands, updated hourly. Includes around 120,000 known bad IPs and – from Q4/2025 – additional extensive domain and URL feeds (over 30 curated lists). Contains exclusive data from our honeypots, partner feeds and real-time analysis. For organizations that don’t want to compromise on security.
  • Ultimate: The all-round carefree package with maximum coverage. Contains all available data points (currently ~190,000 IPs) and is updated every 15 minutes – almost in real time. Offers the highest possible protection and is particularly interesting for critical infrastructures or larger companies that want to arm themselves against any threat. (This package is offered individually and is aimed at very demanding environments).

All variants of our Threat Feed are fully compatible with the Sophos Firewall (from v21 with the corresponding Xstream Protection license bundle) and the other systems mentioned. You can start small – for example with the free Basic Feed – and switch to higher levels as your security requirements grow. For existing customers who are already using our Sophos Firewall subscription, there are discounts on the paid feed packages, so integration is doubly worthwhile.

Conclusion – Try it out and stay one step ahead of the danger

Attacks are becoming more sophisticated and more numerous every day – but you don’t have to be defenceless against them. A threat intelligence feed gives the firewall the necessary head start to block known sources of danger even before they knock on the door. Experience shows: Once you have activated such a feed, you are often surprised at how many connection attempts are automatically blocked within the first few days. All the bot requests, scanners and dubious login attempts that previously had to be laboriously blocked by internal systems or separate rules now bounce right off the firewall.

So why not experience the difference it makes for yourself? With our Avanet Basic Feed, you can test free of charge and without obligation how much unwanted traffic is generated in your own environment – and how much of it is nipped in the bud by the Threat Feed. The knowledge gained creates trust: You can see in black and white which part of the daily traffic is actually malicious and now no longer strains the security infrastructure at all.

In the end: “Your firewall deserves more knowledge.” A threat feed is an effective way of providing this knowledge. By using swarm intelligence from thousands of sources, you stay one step ahead of attackers. Give it a try – your firewall (and your restful sleep) will thank you.

FAQ

What is a threat feed or threat intelligence feed?

A continuously updated data stream with indicators for attacks such as IPs, domains or URLs that can be automatically blocked by the firewall.

How does a threat feed differ from classic firewall rules or IPS?

Threat feeds are reputation-based and work proactively before an attack is detected. Rules and IPS usually react to patterns in traffic. The two complement each other.

What are the license requirements for Sophos?

Xstream Protection is usually required for the convenient integration of external feeds.

Which firewalls are supported?

Sophos, Fortinet, Palo Alto, Check Point, OPNsense and other platforms with support for external blocklists or external dynamic lists.

How long has the Avanet Feed been in use?

In production at several customers since the end of 2024, continuously developed on the basis of real operating data.

How large is the Avanet Threat Intel network?

Hundreds of our customers’ productive firewalls and several globally distributed honeypot servers on five continents continuously supply telemetry data. This curated data flows into our threat feed and is constantly updated.

Patrizio

Patrizio is an experienced network specialist with a focus on Sophos firewalls, switches and access points. He supports customers or their IT department in the configuration and migration of Sophos firewalls and ensures optimal network security through clean segmentation and firewall rule management.
