Threat Intelligence Feeds for the Firewall – Blocking Attacks Before They Knock
On some days, as an IT administrator, you feel like you are under constant fire: bots and cybercriminals probe the network for loopholes every minute. A look at the firewall logs shows a flood of suspicious connection attempts from all over the world. Wouldn’t it be reassuring if known attackers weren’t even allowed to knock on your network? This is exactly where Threat Feeds come into play – often also called Threat Intelligence Feeds or Threat Intel Feeds for short. But what is behind these feeds, and why should you use them on the firewall?
Why do you need Threat Feeds on the firewall?
Threat Feeds are basically constantly updated lists of known Indicators of Compromise (IoCs) – for example, malicious IP addresses, domains, or URLs. These feeds are provided by specialized sources: security organizations, industry initiatives, open-source communities, or commercial threat intelligence providers. A modern firewall can import such external feeds and thereby automatically block traffic from known threats even before an attack actually takes place.
New threats appear constantly, and no administrator can manually keep an eye on all dangerous IPs and domains. A Threat Intelligence Feed gives the firewall this additional knowledge: it continuously tells the firewall which sources are currently known to be dangerous, so connections from or to these addresses can be dropped before malware or attackers cause any damage. In newer firewall releases (e.g., Sophos Firewall from version 21, as part of Active Threat Response), support for such third-party feeds is built in. Many other manufacturers offer similar functions – the principle remains the same.
The advantages of a Threat Feed on the firewall are obvious:
- Proactive protection: Known threats are blocked before they reach your network and can cause damage.
- Flexibility: You can use feeds from various sources and adapt them to your own requirements – from free community feeds to highly specialized premium feeds.
- Automation: The firewall updates and uses the feed automatically; constant manual updating of blocklists is no longer necessary, which significantly relieves admins.
In summary, a firewall with a Threat Feed works like an early warning system that intercepts known bad senders at the network border. This raises the security of the infrastructure and, at the same time, noticeably reduces the unwanted traffic that reaches internal systems at all.
Proactive defense: Stop bots and attacks in advance
A practical example of the added value of Threat Feeds is the defense against botnet-based attacks. Many security mechanisms (such as blocking after X failed attempts) detect brute-force attacks quite reliably as long as they originate from a single IP address. Modern attackers, however, distribute their attempts across numerous bots: each infected host makes only one or two login attempts, spread over a long period. No single IP stands out locally – the attack stays under the radar and slips past conventional protection mechanisms such as Fail2Ban or login limits.
This is where a broadly positioned Threat Intelligence Feed shows its strength. When the logs of many firewalls are evaluated together, it becomes visible that certain IP addresses show suspicious activity across several systems. If the same IP appears with failed login attempts in the logs of dozens of different companies, that is a clear indication of a coordinated attack. Such addresses are then marked in the Threat Feed and blocked centrally. Your own firewall learns from this: as soon as one of these botnet hosts makes even a single attempt against you, it is already identified and repelled thanks to the feed – before it can cause any significant damage.

Figure: The worldwide firewall network serves as a sensory early warning system. If a managed firewall detects a suspicious IP and reports it to the central cloud database, all connected participants receive this information. The malicious IP is marked in the Threat Intelligence Feed and thereby blocked on all firewalls in the network. This way, everyone benefits from the experiences of others. Cybora then curates this for us into an excellent Threat Feed.
Through this shared Threat Intelligence, distributed, creeping attacks can also be stopped proactively. Every newly detected malicious IP address lands in the feed within a short time – and thus on the blocklist of all participating firewalls. As a result, the number of successful attack attempts is drastically reduced. The firewall has to process less “noise”, and real attacks have a much harder time getting through unseen.
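To make the distributed-attack argument above concrete, here is an added example (not code from the original page, and not Cybora’s or Sophos’ own logic) that runs a Fail2Ban-style per-site threshold and a cross-site correlation over a handful of constructed sshd “Failed password” lines from four hypothetical sites. The site names, timestamps, PIDs and IPs (RFC 5737 documentation addresses) are invented; the threshold of five attempts and the minimum of three sites are assumptions for the example.

```python
"""Cross-site correlation of failed-login sources.

Added example for this article; not Cybora's or Sophos' code. Shows why a
per-host threshold (Fail2Ban style) misses a distributed brute-force while
correlating the same logs across several sites does not. All log lines are
constructed; the IPs are RFC 5737 documentation addresses.
"""
import re
from collections import Counter, defaultdict

# Stock OpenSSH syslog wording; hosts, timestamps and PIDs are invented.
SAMPLE_LOGS = {
    "site-a": [
        "Jan 10 08:00:01 fw-a sshd[1201]: Failed password for root from 198.51.100.77 port 51022 ssh2",
        "Jan 10 08:00:04 fw-a sshd[1201]: Failed password for root from 198.51.100.77 port 51023 ssh2",
        "Jan 10 08:00:07 fw-a sshd[1202]: Failed password for root from 198.51.100.77 port 51024 ssh2",
        "Jan 10 08:00:10 fw-a sshd[1202]: Failed password for admin from 198.51.100.77 port 51025 ssh2",
        "Jan 10 08:00:13 fw-a sshd[1203]: Failed password for admin from 198.51.100.77 port 51026 ssh2",
        "Jan 10 08:00:16 fw-a sshd[1203]: Failed password for admin from 198.51.100.77 port 51027 ssh2",
        "Jan 10 09:14:40 fw-a sshd[1305]: Failed password for admin from 192.0.2.55 port 40001 ssh2",
        "Jan 10 11:02:12 fw-a sshd[1410]: Failed password for alice from 203.0.113.10 port 60012 ssh2",
        "Jan 10 11:02:20 fw-a sshd[1410]: Accepted password for alice from 203.0.113.10 port 60012 ssh2",
    ],
    "site-b": [
        "Jan 10 14:31:05 fw-b sshd[2210]: Failed password for admin from 192.0.2.55 port 40002 ssh2",
        "Jan 10 15:05:51 fw-b sshd[2240]: Failed password for invalid user test from 192.0.2.56 port 40100 ssh2",
    ],
    "site-c": [
        "Jan 11 02:17:33 fw-c sshd[3300]: Failed password for administrator from 192.0.2.55 port 40003 ssh2",
    ],
    "site-d": [
        "Jan 11 06:44:09 fw-d sshd[4120]: Failed password for root from 192.0.2.55 port 40004 ssh2",
    ],
}

FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?\S+ from (\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def failed_logins(lines):
    """Count failed-login attempts per source IP for one site's log."""
    counts = Counter()
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def local_blocks(site_counts, threshold=5):
    """Fail2Ban model: an IP is blocked only on the site where it crossed the threshold."""
    return {site: {ip for ip, n in counts.items() if n >= threshold}
            for site, counts in site_counts.items()}


def correlated_blocks(site_counts, min_sites=3):
    """Feed model: an IP failing logins at >= min_sites independent sites is
    flagged for every site, however few attempts it made at each one."""
    sites_per_ip = defaultdict(set)
    for site, counts in site_counts.items():
        for ip in counts:
            sites_per_ip[ip].add(site)
    return {ip: sorted(s) for ip, s in sites_per_ip.items() if len(s) >= min_sites}


def analyse(logs=SAMPLE_LOGS):
    """Run both detection models over the per-site logs and return their verdicts."""
    site_counts = {site: failed_logins(lines) for site, lines in logs.items()}
    return {"local": local_blocks(site_counts), "correlated": correlated_blocks(site_counts)}


if __name__ == "__main__":
    result = analyse()
    for site, ips in result["local"].items():
        print(f"{site}: local threshold blocks {sorted(ips) or 'nothing'}")
    for ip, sites in result["correlated"].items():
        print(f"feed candidate {ip}: failed logins at {len(sites)} sites {sites}")
```

The hammering host is caught by the local threshold on site-a alone. The host that makes exactly one attempt per site never crosses any local threshold and only surfaces once the four sites’ logs are correlated; a shared feed is what carries that verdict back to each firewall before the next attempt arrives.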
Simple integration into Sophos, Fortinet, Palo Alto & Co.
Fortunately, it is straightforward to integrate a Threat Feed into common firewall platforms. While we at Avanet focus primarily on the Sophos Firewall, the feed can be integrated just as well into solutions from other manufacturers. Whether Fortinet FortiGate, Palo Alto Networks, Check Point, OPNsense, or others – most modern firewalls support external blocklists/Threat Feeds and can subscribe to a list of IPs/domains via URL.

Using Sophos XGS as an example, you can see how easy it is: Via the web interface in the menu “Third-Party Threat Feeds”, you add a new feed, specify a name, the feed URL, and the type (IPv4, Domain, or URL), select Block as action – done. It works similarly with Fortinet or Palo Alto, only the functions are named slightly differently there (such as External Block List with FortiGate or External Dynamic List with Palo Alto).
Generally, only a few steps are necessary to integrate the Cybora Threat Feed:
- Obtain feed URL: First, you receive the URL for the desired Threat Feed from us (e.g., for the Basic Feed or Premium).
- Enter in firewall: Open the area for external/custom Threat Feeds or blocklists in the firewall interface and add a new feed/connector there. Name and description can be chosen freely. As the source, enter the feed URL you received.
- Set type, action, and interval: Specify which kind of indicator is imported (IPv4 addresses, domains, URLs) and what the firewall should do with matching traffic – usually block. Then set the polling interval (e.g., every 6 hours) and save the configuration.
After these steps, the firewall connects to the feed automatically and loads the current Indicators of Compromise. From then on, the supply of threat intelligence runs in the background: the list of malicious IPs and domains is refreshed regularly, and the firewall blocks every address it contains without any manual intervention. The integration usually takes only a few minutes. One practical tip: if your firewall offers a log-only action for third-party feeds, run a new feed in that mode for a few days first and review which of your connections it would have hit, then switch the action to block.
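Before pointing a firewall at a feed URL, it is worth checking what a download of it actually contains, because the firewall will block every entry it accepts. The following added example (not the page’s, Cybora’s or Sophos’ code) parses a constructed plaintext IPv4 feed of the one-entry-per-line kind most firewalls accept and rejects entries that would do damage: unparseable lines, non-IPv4 entries, over-wide prefixes, bogon ranges, anything overlapping an operator-maintained allowlist, and duplicates. The feed body, the allowlist and the /16 width limit are assumptions for the example; the bogon list is spelled out explicitly rather than taken from `ipaddress.is_global` because the sample uses RFC 5737 documentation addresses as stand-ins for public ones, and those would otherwise be classed as non-global.

```python
"""Sanity-check a plaintext IPv4 blocklist before a firewall imports it.

Added example for this article; not Cybora's or Sophos' code. Assumes the
common feed format: one IPv4 address or CIDR per line, comments introduced
by '#' or ';'. All data below is constructed.
"""
import ipaddress

# Constructed feed body standing in for the response of a feed URL.
SAMPLE_FEED = """\
# example feed, generated 2025-01-10 (constructed)
198.51.100.23
198.51.100.23          # duplicate of the line above
203.0.113.0/24
192.0.2.77 ; comment in another style
10.0.0.5               # private range, cannot be internet attacker infrastructure
127.0.0.1
224.0.0.1
0.0.0.0/0              # a catch-all entry would block everything
198.51.100.250         # on the operator's allowlist below
not-an-ip
"""

# Addresses the operator must never block (own public ranges, SaaS peers, ...);
# assumption for the example.
ALLOWLIST = [ipaddress.ip_network("198.51.100.250/32")]

# Non-routable / special-use IPv4 ranges that have no business in a feed.
# Listed explicitly instead of using ipaddress.is_global so that the RFC 5737
# documentation addresses used as stand-ins above count as public.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

# Widest prefix we are willing to import; anything broader is almost
# certainly a feed error rather than attacker infrastructure (assumption).
MIN_PREFIXLEN = 16


def parse_feed(text, allowlist=ALLOWLIST):
    """Return (accepted networks, rejected (lineno, token, reason) tuples)."""
    accepted, rejected, seen = [], [], set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        token = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not token:
            continue
        try:
            net = ipaddress.ip_network(token, strict=False)
        except ValueError:
            rejected.append((lineno, token, "unparseable"))
            continue
        if net.version != 4:
            rejected.append((lineno, token, "not IPv4"))
            continue
        if net.prefixlen < MIN_PREFIXLEN:
            rejected.append((lineno, token, f"prefix wider than /{MIN_PREFIXLEN}"))
            continue
        if any(net.overlaps(b) for b in BOGONS):
            rejected.append((lineno, token, "bogon range"))
            continue
        if any(net.overlaps(a) for a in allowlist):
            rejected.append((lineno, token, "overlaps allowlist"))
            continue
        if net in seen:
            rejected.append((lineno, token, "duplicate"))
            continue
        seen.add(net)
        accepted.append(net)
    return accepted, rejected


def feed_report(text, allowlist=ALLOWLIST):
    """Summarise the check the way an operator reviews it before enabling block mode."""
    accepted, rejected = parse_feed(text, allowlist)
    return {
        "accepted": [str(n) for n in accepted],
        "rejected": rejected,
        "hosts_covered": sum(n.num_addresses for n in accepted),
    }


if __name__ == "__main__":
    report = feed_report(SAMPLE_FEED)
    print(f"accepted {len(report['accepted'])} entries covering {report['hosts_covered']} addresses")
    for lineno, token, reason in report["rejected"]:
        print(f"  line {lineno}: rejected {token!r}: {reason}")
```

The `hosts_covered` figure is the one to watch over time: a feed that suddenly covers orders of magnitude more addresses than usual, or whose rejected list grows, is a sign that an upstream source changed format or scope, and that is better noticed in a report than in a help-desk queue.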
Curated Threat Intelligence Feeds from Cybora
There are numerous freely available blocklists and Threat Feeds on the Internet. So why use a feed from Cybora? The challenge lies in the quality and timeliness of the data. Cybora has built a curated Threat Intelligence Feed that is specifically optimized for use on firewalls and is continuously refined. Cybora’s approach combines many sources and filters them to deliver a comprehensive and reliable result. These include:
- Public community and OSINT lists: e.g., known blocklists from the security community that collect current threats.
- Commercial Threat Intelligence: purchased data feeds from specialized security providers that deliver exclusive material (e.g., on new malware domains).
- Honeypots and own sensors: Cybora operates honeypot systems and uses additional telemetry data to identify attackers, IPs, domains and attack patterns.
- Firewall telemetry from customer environments: Firewalls managed by Avanet can provide anonymized attack and anomaly logs, which Cybora includes in the analysis and curation of the feed.
By merging all this information, a constantly updated stream of malicious indicators is created that goes well beyond any single source. More importantly, Cybora curates and verifies the data to exclude false positives as far as possible. Instead of simply dumping all available lists together unexamined – which could easily block legitimate services – the focus is on quality over quantity. Every IP or domain in the Cybora Feed has actually been observed as attack or malicious infrastructure, often on several independent systems. This lets you enable the Cybora Feed on the firewall with a clear conscience, with little risk of blocking legitimate traffic unnecessarily.
The Cybora Threat Intelligence Feed has been in use for quite some time on several firewalls that we manage and has been tested in different customer environments under real conditions. In controlled rollouts, we have continuously refined curation logic, update intervals, and quality checks. The result is a stable, practical feed that works on the firewall without additional effort and is continuously improved with operational feedback. Thus, new installations benefit immediately from the findings from the field.
Four Threat Feed packages for every need
Not every environment needs the same depth of Threat Intelligence. Therefore, we offer the Cybora Threat Feed in four tiers – from the free basic package to the high-end solution. So everyone finds the right protection level:
Basic
- 0 CHF per year
- Update interval: every 24 h
- IPv4 Feeds: ≈ 30,000 IPs
Standard
- 179 $ per year
- Update interval: every 6 h
- IPv4 Feeds: ≈ 45,000 IPs
- Support
- 100 % discount for Sophos Firewall subscription customers*
Premium
- 349 $ per year
- Update interval: every 1 h
- IPv4 Feeds: ≈ 120,000 IPs
- Domain / URL Feeds
- Support
- 14 % discount for Sophos Firewall subscription customers*
Ultimate
- 1999 $ per year
- Update interval: every 15 min
- IPv4 Feeds: > 220,000 IPs
- Domain / URL Feeds
- Support
Basic: Free basic protection with community-based basic lists. Contains about 30,000 known malicious IP addresses and is updated every 24 hours. Ideal for smaller environments that want solid basic protection cost-effectively.
Standard: Curated standard feed with broader coverage (approx. 45,000 IPs) and updates every 6 hours. Incorporates additional reliable sources to enable more precise detection and reduce the number of false positives. Suitable for companies that want to noticeably increase their security and at the same time reduce unnecessary traffic.
Premium: Premium feed for high demands, updated hourly. Includes around 120,000 known bad IPs as well as – from Q4/2025 – additionally extensive domain and URL feeds (over 30 curated lists). Contains exclusive data from our honeypots, partner feeds, and real-time analyses. For organizations that do not want to compromise on security.
Ultimate: The all-round carefree package with maximum coverage. Contains all available data points (currently more than 220,000 IPs) and is updated every 15 minutes – almost in real-time. Offers the highest possible protection and is particularly interesting for critical infrastructures or larger companies that want to arm themselves against any threat. (This package is offered individually and is aimed at very demanding environments.)
All variants of the Cybora Threat Feed are fully compatible with the Sophos Firewall (from v21 with the corresponding Xstream Protection license bundle) and the other systems mentioned. You can start small – for example with the free Basic Feed – and switch to a higher tier as your security requirements grow. For existing customers who already use our Sophos Firewall subscription, there are discounts on the paid feed packages, so the integration pays off twice.
Conclusion – Try it out and be one step ahead of the danger
Attacks become more sophisticated and numerous every day – but you don’t have to face them unprotected. A Threat Intelligence Feed gives the firewall the necessary advantage to block known sources of danger even before they knock on the door. Experience shows: Once such a feed is activated, one is often surprised at how many connection attempts are automatically prevented already in the first few days. All the bot requests, scanners, and dubious login attempts, which previously had to be laboriously repelled by internal systems or by separate rules, now bounce directly off the firewall.
So why not just experience for yourself what difference it makes? With the Cybora Basic Feed, you can test for free and without obligation how much unwanted traffic occurs in your own environment – and how much of it is already nipped in the bud by the Threat Feed. The findings gained create trust: You see in black and white which part of the daily traffic is actually malicious and now no longer strains the security infrastructure at all.
In the end, the following applies: “Your firewall deserves more knowledge.” A Threat Feed is an effective means to provide this knowledge. By using swarm intelligence from thousands of sources, you always stay one step ahead of attackers. Try it out – your firewall (and your peace of mind) will thank you.
FAQ
What is a Threat Feed or Threat Intelligence Feed?
How does a Threat Feed differ from classic firewall rules or IPS?
What license requirements apply to Sophos?
Which firewalls are supported?
Since when has the Cybora Feed been in use?
How large is the Cybora Threat Intel network?
Hundreds of productive customer firewalls as well as several globally distributed honeypot servers on five continents continuously provide telemetry data. This data flows into the Cybora Threat Feed in curated form and is continuously updated.
Telemetry data is only shared with Cybora after prior agreement with the respective customer. In addition, we anonymize the data beforehand before it flows into further analysis and curation.
