Can I block every country except for the US?
We don't recommend it for most situations. Many websites (maybe yours!) use Content Delivery Networks (CDN), which have servers in other countries. Blocking some countries may prevent you from using important websites or services.
Which countries should I block/allow?
You could start with an "Allow All" Outbound policy and block only the countries you perceive as the highest risk. You could also block most of the countries that you don't do business with. We recommend not blocking Outbound traffic (at least initially) to the United States, Canada, the United Kingdom, the European Union, Norway, Sweden, Finland, Denmark, Germany, France, the Netherlands, Switzerland, Australia, Japan, and Brazil. Many Content Delivery Networks (CDN) have servers in these countries, and blocking them may prevent you from using important websites or services.
What do you recommend for Inbound country policies?
Inbound country policy requirements are different for everyone. Consider where your users and customers are located (the United States and Canada, for instance), and be sure to allow inbound traffic from those countries. You can probably block the countries you don't do business with.
Can I set different policies for different types of traffic (e.g. email vs. web)?
Absolutely! Different types of traffic often have different requirements and risks. You can tailor your policies to the needs of your various traffic types.
Which Threat Categories are most applicable to Inbound traffic?
Command and Control, Botnets, Scanners, Web Exploits, Compromised, Fraudulent Activity, Illegal Activity, Tor/Anonymizers, Brute Force Password, and Advanced Persistent Threat. The slider is a confidence threshold: at its default of 90, a connection is blocked when there is 90% or greater confidence that it is a threat.
Which Threat Categories are most applicable to Outbound traffic?
Command and Control, Botnets, Endpoint Exploits, Drop Site, Illegal Activity, Tor/Anonymizers, Brute Force Passwords, and Advanced Persistent Threat. The slider is a confidence threshold: at its default of 90, a connection is blocked when there is 90% or greater confidence that it is a threat.
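To see how the country guidance and the per-direction threat categories above combine on real traffic, here is a small policy model you can run against sample connections. It is an added example written for this page, not ThreatBlockr's own decision engine: the policy shape (allow-all outbound with a country block list, inbound allow list of the countries your users are in, category lists and a 90 slider per direction) follows the FAQ, while the evaluation order (threat category first, then country) and the rule that a category not listed for a direction is ignored there are assumptions of the model. The country code "ZZ" is a placeholder for a country you have chosen to block.

```python
"""Direction-aware country and threat-category policy model.

Added example, not ThreatBlockr's own code or decision engine. It encodes the
FAQ's guidance as data so the rules can be exercised on constructed
connections. Assumed here: threat categories are evaluated before country
rules, and a category not listed for a direction is ignored in that direction.
"""
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

# Threat categories the FAQ lists as most applicable per direction.
INBOUND_CATEGORIES = {
    "Command and Control", "Botnets", "Scanners", "Web Exploits", "Compromised",
    "Fraudulent Activity", "Illegal Activity", "Tor/Anonymizers",
    "Brute Force Password", "Advanced Persistent Threat",
}
OUTBOUND_CATEGORIES = {
    "Command and Control", "Botnets", "Endpoint Exploits", "Drop Site",
    "Illegal Activity", "Tor/Anonymizers", "Brute Force Passwords",
    "Advanced Persistent Threat",
}


@dataclass
class Policy:
    direction: str                          # "inbound" or "outbound"
    default_country_action: str             # "allow" or "block" for unlisted countries
    country_exceptions: Set[str] = field(default_factory=set)  # get the opposite action
    threat_threshold: int = 90              # slider value: block at this confidence or higher
    categories: Set[str] = field(default_factory=set)


@dataclass
class Connection:
    direction: str
    country: str                            # country code of the remote end
    threat_category: Optional[str] = None   # category reported by threat intelligence
    confidence: int = 0                     # 0-100 confidence that it is a threat


def evaluate(policy: Policy, conn: Connection) -> Tuple[str, str]:
    """Return (action, reason) for one connection under one policy."""
    if conn.direction != policy.direction:
        raise ValueError(f"{policy.direction} policy cannot judge {conn.direction} traffic")
    # Threat-category check: only categories enabled for this direction count,
    # and only at or above the slider threshold (assumed to run before country rules).
    if (conn.threat_category in policy.categories
            and conn.confidence >= policy.threat_threshold):
        return "block", f"threat:{conn.threat_category}:{conn.confidence}"
    # Country check: listed countries get the opposite of the default action.
    if conn.country in policy.country_exceptions:
        action = "block" if policy.default_country_action == "allow" else "allow"
    else:
        action = policy.default_country_action
    return action, f"country:{conn.country}"


# Constructed policies following the FAQ's starting point. "ZZ" is a placeholder
# code for a country you have decided to block, not a real country.
OUTBOUND = Policy("outbound", "allow", {"ZZ"}, 90, OUTBOUND_CATEGORIES)
INBOUND = Policy("inbound", "block", {"US", "CA"}, 90, INBOUND_CATEGORIES)

if __name__ == "__main__":
    samples = [  # constructed connections, not captured traffic
        Connection("outbound", "US"),
        Connection("outbound", "ZZ"),
        Connection("outbound", "US", "Command and Control", 95),
        Connection("outbound", "US", "Command and Control", 89),
        Connection("inbound", "CA"),
        Connection("inbound", "ZZ"),
        Connection("inbound", "US", "Scanners", 95),
    ]
    for c in samples:
        policy = OUTBOUND if c.direction == "outbound" else INBOUND
        print(c.direction, c.country, c.threat_category, c.confidence, "->", evaluate(policy, c))
```

The fourth sample (Command and Control at 89% confidence) is allowed by the country rule because it sits just under the slider, which is exactly the trade-off the slider expresses: lowering it catches more, at the cost of more false positives on traffic to countries you otherwise allow.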
How do I set up an External syslog?
Log in to the ThreatBlockr UI, then in the left-hand panel go to Settings > External Syslog. There you can add the IPv4 or IPv6 address of the syslog server of your choice. The target computer should be configured for syslog and listening on UDP port 514.
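Once the server address is saved, the practical question is whether datagrams actually arrive on the target and are well-formed syslog. The receiver below is an added example, not part of ThreatBlockr or its documentation: it binds UDP 514 (or an IPv6 address, selected by the literal you pass), decodes the `<PRI>` header of each datagram into facility and severity per RFC 3164/5424, and flags packets without a valid header. Its self-test sends one constructed message to itself over loopback on an ephemeral port so it can be run without root.

```python
"""Minimal UDP syslog receiver for checking an External Syslog target.

Added example, not part of ThreatBlockr. Run it on the machine you entered
under Settings > External Syslog to confirm that datagrams arrive on UDP 514
and carry a valid syslog <PRI> header. The self-test uses a constructed
message over loopback on an ephemeral port, so it needs no privileges.
"""
import re
import socket
from typing import Optional, Tuple

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(rb"^<(\d{1,3})>")


def parse_syslog(datagram: bytes) -> Optional[Tuple[int, str, str]]:
    """Decode <PRI> into (facility number, severity name, remaining message).

    Returns None when the header is missing or out of range, the usual sign
    of a non-syslog packet or a sender configured for the wrong format.
    """
    m = PRI_RE.match(datagram)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:                        # facilities 0-23 times 8, plus severities 0-7
        return None
    facility, severity = divmod(pri, 8)
    body = datagram[m.end():].decode("utf-8", errors="replace").rstrip("\r\n")
    return facility, SEVERITIES[severity], body


def open_listener(host: str = "0.0.0.0", port: int = 514) -> socket.socket:
    """Bind a UDP socket; an IPv6 literal selects AF_INET6. Port 514 needs privileges."""
    family = socket.AF_INET6 if ":" in host else socket.AF_INET
    sock = socket.socket(family, socket.SOCK_DGRAM)
    sock.bind((host, port))
    return sock


def receive_one(sock: socket.socket, timeout: Optional[float] = 5.0):
    """Return (source address, parsed message or None) for the next datagram."""
    sock.settimeout(timeout)
    data, addr = sock.recvfrom(65535)
    return addr[0], parse_syslog(data)


def loopback_self_test() -> Optional[Tuple[int, str, str]]:
    """Send one constructed event to ourselves and return what the receiver decoded."""
    sample = b"<134>Jan  1 00:00:00 threatblockr-test: constructed sample event"
    with open_listener("127.0.0.1", 0) as rx:        # port 0 = ephemeral port
        port = rx.getsockname()[1]
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
            tx.sendto(sample, ("127.0.0.1", port))
        _, parsed = receive_one(rx)
    return parsed


if __name__ == "__main__":
    print("self-test:", loopback_self_test())
    with open_listener() as rx:                      # the real check on UDP 514
        while True:
            src, parsed = receive_one(rx, timeout=None)
            print(src, parsed if parsed else "malformed datagram")
```

A message that decodes to facility 16 and severity `info` is local0/info, the conventional pairing for appliance event logs; a steady stream of `malformed datagram` lines from the appliance's address means the transport is fine but the format is not what the collector expects. Because UDP syslog carries no authentication or confidentiality, keep the collector on a management network that only the appliance can reach.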