Avanet
Threat Intelligence Feeds for the Firewall – Blocking Attacks Before They Knock

Some days, being an IT administrator feels like being under constant fire: bots and cybercriminals try to find gaps in the network minute by minute. A look at the firewall logs shows a flood of suspicious connection attempts from all over the world. Wouldn’t it be reassuring if known attackers never even reached your network perimeter? This is exactly where Threat Feeds come in - often also called Threat Intelligence Feeds or Threat Intel Feeds for short. But what are they, and why should you use them on the firewall?

Why do you need Threat Feeds on the firewall?

Threat Feeds are, in essence, continuously updated lists of known Indicators of Compromise (IoCs), such as malicious IP addresses, domains, or URLs. These feeds are provided by specialized sources: security organizations, industry initiatives, open-source communities, or commercial threat intelligence providers. A modern firewall can import these external feeds and automatically block traffic from known threats before an attack actually takes place.

New threats appear constantly, and no administrator can manually keep track of every dangerous IP address and domain. A Threat Intelligence Feed gives the firewall additional knowledge: it continuously tells the firewall which sources are currently known to be dangerous. The firewall can then block connections to those targets before malware or attackers can cause damage. In newer firewall models, for example Sophos from version 21 with Active Threat Response, support for such third-party feeds is already built in. Many other vendors offer similar features; the principle remains the same.

The advantages of a Threat Feed on the firewall are obvious:

  • Proactive protection: Known threats are blocked before they reach your network and can cause damage.
  • Flexibility: You can use feeds from various sources and adapt them to your own requirements – from free community feeds to highly specialized premium feeds.
  • Automation: The firewall updates and uses the feed automatically. Constant manual maintenance of blocklists is no longer necessary, which significantly reduces administrative effort.

In short, a firewall with a Threat Feed works like an early warning system that intercepts known bad sources at the network edge. This significantly improves infrastructure security and noticeably reduces the unwanted traffic that reaches internal systems in the first place.

Proactive defense: Stop bots and attacks in advance

A practical example of the value of Threat Feeds is defense against botnet-based attacks. Many security mechanisms, such as blocking after a certain number of failed attempts, detect brute-force attacks relatively reliably when they originate from a single IP address. Modern attackers, however, distribute their attempts across many bots. Each infected host may try only one or two logins, spread out over a long period. No single IP address stands out locally, so the attacks stay under the radar and bypass conventional protection mechanisms such as Fail2Ban or login limits.

This is where a broadly sourced Threat Intelligence Feed shows its strength. When logs from many firewalls are evaluated, it becomes visible that certain IP addresses show suspicious activity across multiple systems. If the same IP address appears with failed login attempts in the logs of dozens of different companies, that is a clear indicator of a coordinated attack. Those addresses are then marked in the Threat Feed and blocked centrally. Your own firewall benefits from this knowledge: as soon as one of these botnet hosts tries to connect even once, it is immediately identified and blocked before it can cause meaningful damage.

Avanet Firewall Telemetry for the Cybora Threat Intelligence Feed

Figure: The worldwide firewall network acts as a sensor-based early warning system. When a managed firewall detects a suspicious IP address and reports it to the central cloud database, all connected participants receive this information. The malicious IP is marked in the Threat Intelligence Feed and blocked on all firewalls in the network. This way, everyone benefits from the experience of others. Cybora then curates this into an excellent Threat Feed for us.

Through this shared Threat Intelligence, distributed and slow-moving attacks can also be stopped proactively. Every newly detected malicious IP address is added to the feed within a short time and therefore to the blocklist of all participating firewalls. As a result, the number of attack attempts that get through is drastically reduced. The firewall has to process less “noise”, and real attacks have a much harder time slipping through unnoticed.
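To make the correlation described above concrete, here is an added example (not code from Avanet or Cybora) that runs a per-firewall Fail2Ban-style threshold and a cross-site distinct-firewall count over constructed log lines; the site names, log line format and both thresholds are assumptions.

```python
"""Cross-firewall correlation of failed logins (added example on constructed data).
A per-site threshold (Fail2Ban style) misses a botnet that spreads attempts thinly;
counting the distinct firewalls an IP has hit does not."""
import re
from collections import defaultdict

# Constructed sample log lines in an assumed format: "<site> <timestamp> auth-fail src=<ip>".
# 203.0.113.10 tries once at each of four sites; 198.51.100.7 hammers a single site.
SAMPLE_LOGS = """\
fw-a 2025-01-10T08:00:01 auth-fail src=203.0.113.10
fw-b 2025-01-10T08:14:22 auth-fail src=203.0.113.10
fw-c 2025-01-10T09:02:45 auth-fail src=203.0.113.10
fw-d 2025-01-11T03:40:09 auth-fail src=203.0.113.10
fw-a 2025-01-10T08:00:05 auth-fail src=198.51.100.7
fw-a 2025-01-10T08:00:06 auth-fail src=198.51.100.7
fw-a 2025-01-10T08:00:07 auth-fail src=198.51.100.7
fw-a 2025-01-10T08:00:08 auth-fail src=198.51.100.7
fw-a 2025-01-10T08:00:09 auth-fail src=198.51.100.7
fw-b 2025-01-10T12:00:00 auth-fail src=192.0.2.55
"""

LINE_RE = re.compile(r"^(?P<site>\S+) \S+ auth-fail src=(?P<ip>\d{1,3}(?:\.\d{1,3}){3})$")

def parse(logs):
    """Yield (site, ip) for every failed-login line; lines that do not match are skipped."""
    for line in logs.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("site"), m.group("ip")

def local_blocks(logs, threshold=5):
    """Single-firewall view: IPs with at least `threshold` failures on any one site."""
    per_site = defaultdict(int)
    for site, ip in parse(logs):
        per_site[(site, ip)] += 1
    return sorted({ip for (_, ip), n in per_site.items() if n >= threshold})

def shared_indicators(logs, min_sites=3):
    """Feed view: IPs seen failing logins at `min_sites` or more independent firewalls."""
    sites_per_ip = defaultdict(set)
    for site, ip in parse(logs):
        sites_per_ip[ip].add(site)
    return sorted(ip for ip, sites in sites_per_ip.items() if len(sites) >= min_sites)

if __name__ == "__main__":
    print("per-site threshold flags:", local_blocks(SAMPLE_LOGS))          # ['198.51.100.7']
    print("cross-site correlation flags:", shared_indicators(SAMPLE_LOGS))  # ['203.0.113.10']
```

The distributed host is invisible to the local rule (one failure per site) but stands out immediately once several firewalls contribute their logs, which is exactly the signal a shared feed turns into a block entry.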

Simple integration into Sophos, Fortinet, Palo Alto & Co.

Fortunately, integrating a Threat Feed into common firewall platforms is straightforward. At Avanet, we focus primarily on the Sophos Firewall, but the feed can also be integrated into solutions from other vendors. Whether it is a Fortinet FortiGate, Palo Alto Networks, Check Point, OPNsense, or another product, most modern firewalls support external blocklists/Threat Feeds and can subscribe to a list of IPs or domains via URL.

Add Threat Intelligence Feeds to Sophos Firewall

Sophos XGS shows how simple the process is: in the web interface under “Third-Party Threat Feeds”, add a new feed, enter a name, the feed URL, and the type (IPv4, Domain, or URL), select Block as the action, and save. Fortinet and Palo Alto work in a similar way; the features simply have different names, such as External Block List on FortiGate or External Dynamic List on Palo Alto.

Generally, only a few steps are necessary to integrate the Cybora Threat Feed:

  1. Obtain feed URL: First, you receive the URL for the desired Threat Feed from us (e.g., for the Basic Feed or Premium).
  2. Enter in firewall: Open the area for external/custom Threat Feeds or blocklists in the firewall interface and add a new feed or connector there. Name and description can be chosen freely. Use the received feed URL as the source.
  3. Set filter rules: Specify which type of indicator is imported (IPv4 addresses, domains, URLs) and what the firewall should do with it – usually block. Then set the polling interval (e.g., every 6 hours) and save the configuration.

After these steps, the firewall automatically connects to the feed and loads the current Indicators of Compromise. From this point on, Threat Intel enrichment runs in the background: the list of malicious IPs and domains is regularly updated, and the firewall blocks all addresses contained in it automatically. The integration often takes only a few minutes, but the security gain is substantial.
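As an added example, not part of the original post or any vendor's code, the following script checks a plain-text IPv4 feed the way a cautious administrator might before switching the action to Block: it parses one address or CIDR per line, rejects private and reserved ranges that must never be blocked, merges overlapping entries, and answers whether a given source address would be dropped. The feed body, its line format and the list of never-block ranges are constructed assumptions.

```python
"""Sanity-checking a plain-text IPv4 threat feed before binding it to a Block action
(added example with a constructed feed body; not Cybora's data or any vendor's code)."""
import ipaddress

# Ranges that must never reach a block list: RFC 1918, loopback, link-local, "this" network.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]

# Constructed sample feed (assumed format: one IPv4 address or CIDR per line, '#' comments).
# RFC 5737 documentation addresses stand in for public attacker addresses.
SAMPLE_FEED = """\
# example feed, generated 2025-01-10 (constructed)
203.0.113.0/24
198.51.100.7
10.0.0.5          # private address that must never be blocked
192.0.2.77
not-an-ip
203.0.113.45      # already covered by the /24 above
"""

def parse_feed(text):
    """Return (networks, rejected): usable IPv4 networks and (entry, reason) pairs dropped."""
    networks, rejected = [], []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            rejected.append((entry, "unparseable"))
            continue
        if net.version != 4 or any(net.overlaps(r) for r in NEVER_BLOCK):
            rejected.append((entry, "not public IPv4"))
        else:
            networks.append(net)
    # Merge overlapping entries so a host already inside a listed /24 is not kept twice.
    return list(ipaddress.collapse_addresses(networks)), rejected

def is_blocked(networks, ip):
    """Would a connection from `ip` be dropped by a Block rule bound to this feed?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)

if __name__ == "__main__":
    nets, bad = parse_feed(SAMPLE_FEED)
    print("loaded:", [str(n) for n in nets])   # the /24 plus two /32 hosts
    print("rejected:", bad)                    # the private host and the junk line
    print("203.0.113.45 blocked:", is_blocked(nets, "203.0.113.45"))  # True
```

Running a check like this on every refresh, and alerting when an entry is rejected or the entry count changes drastically, is a cheap safeguard against a feed accidentally blocking your own address space.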

Curated Threat Intelligence Feeds from Cybora

There are numerous freely available blocklists and Threat Feeds on the internet. So why use a feed from Cybora? The challenge lies in the quality and timeliness of the data. Cybora has built a curated Threat Intelligence Feed that is specifically optimized for firewall use and continuously refined. Cybora’s approach combines many sources and filters them intelligently to deliver a comprehensive and reliable result. We use, among other things:

  • Public community and OSINT lists: e.g., known blocklists from the security community that collect current threats.
  • Commercial Threat Intelligence: purchased data feeds from specialized security providers that deliver exclusive material (e.g., on new malware domains).
  • Honeypots and our own sensors: Cybora operates honeypot systems and uses additional telemetry data to identify attackers, IPs, domains, and attack patterns.
  • Firewall telemetry from customer environments: Firewalls managed by Avanet can provide anonymized attack and anomaly logs, which Cybora includes in the analysis and curation of the feed.

By combining all this information, we create a continuously updated stream of malicious indicators that goes far beyond any single source. More importantly, Cybora curates and verifies the data to largely avoid false positives. Instead of blindly merging every available list, which could easily block legitimate services by mistake, we prioritize quality over quantity. Every IP address or domain in the Cybora Feed has actually been observed as attack or malicious infrastructure, often across several independent systems. This means you can trust the Cybora Feed and enable it on the firewall with confidence, without unnecessary concern about blocking legitimate traffic.

The Cybora Threat Intelligence Feed has been in use for some time on several firewalls managed by us and has been tested in different customer environments under real-world conditions. In controlled rollouts, we have continuously refined curation logic, update intervals, and quality checks. The result is a stable, practical feed that works on the firewall without additional effort and is continuously improved with operational feedback. New installations therefore benefit immediately from findings gathered in the field.

Four Threat Feed packages for every need

Not every environment needs the same depth of Threat Intelligence. That is why we offer the Cybora Threat Feed in four tiers, from the free basic package to the high-end solution. This makes it possible to choose the right level of protection for each environment:

Basic

  • 0 CHF per year
  • Update interval: every 24 h
  • IPv4 Feeds: ≈ 30,000 IPs

Standard

  • 179 $ per year
  • Update interval: every 6 h
  • IPv4 Feeds: ≈ 45,000 IPs
  • Support
  • 100 % discount for Sophos Firewall subscription customers*

Premium

  • 349 $ per year
  • Update interval: every 1 h
  • IPv4 Feeds: ≈ 120,000 IPs
  • Domain / URL Feeds
  • Support
  • 14 % discount for Sophos Firewall subscription customers*

Ultimate

  • 1999 $ per year
  • Update interval: every 15 min
  • IPv4 Feeds: > 220,000 IPs
  • Domain / URL Feeds
  • Support

  • Basic: Free baseline protection with community-based basic lists. Contains about 30,000 known malicious IP addresses and is updated every 24 hours. Ideal for smaller environments that want solid baseline protection at low cost.

  • Standard: Curated standard feed with broader coverage (approx. 45,000 IPs) and updates every 6 hours. Includes additional reliable sources to enable more precise detection and reduce false positives. Suitable for companies that want to noticeably improve security while reducing unnecessary traffic.

  • Premium: Premium feed for demanding environments, updated hourly. Includes around 120,000 known bad IPs and, from Q4/2025, extensive domain and URL feeds as well (over 30 curated lists). Contains exclusive data from our honeypots, partner feeds, and real-time analyses. For organizations that do not want to compromise on security.

  • Ultimate: The worry-free package with maximum coverage. Contains all available data points (currently more than 220,000 IPs) and is updated every 15 minutes, almost in real time. It offers the highest possible level of protection and is especially relevant for critical infrastructure or larger companies that want to prepare for any threat. This package is offered individually and is aimed at very demanding environments.

All variants of the Cybora Threat Feed are fully compatible with the Sophos Firewall (from v21 with the corresponding Xstream Protection license bundle) and the other systems mentioned above. You can start small, for example with the free Basic Feed, and switch to higher tiers later if security requirements grow. Existing customers who already use our Sophos Firewall subscription receive discounts on the paid feed packages, making integration worthwhile twice over.

Conclusion – Try it out and be one step ahead of the danger

Attacks are becoming more sophisticated and more frequent every day, but you do not have to face them unprotected. A Threat Intelligence Feed gives the firewall the head start it needs to block known threat sources before they knock on the door. Experience shows that once such a feed is enabled, many teams are surprised by how many connection attempts are automatically blocked in the first few days alone. Bot requests, scanners, and dubious login attempts that previously had to be handled by internal systems or separate rules now bounce directly off the firewall.

So why not see the difference for yourself? With the Cybora Basic Feed, you can test free of charge and without obligation how much unwanted traffic appears in your own environment, and how much of it is stopped at the source by the Threat Feed. The findings build confidence: you can see in black and white which part of daily traffic is actually malicious and no longer burdens the security infrastructure at all.

In the end, the message is simple: “Your firewall deserves more knowledge.” A Threat Feed is an effective way to provide that knowledge. By using swarm intelligence from thousands of sources, you stay one step ahead of attackers. Try it out - your firewall, and your peace of mind, will thank you.

FAQ

What is a Threat Feed or Threat Intelligence Feed?

A continuously updated stream of data with indicators for attacks such as IPs, domains, or URLs that can be automatically blocked by the firewall.

How does a Threat Feed differ from classic firewall rules or IPS?

Threat Feeds work reputation-based and proactively, before an attack becomes visible. Rules and IPS mostly react to patterns in traffic. The two approaches complement each other.

What license requirements apply to Sophos?

For convenient integration of external feeds, Xstream Protection is usually required.

Which firewalls are supported?

Sophos, Fortinet, Palo Alto, Check Point, OPNsense, and other platforms with support for external blocklists or External Dynamic Lists.

Since when has the Cybora Feed been in use?

We regularly test different Threat Feeds. Cybora’s feed has proven to be the best option so far: it offers excellent value for money and is specifically optimized for firewall use.

How large is the Cybora Threat Intel network?

Hundreds of production customer firewalls and several globally distributed honeypot servers on five continents continuously provide telemetry data. This data flows into the Cybora Threat Feed in curated form and is continuously updated.

Telemetry data is shared with Cybora only after prior agreement with the respective customer. We also anonymize the data before it is used for further analysis and curation.

Patrizio