🔥 ThreatListPro Integration Guide

Universal Firewall Setup Instructions - 14 Platforms Supported


📋 Your Blocklist URL:

https://api.threatlistpro.com/v1/YOUR_API_KEY/blocklist.txt

Replace YOUR_API_KEY with the API key from your instant-access page.

Updated: Regularly

⚠  Handling False Positives - Universal Guide

📌 Important: While ThreatListPro's blocklist is carefully curated, false positives can occasionally occur. This guide shows you how to quickly whitelist legitimate IPs on your firewall without waiting for the master list to be updated.

Why Whitelist Instead of Removing the Block Rule?

Creating a whitelist exception is better because:

Best Practices for Whitelisting

  1. Verify It's Legitimate: Confirm the IP belongs to a trusted source before whitelisting
  2. Document Everything: Add description/comment: "Whitelisted on 2025-01-15 - Company XYZ VPN endpoint"
  3. Use Specific Rules: Whitelist only for necessary services/ports when possible
  4. Review Regularly: Quarterly review of all whitelisted IPs
  5. Report to Us: Email support@threatlistpro.com so we can investigate and update the master list

When to Whitelist vs. Contact Support

✅ Whitelist Immediately If:

  • Business operations are impacted
  • Legitimate partner/vendor is blocked
  • Your own public IPs are blocked
  • Trusted cloud service (AWS, Azure, etc.) is affected

📧 Contact Support First If:

  • You're unsure if the IP is legitimate
  • Multiple IPs from same range are blocked
  • You want to understand why it was flagged
  • You need help with whitelist configuration

Reporting False Positives

After whitelisting, please report the false positive to help us improve:

Email: support@threatlistpro.com
Subject: False Positive Report - [IP Address]

Include:
- IP Address: (e.g., 192.0.2.1)
- Why it's legitimate: (e.g., "Microsoft Azure datacenter")
- Date discovered: (e.g., 2025-01-15)
- Impact: (e.g., "Blocked access to our Office 365 services")

We'll investigate and update the master list within 24-48 hours.

🛡️ Palo Alto Networks (PAN-OS)

Perfect for: GlobalProtect portal protection, firewall login, and authentication services

Step 1: Create External Dynamic List

  1. Log into your Palo Alto firewall web interface
  2. Navigate to Objects → External Dynamic Lists
  3. Click Add
  4. Configure:
    • Name: ThreatListPro-IPs
    • Type: IP List
    • Source: https://api.threatlistpro.com/v1/YOUR_API_KEY/blocklist.txt
    • Repeat: Every Hour (or your preferred interval)
    • Description: ThreatListPro malicious IP blocklist
  5. Click OK

Step 2: Create Security Policy Rule

  1. Go to Policies → Security
  2. Add new rule at the TOP of your policy list
  3. Configure:
    • Name: Block-ThreatListPro
    • Source Zone: Any (or specific external zone)
    • Source Address: ThreatListPro-IPs
    • Destination Zone: Any
    • Destination Address: Any
    • Application: Any
    • Service: Any
    • Action: Deny
    • Profile Type: None
    • Options: ✓ Log at Session End
  4. Click OK

Step 3: Commit Changes

  1. Click Commit at the top right
  2. Wait for commit to complete

🔓 Whitelisting IPs (Excluding False Positives)

Method 1: Create Whitelist Address Object (Recommended)

  1. Go to Objects → Addresses
  2. Click Add
  3. Configure:
    • Name: Whitelist-CompanyName-IP
    • Type: IP Netmask
    • IP Netmask: 192.0.2.1/32 (the IP to whitelist)
    • Description: "Whitelisted 2025-01-15 - Company XYZ VPN endpoint - False positive"
  4. Click OK

Method 2: Create Whitelist Security Rule (Above Block Rule)

  1. Go to Policies → Security
  2. Add new rule ABOVE the Block-ThreatListPro rule
  3. Configure:
    • Name: Whitelist-Exceptions
    • Source Zone: Same as block rule
    • Source Address: Whitelist-CompanyName-IP
    • Destination Zone: Any
    • Destination Address: Any
    • Application: Any
    • Service: Any
    • Action: Allow
    • Options: ✓ Log at Session End
  4. Click OK
  5. Commit changes

Quick CLI Method (For Advanced Users)

configure
set address Whitelist-CompanyXYZ ip-netmask 192.0.2.1/32 description "Whitelisted - CompanyXYZ"
set rulebase security rules Whitelist-Exceptions from any to any source Whitelist-CompanyXYZ destination any application any service any action allow log-end yes
move rulebase security rules Whitelist-Exceptions before Block-ThreatListPro
commit

Verification

# Check address object
show object address | match Whitelist

# Test traffic from whitelisted IP (should be allowed)
test security-policy-match source 192.0.2.1 destination 10.0.0.1 protocol 6 destination-port 443

⚠  Rule Order Matters: The whitelist rule must be above (before) the ThreatListPro block rule in the security policy list. PAN-OS evaluates rules top-to-bottom and stops at the first match.

Verification

SSH to your firewall and run:

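# Show the list entries and the status of the last refresh
request system external-list show type ip name ThreatListPro-IPs

# Force immediate update:
request system external-list refresh type ip name ThreatListPro-IPs

✓ Done! Your Palo Alto firewall is now blocking 15,000+ malicious IPs automatically.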

🔥 Fortinet FortiGate

Perfect for: SSL-VPN, Admin Portal, and firewall management access protection

Quick CLI Setup (Recommended)

SSH to your FortiGate and run these commands:

Step 1: Create Threat Feed

config system external-resource
    edit "ThreatListPro"
        set type address
        set resource "https://api.threatlistpro.com/v1/YOUR_API_KEY/blocklist.txt"
        set refresh-rate 60
        set status enable
    next
end

Step 2: Create Address Object

config firewall address
    edit "ThreatListPro-Blocklist"
        set type external
        set external "ThreatListPro"
    next
end

Step 3: Create Firewall Policy

config firewall policy
    edit 0
        set name "Block-ThreatListPro"
        set srcintf "wan1"
        set dstintf "any"
        set srcaddr "ThreatListPro-Blocklist"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

🔓 Whitelisting IPs (Excluding False Positives)

Method 1: CLI Whitelist (Recommended - Fast)

Create a whitelist address and policy that executes before the block rule:

config firewall address
    edit "Whitelist-CompanyXYZ"
        set subnet 192.0.2.1 255.255.255.255
        set comment "Whitelisted 2025-01-15 - CompanyXYZ VPN endpoint"
    next
end

config firewall policy
    edit 0
        set name "Whitelist-Exceptions"
        set srcintf "wan1"
        set dstintf "any"
        set srcaddr "Whitelist-CompanyXYZ"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set comments "Allow whitelisted IPs - overrides ThreatListPro block"
    next
end

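# IMPORTANT: Move whitelist policy BEFORE block policy.
# "edit 0" assigns the next free policy ID, so look up both IDs with
# "show firewall policy" and substitute them for 1 (whitelist) and 2 (block).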
config firewall policy
    move 1 before 2
end

Method 2: GUI Whitelist

  1. Go to Policy & Objects → Addresses
  2. Click Create New → Address
  3. Configure:
    • Name: Whitelist-CompanyXYZ
    • Type: IP/Netmask
    • Subnet: 192.0.2.1/32
    • Interface: Any
    • Comments: "Whitelisted 2025-01-15 - CompanyXYZ"
  4. Click OK
  5. Go to Policy & Objects → Firewall Policy
  6. Create new policy above Block-ThreatListPro:
    • Name: Whitelist-Exceptions
    • Incoming Interface: wan1 (or your external interface)
    • Outgoing Interface: any
    • Source: Whitelist-CompanyXYZ
    • Destination: all
    • Schedule: always
    • Service: ALL
    • Action: ACCEPT
    • Enable Logging: All Sessions
  7. Drag the whitelist policy above the block policy

Verification

# Check policy order (whitelist should be policy ID 1 or before block rule)
show firewall policy

# Check address object
show firewall address Whitelist-CompanyXYZ

# View logs for whitelisted traffic
execute log filter field srcip 192.0.2.1
execute log display

⚠  Policy Order Critical: FortiGate processes policies top-to-bottom. The whitelist policy must be above (lower policy ID number than) the ThreatListPro block policy.

GUI Method (Alternative)

Step 1: Create External Resource

  1. Go to Security Fabric → External Connectors
  2. Click Create New → IP Address
  3. Configure:
    • Name: ThreatListPro_Feed
    • URI: https://api.threatlistpro.com/v1/YOUR_API_KEY/blocklist.txt
    • Refresh Rate: 60 minutes
    • Status: Enabled

Verification

# Check external resource status
diagnose test application dnsproxy 7

# Force update
execute update-now external-resource ThreatListPro

✓ Done! FortiGate is now protecting your network with ThreatListPro.

🛡️ pfSense with pfBlockerNG

Most popular open-source option

Step 1: Install pfBlockerNG (if not installed)

  1. Go to System → Package Manager → Available Packages
  2. Search for pfBlockerNG-devel
  3. Click Install
  4. Wait for installation to complete

Step 2: Add ThreatListPro Feed

  1. Go to Firewall → pfBlockerNG → IP
  2. Click Add under IP Lists
  3. Configure:
    • List Action: Deny Both (blocks inbound and outbound)
    • List Name: ThreatListPro
    • Enable List: ✓ Checked
    • IPv4 List: Click "Add"
    • Header/Label: ThreatListPro
    • Format: Auto
    • URL: https://api.threatlistpro.com/v1/YOUR_API_KEY/blocklist.txt
    • Update Frequency: 1 Day (or your preference)

Step 3: Save and Update

  1. Click Save
  2. Go to Firewall → pfBlockerNG → Update
  3. Click Reload or Force Update to apply immediately

🔓 Whitelisting IPs (Excluding False Positives)

Method 1: pfBlockerNG Whitelist (Recommended)

pfBlockerNG has a built-in whitelist feature that overrides all blocklists:

  1. Go to Firewall → pfBlockerNG → IP → IPv4
  2. Scroll to IPv4 Whitelist section
  3. Click Add
  4. Configure:
    • Whitelist Name: ThreatListPro_Exceptions
    • Description: "IPs to exclude from ThreatListPro blocklist"
    • IPv4 Whitelist: Enter IP addresses (one per line):
      192.0.2.1/32 # CompanyXYZ VPN - whitelisted 2025-01-15
      198.51.100.42/32 # Partner AWS instance - whitelisted 2025-01-15
  5. Click Save
  6. Go to Firewall → pfBlockerNG → Update
  7. Click Reload to apply whitelist immediately

Method 2: Firewall Alias Whitelist (Alternative)

  1. Go to Firewall → Aliases
  2. Click Add
  3. Configure:
    • Name: Whitelist_ThreatListPro
    • Type: Host(s)
    • Host(s): Add each IP:
      • IP: 192.0.2.1 | Description: "CompanyXYZ VPN"
      • Click + to add more
  4. Click Save → Apply Changes
  5. Go to Firewall → Rules → WAN (or your external interface)
  6. Click Add (top arrow to add at top of list)
  7. Configure:
    • Action: Pass
    • Interface: WAN
    • Source: Single host or alias → Whitelist_ThreatListPro
    • Destination: Any
    • Description: "Allow whitelisted IPs - overrides pfBlockerNG"
  8. Click Save → Apply Changes

Verification

Check whitelist is working:

  1. Go to Firewall → pfBlockerNG → Reports
  2. Click Alerts tab
  3. Search for the whitelisted IP - it should NOT appear in blocks
  4. Check Firewall → Rules - whitelist rule should be at the top

💡 Tip: pfBlockerNG's whitelist is the cleanest method as it's centrally managed and automatically applies to all blocklists, not just ThreatListPro.

Verification

Check Firewall → pfBlockerNG → Reports to see blocked IPs and statistics.

✓ Done! pfSense is now using ThreatListPro to block attacks.

🔧 Cisco ASA

Perfect for: AnyConnect VPN and firewall management protection

Method 1: Using Dynamic Object Groups (ASA 9.0+)

Step 1: Configure External List

SSH to your Cisco ASA and configure:

configure terminal

! Create object-group for dynamic list
object-group network ThreatListPro-IPs
 description ThreatListPro Malicious IP Blocklist

! Import list from URL (requires ASA 9.10+)
import webtype txt https://api.threatlistpro.com/v1/YOUR_API_KEY/blocklist.txt
 poll-period 3600

exit

Step 2: Create Access List

! Create ACL to block the IPs
access-list OUTSIDE-IN extended deny ip object-group ThreatListPro-IPs any log
access-list OUTSIDE-IN extended permit ip any any

! Apply to outside interface
access-group OUTSIDE-IN in interface outside

write memory

🔓 Whitelisting IPs (Excluding False Positives)

Method 1: Whitelist Object Group (Recommended)

configure terminal

! Create whitelist object group
object-group network Whitelist-ThreatListPro-Exceptions
 description Whitelisted IPs that override ThreatListPro blocks
 network-object host 192.0.2.1
 network-object host 198.51.100.42
 ! Add more IPs as needed

! Add whitelist rule BEFORE deny rule in ACL
access-list OUTSIDE-IN line 1 extended permit ip object-group Whitelist-ThreatListPro-Exceptions any log

write memory

Note: The line 1 parameter ensures the permit rule is evaluated before the deny rule.

Method 2: Individual Host Objects

configure terminal

! Create host objects for each whitelisted IP
object network Whitelist-CompanyXYZ-VPN
 host 192.0.2.1
 description Whitelisted 2025-01-15 - CompanyXYZ VPN endpoint

object network Whitelist-Partner-AWS
 host 198.51.100.42
 description Whitelisted 2025-01-15 - Partner AWS instance

! Add to ACL before deny rule
access-list OUTSIDE-IN line 1 extended permit ip object Whitelist-CompanyXYZ-VPN any log
access-list OUTSIDE-IN line 2 extended permit ip object Whitelist-Partner-AWS any log

write memory

Verification

! Show ACL to verify whitelist rules are first
show access-list OUTSIDE-IN

! Expected output:
! access-list OUTSIDE-IN line 1 extended permit ip host 192.0.2.1 any (hitcnt=X)
! access-list OUTSIDE-IN line 2 extended deny ip object-group ThreatListPro-IPs any (hitcnt=Y)

! Test connection from whitelisted IP (should be permitted)
packet-tracer input outside tcp 192.0.2.1 12345 10.0.0.1 443

⚠  ACL Order Critical: Cisco ASA processes ACLs top-to-bottom. Use line 1 to ensure whitelist rules evaluate before the ThreatListPro deny rule.

Method 2: Manual Script Import (All ASA Versions)

Note: If your ASA doesn't support dynamic imports, use these shell commands to generate ASA commands:

Step 1: Download and Generate Commands

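# On your management workstation
# (-f makes curl fail on an HTTP error instead of saving the error page)
curl -fsS https://api.threatlistpro.com/v1/YOUR_API_KEY/blocklist.txt -o blocklist.txt

# Generate ASA commands, using only lines that are a bare IPv4 address
awk '/^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {print "access-list OUTSIDE-IN extended deny ip host " $1 " any log"}' blocklist.txt > asa-commands.txt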

Step 2: Apply to ASA

# Copy commands to ASA
configure terminal
! Paste the contents of asa-commands.txt here
access-group OUTSIDE-IN in interface outside
write memory

Verification

show access-list OUTSIDE-IN | include deny
show conn | include deny

✓ Done! Cisco ASA is now blocking ThreatListPro IPs.
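
The manual import in Method 2 turns downloaded text into firewall configuration, so the download should be checked before anything is pasted. The script below is an added example (not ThreatListPro or Cisco code) that validates every line, drops allowlisted and non-public addresses, and refuses to emit commands when too few entries survive. The function names, the allowlist file format and the minimum-entry threshold are assumptions, and the sample data is constructed.

```shell
#!/usr/bin/env bash
# Added example: validate a downloaded blocklist before it becomes ASA config.

ACL_NAME="OUTSIDE-IN"   # ACL name used in this guide

# filter_blocklist ALLOWLIST_FILE < raw_feed
# Prints validated, de-duplicated public IPv4 addresses, one per line.
filter_blocklist() {
    awk -v allow="$1" '
        BEGIN {
            # Assumed allowlist format: one IP per line, optional /32, optional "# comment".
            if (allow != "") while ((getline line < allow) > 0) {
                sub(/#.*/, "", line); gsub(/[ \t\r]/, "", line); sub(/\/32$/, "", line)
                if (line != "") allowed[line] = 1
            }
        }
        { gsub(/^[ \t]+|[ \t\r]+$/, "") }                 # trim spaces and CR
        !/^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { next }       # whole line must be a dotted quad
        {
            split($0, o, ".")
            for (i = 1; i <= 4; i++)
                if (length(o[i]) > 3 || o[i] + 0 > 255 ||
                    (length(o[i]) > 1 && substr(o[i], 1, 1) == "0")) next
            a = o[1] + 0; b = o[2] + 0
            # Never block private, loopback, link-local or multicast space.
            if (a == 0 || a == 10 || a == 127 || a >= 224) next
            if (a == 169 && b == 254) next
            if (a == 172 && b >= 16 && b <= 31) next
            if (a == 192 && b == 168) next
            if ($0 in allowed) next                        # documented exception
            if (!seen[$0]++) print
        }
    '
}

# build_asa_commands FEED_FILE ALLOWLIST_FILE [MIN_ENTRIES]
# Prints ASA deny lines. Returns 1 and prints nothing on stdout when fewer
# than MIN_ENTRIES addresses survive (error page, truncated download, bad URL).
build_asa_commands() {
    asa_min="${3:-1}"
    asa_ips="$(filter_blocklist "$2" < "$1")" || return 1
    asa_count="$(printf '%s\n' "$asa_ips" | awk 'NF { n++ } END { print n + 0 }')"
    if [ "$asa_count" -lt "$asa_min" ]; then
        echo "refusing to generate commands: $asa_count valid entries, need $asa_min" >&2
        return 1
    fi
    printf '%s\n' "$asa_ips" | awk -v acl="$ACL_NAME" \
        '{ print "access-list " acl " extended deny ip host " $1 " any log" }'
}

# write_samples DIR: constructed feed and allowlist for the demonstration.
write_samples() {
    cat > "$1/blocklist.txt" <<'EOF'
# constructed sample feed
203.0.113.10
203.0.113.10
198.51.100.42
192.0.2.1
10.0.0.5
203.0.113.999
<html><body>401 Unauthorized</body></html>

203.0.113.77 any
203.0.113.25
EOF
    cat > "$1/allowlist.txt" <<'EOF'
192.0.2.1/32 # CompanyXYZ VPN - whitelisted 2025-01-15
198.51.100.42/32 # Partner AWS instance - whitelisted 2025-01-15
EOF
}

demo_dir="$(mktemp -d)"
write_samples "$demo_dir"
build_asa_commands "$demo_dir/blocklist.txt" "$demo_dir/allowlist.txt" 2
rm -rf "$demo_dir"
```

In production, set MIN_ENTRIES close to the size the feed normally has, so a partial download cannot silently shrink the ACL.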

🔒 SonicWall

Perfect for: VPN portal and management interface protection

Step 1: Create Address Object from URL

  1. Log into SonicWall management interface
  2. Navigate to Network → Address Objects
  3. Click Add → Address Object
  4. Configure:
    • Name: ThreatListPro-Blocklist
    • Zone Assignment: WAN
    • Type: Fqdn
    • FQDN: Use dynamic import (see note below)

⚠  SonicWall Limitation: SonicWall doesn't natively support dynamic IP lists from URLs. Use one of these workarounds:

Workaround Option 1: Manual Import (Recommended)

Step 1: Download IP List

# On your workstation (-f makes curl fail on an HTTP error instead of saving the error page)
curl -fsS https://api.threatlistpro.com/v1/YOUR_API_KEY/blocklist.txt -o blocklist.csv

Step 2: Import to SonicWall

  1. Go to Network → Address Objects
  2. Click Import
  3. Select blocklist.csv
  4. Create address group: ThreatListPro-Group

Step 3: Create Access Rule

  1. Go to Firewall → Access Rules
  2. Click Add
  3. Configure:
    • Action: Deny
    • Source: ThreatListPro-Group
    • Destination: Any
    • Service: Any
    • Enable Logging:
  4. Move rule to top of list

🔓 Whitelisting IPs (Excluding False Positives)

Method 1: Create Whitelist Address Group

  1. Go to Network → Address Objects
  2. Click Add → Address Object
  3. Create individual address objects:
    • Name: Whitelist-CompanyXYZ
    • Zone: WAN
    • Type: Host
    • IP Address: 192.0.2.1
    • Comment: "Whitelisted 2025-01-15 - CompanyXYZ VPN"
  4. Repeat for each IP to whitelist
  5. Create Address Group:
    • Name: Whitelist-Exceptions
    • Add Members: All whitelisted address objects

Method 2: Create Whitelist Access Rule (Above Block Rule)

  1. Go to Firewall → Access Rules
  2. Click Add at the top of the list
  3. Configure:
    • Action: Allow
    • Source: Whitelist-Exceptions
    • Destination: Any
    • Service: Any
    • Enable Logging:
    • Comment: "Whitelist - Overrides ThreatListPro blocks"
  4. Important: Drag this rule above the ThreatListPro deny rule
  5. Click Save or Accept

Method 3: Remove from ThreatListPro-Group (Not Recommended)

You can manually edit the ThreatListPro-Group and remove specific IPs:

  1. Go to Network → Address Objects
  2. Edit ThreatListPro-Group
  3. Remove the false positive IP from the group
  4. Downside: You'll need to re-remove it after each weekly update

Verification

  1. Go to Log → View
  2. Filter by source IP (whitelisted IP)
  3. Verify traffic shows "Allowed" instead of "Denied"
  4. Check rule order in Firewall → Access Rules

💡 Best Practice: Use Method 2 (whitelist access rule) so you can easily manage exceptions in one place and document why each IP was whitelisted.

Workaround Option 2: Automated Script

Schedule a weekly script to download and re-import the list automatically using SonicWall API.

✓ Done! SonicWall is now blocking ThreatListPro IPs. Re-import weekly for updates.

🔒 OPNsense

Open-source alternative to pfSense

Step 1: Install Blocklist Plugin

  1. Go to System → Firmware → Plugins
  2. Search for os-firewall
  3. Click Install

Step 2: Configure IP Blocklist

  1. Navigate to Firewall → Aliases
  2. Click + to add new alias
  3. Configure:
    • Enabled: ✓ Checked
    • Name: ThreatListPro
    • Type: URL Table (IPs)
    • Content: https://api.threatlistpro.com/v1/YOUR_API_KEY/blocklist.txt
    • Update Frequency: 1 day
    • Description: ThreatListPro Malicious IPs
  4. Click Save

Step 3: Create Firewall Rule

  1. Go to Firewall → Rules → WAN
  2. Click Add (top arrow to add at top)
  3. Configure:
    • Action: Block
    • Interface: WAN
    • Source: ThreatListPro (from aliases)
    • Destination: Any
    • Log: ✓ Checked
    • Description: Block ThreatListPro IPs
  4. Click Save
  5. Click Apply Changes

Step 4: Force Initial Update

  1. Go to Firewall → Aliases
  2. Find ThreatListPro in the list
  3. Click the refresh icon to download immediately

🔓 Whitelisting IPs (Excluding False Positives)

Method 1: Create Whitelist Alias (Recommended)

  1. Go to Firewall → Aliases
  2. Click + to add new alias
  3. Configure:
    • Enabled: ✓ Checked
    • Name: Whitelist_ThreatListPro
    • Type: Host(s)
    • Content: Add each IP:
      192.0.2.1       # CompanyXYZ VPN - whitelisted 2025-01-15
      198.51.100.42   # Partner AWS - whitelisted 2025-01-15
    • Description: "IPs to exclude from ThreatListPro blocks"
  4. Click Save

Method 2: Create Whitelist Rule (Above Block Rule)

  1. Go to Firewall → Rules → WAN
  2. Click Add (top arrow to add at very top)
  3. Configure:
    • Action: Pass
    • Interface: WAN
    • Source: Whitelist_ThreatListPro (from aliases)
    • Destination: Any
    • Log: ✓ Checked
    • Description: "Allow whitelisted IPs - overrides ThreatListPro"
  4. Click Save
  5. Click Apply Changes
  6. Verify rule order: Whitelist rule must be above the ThreatListPro block rule

Quick CLI Method

# SSH to OPNsense (if you have shell access)

# Create whitelist alias via CLI
configctl firewall alias set Whitelist_ThreatListPro type=host content="192.0.2.1,198.51.100.42"

# Reload aliases
configctl firewall alias reload

Verification

# SSH to OPNsense
pfctl -t Whitelist_ThreatListPro -T show

# Expected output: Your whitelisted IPs
# 192.0.2.1
# 198.51.100.42

# Check that whitelist rule is before block rule
pfctl -sr | grep -E "ThreatListPro|Whitelist"

# Test that whitelisted IP can connect
pfctl -vvsr | grep 192.0.2.1

💡 Tip: OPNsense makes it easy to add comments directly in the alias content using #. This helps you document why each IP was whitelisted.

Verification

# SSH to OPNsense
pfctl -t ThreatListPro -T show | wc -l
# Should show ~15000 IPs

✓ Done! OPNsense is now blocking ThreatListPro IPs automatically.

⚠ WatchGuard Firebox

Perfect for: VPN and management access protection

Step 1: Create Blocked Sites List

  1. Open Firewall System Manager
  2. Navigate to Firewall → Blocked Sites
  3. Click Add
  4. Configure:
    • Name: ThreatListPro
    • Type: Custom URL Category

⚠  WatchGuard Limitation: WatchGuard doesn't support dynamic IP list imports in Firebox. Use manual import method:

Manual Import Method

Step 1: Download and Convert List

# On your workstation (-f makes curl fail on an HTTP error instead of saving the error page)
curl -fsS https://api.threatlistpro.com/v1/YOUR_API_KEY/blocklist.txt -o blocklist.txt

Step 2: Create Address Group in Policy Manager

  1. Open Policy Manager
  2. Go to Setup → Aliases
  3. Click Add → Host
  4. For each IP in blocklist.txt:
    • Add as individual host alias
    • Or group into /24 networks for efficiency
  5. Create alias group: ThreatListPro-Group

Step 3: Create Firewall Policy

  1. Go to Firewall → Firewall Policies
  2. Click Add Policy
  3. Configure:
    • Policy Type: Deny
    • From: External
    • To: Firebox
    • Source: ThreatListPro-Group
    • Destination: Any-External
    • Logging: Enabled
  4. Move to top of policy list
  5. Save policy

🔓 Whitelisting IPs (Excluding False Positives)

Method 1: Create Whitelist Alias (Recommended)

  1. Open Policy Manager
  2. Go to Setup → Aliases
  3. Click Add → Host
  4. Create alias for each whitelisted IP:
    • Name: Whitelist-CompanyXYZ
    • Type: Host
    • IP Address: 192.0.2.1
    • Description: "Whitelisted 2025-01-15 - CompanyXYZ VPN"
  5. Create alias group:
    • Name: Whitelist-Exceptions
    • Type: Group
    • Members: Add all whitelisted host aliases

Method 2: Create Whitelist Policy (Above Deny Policy)

  1. Go to Firewall → Firewall Policies
  2. Click Add Policy
  3. Configure:
    • Policy Type: Allow
    • From: External
    • To: Firebox (or your internal zone)
    • Source: Whitelist-Exceptions
    • Destination: Any
    • Service: Any
    • Logging: Enabled
    • Description: "Whitelist - Overrides ThreatListPro blocks"
  4. Critical: Move this policy above the ThreatListPro deny policy
  5. Save and apply policy

Method 3: Remove from ThreatListPro-Group

You can also remove the false positive IP directly from ThreatListPro-Group:

  1. Go to Setup → Aliases
  2. Edit ThreatListPro-Group
  3. Remove the specific IP alias from the group
  4. Note: You'll need to repeat after each weekly list update

Verification

  1. In Policy Manager, verify policy order:
    Policy #1: Whitelist-Exceptions (Allow)
    Policy #2: ThreatListPro-Group (Deny)
    Policy #3: [other policies...]
  2. Check Traffic Monitor logs
  3. Test connection from whitelisted IP - should see "Allowed" in logs

⚠  Policy Order Critical: WatchGuard processes policies top-to-bottom. The whitelist Allow policy must be above the ThreatListPro Deny policy.

💡 Tip: For large lists (15,000+ IPs), consider using WatchGuard Reputation Enabled Defense (RED) if available in your license.

✓ Done! WatchGuard is blocking ThreatListPro IPs. Update monthly by re-importing.

🛡️ Sophos XG / XGS Firewall

Perfect for: VPN and user portal protection

Step 1: Create Threat Feed

  1. Log into Sophos Firewall web admin
  2. Navigate to System → Threat Feeds
  3. Click Add
  4. Configure:
    • Name: ThreatListPro
    • Type: IP Address
    • Source: External Feed
    • URL: https://api.threatlistpro.com/v1/YOUR_API_KEY/blocklist.txt
    • Update Frequency: Daily
    • Action: Deny
  5. Click Save

Step 2: Apply Threat Feed to Firewall Rule

  1. Go to Rules and Policies → Firewall Rules
  2. Edit your WAN-to-LAN or WAN-to-Firewall rule
  3. In Source Networks:
    • Click Add
    • Select Threat Feed
    • Choose ThreatListPro
  4. Set Action: Drop
  5. Enable Log Firewall Traffic
  6. Click Save

🔓 Whitelisting IPs (Excluding False Positives)

Method 1: Create IP Host Objects and Whitelist Rule (Recommended)

  1. Go to Hosts and Services → IP Host
  2. Click Add for each IP to whitelist
  3. Configure:
    • Name: Whitelist-CompanyXYZ
    • IP Version: IPv4
    • Type: IP
    • IP Address: 192.0.2.1
    • Description: "Whitelisted 2025-01-15 - CompanyXYZ VPN endpoint"
  4. Click Save
  5. Repeat for additional IPs
  6. Create an IP Host Group:
    • Go to Hosts and Services → IP Host Group
    • Name: Whitelist-Exceptions
    • Add Members: Select all whitelisted IP hosts

Method 2: Create Allow Rule (Above Deny Rule)

  1. Go to Rules and Policies → Firewall Rules
  2. Click Add Firewall Rule and position it above your ThreatListPro block rule
  3. Configure:
    • Rule Name: Whitelist-Exceptions
    • Rule Position: Top (or above ThreatListPro rule)
    • Source Zones: WAN
    • Source Networks: Whitelist-Exceptions (IP Host Group)
    • Destination Zones: Any
    • Destination Networks: Any
    • Services: Any
    • Action: Accept
    • Log Firewall Traffic: Enable
  4. Click Save

Alternative: CLI Method

SSH to Sophos XG and configure:

# Create IP host
set system hosts add name Whitelist-CompanyXYZ ipaddress 192.0.2.1 \
    description "Whitelisted 2025-01-15 - CompanyXYZ VPN"

# Create firewall rule
set firewall-rule add position top rulename Whitelist-Exceptions \
    source-zone WAN source Whitelist-CompanyXYZ \
    action accept log enable

Verification

  1. Go to System → Threat Feeds
  2. Check Last Updated timestamp
  3. Go to Rules and Policies → Firewall Rules
  4. Verify whitelist rule is above ThreatListPro rule
  5. Go to Logs → Firewall to see allowed traffic from whitelisted IPs

⚠  Rule Order Matters: Sophos processes firewall rules top-to-bottom. The whitelist Accept rule must be positioned above the ThreatListPro Drop rule.

Alternative: CLI Method

SSH to Sophos XG and configure:

# Enable SSH (if not already enabled)
system access ssh set status enable

# Configure threat feed
set threatfeed add name ThreatListPro type ip \
    url https://api.threatlistpro.com/v1/YOUR_API_KEY/blocklist.txt \
    refresh_interval 1440

# Apply to firewall rule
set firewall-rule add source_zone WAN action drop \
    source ThreatListPro log enable

Verification

  1. Go to System → Threat Feeds
  2. Check Last Updated timestamp
  3. Click Update Now to force immediate sync
  4. Go to Logs → Firewall to see blocks

✓ Done! Sophos XG is now blocking ThreatListPro IPs automatically.

🔴 MikroTik RouterOS

Perfect for: VPN and router management protection

Step 1: Create Script to Download List

Connect via WinBox or SSH, then:

Create Import Script

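/system script add name=UpdateThreatList source={
    :log info "Downloading ThreatListPro blocklist"
    /tool fetch url="https://api.threatlistpro.com/v1/YOUR_API_KEY/blocklist.txt" \
        dst-path=threatlist.txt mode=https

    # RouterOS limits how much of a file the contents property returns (about 4 KB on v6),
    # so compare the imported count with the size of the list after the run.
    :local content [/file get threatlist.txt contents]
    :local contentLen [:len $content]
    :if ($contentLen = 0) do={ :error "ThreatListPro download is empty, keeping old list" }

    :log info "Clearing old address list"
    /ip firewall address-list remove [find list=ThreatListPro]

    :log info "Importing new IPs"
    # :foreach does not split a string into lines, so walk it newline by newline
    :local lastEnd 0
    :local lineEnd 0
    :local line ""
    :while ($lastEnd < $contentLen) do={
        :set lineEnd [:find $content "\n" $lastEnd]
        :if ([:typeof $lineEnd] = "nil") do={ :set lineEnd $contentLen }
        :set line [:pick $content $lastEnd $lineEnd]
        :set lastEnd ($lineEnd + 1)
        :if ([:len $line] > 0) do={
            # Skip lines RouterOS rejects (duplicates, non-addresses) instead of aborting
            :do {
                /ip firewall address-list add list=ThreatListPro address=$line
            } on-error={ :log warning "ThreatListPro: skipped line $line" }
        }
    }

    :log info "ThreatListPro list updated successfully"
}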

Step 2: Create Firewall Rule

/ip firewall filter add chain=input \
    src-address-list=ThreatListPro \
    action=drop \
    comment="Block ThreatListPro IPs" \
    log=yes log-prefix="ThreatListPro-Block"

/ip firewall filter add chain=forward \
    src-address-list=ThreatListPro \
    action=drop \
    comment="Block ThreatListPro IPs Forward" \
    log=yes log-prefix="ThreatListPro-Block"

Step 3: Schedule Auto-Update

/system scheduler add name=UpdateThreatListDaily \
    on-event=UpdateThreatList \
    start-time=03:00:00 \
    interval=1d \
    comment="Update ThreatListPro blocklist daily"

Step 4: Run Initial Update

/system script run UpdateThreatList

🔓 Whitelisting IPs (Excluding False Positives)

Method 1: Create Whitelist Address List (Recommended)

/ip firewall address-list add list=Whitelist-ThreatListPro \
    address=192.0.2.1 \
    comment="Whitelisted 2025-01-15 - CompanyXYZ VPN"

/ip firewall address-list add list=Whitelist-ThreatListPro \
    address=198.51.100.42 \
    comment="Whitelisted 2025-01-15 - Partner AWS"

Method 2: Create Accept Rules (Before Drop Rules)

# Add whitelist rule BEFORE the drop rules
/ip firewall filter add chain=input \
    src-address-list=Whitelist-ThreatListPro \
    action=accept \
    comment="Allow whitelisted IPs - overrides ThreatListPro" \
    place-before=0

/ip firewall filter add chain=forward \
    src-address-list=Whitelist-ThreatListPro \
    action=accept \
    comment="Allow whitelisted IPs - overrides ThreatListPro" \
    place-before=1

Note: The place-before=0 parameter ensures the whitelist rule is evaluated before the ThreatListPro drop rules.

Method 3: Remove from ThreatListPro Address List

You can remove specific IPs from the ThreatListPro address list:

# Find the address entry
/ip firewall address-list print where address=192.0.2.1

# Remove it (replace # with the actual number from print command)
/ip firewall address-list remove #

# Note: This IP will be re-added on next update, so use Method 1 or 2 instead

Verification

# Check whitelist
/ip firewall address-list print where list=Whitelist-ThreatListPro

# Check filter rules order
/ip firewall filter print

# Expected output:
# 0: Allow Whitelist-ThreatListPro (accept)
# 1: Block ThreatListPro input (drop)
# 2: Block ThreatListPro forward (drop)

# View logs
/log print where message~"ThreatListPro"

⚠  Rule Order Critical: MikroTik processes filter rules top-to-bottom. Use place-before to ensure whitelist accept rules are evaluated before the ThreatListPro drop rules.

Verification

# Check address list
/ip firewall address-list print count-only where list=ThreatListPro

# Check firewall rule
/ip firewall filter print where comment~"ThreatListPro"

# View logs
/log print where message~"ThreatListPro"

⚠  Performance Note: Importing 15,000+ IPs can take 5-10 minutes on older MikroTik hardware. Consider filtering to top 5,000 IPs if needed.

✓ Done! MikroTik is now blocking ThreatListPro IPs with daily auto-updates.

📡 Ubiquiti EdgeRouter

Perfect for: Network edge protection and VPN access control

Step 1: SSH to EdgeRouter

ssh admin@192.168.1.1

Step 2: Create Update Script

configure

# Create network group for blocklist
set firewall group network-group ThreatListPro description "ThreatListPro Blocklist"

commit
save
exit

Step 3: Create Import Script

Create file /config/scripts/update-threatlist.sh:

#!/bin/bash
# ThreatListPro Update Script
# Uses the EdgeOS configuration wrapper; vtysh only manages the routing
# daemons and cannot change firewall groups.

BLOCKLIST_URL="https://api.threatlistpro.com/v1/YOUR_API_KEY/blocklist.txt"
TEMP_FILE="/tmp/threatlist.txt"
GROUP_NAME="ThreatListPro"
CFG=/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper

# Download latest list; keep the current group if the download fails or is empty
if ! curl -fsS "$BLOCKLIST_URL" -o "$TEMP_FILE" || [ ! -s "$TEMP_FILE" ]; then
    echo "ThreatListPro download failed, list unchanged: $(date)" >> /var/log/threatlist.log
    rm -f "$TEMP_FILE"
    exit 1
fi

$CFG begin

# Remove old entries
$CFG delete firewall group network-group "$GROUP_NAME" network

# Add new entries (only lines that are a bare IPv4 address, stored as /32 networks)
while IFS= read -r ip; do
    if [[ $ip =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
        $CFG set firewall group network-group "$GROUP_NAME" network "$ip/32"
    fi
done < "$TEMP_FILE"

$CFG commit
$CFG save
$CFG end

# Cleanup
rm -f "$TEMP_FILE"

echo "ThreatListPro list updated: $(date)" >> /var/log/threatlist.log

Step 4: Make Script Executable

chmod +x /config/scripts/update-threatlist.sh

Step 5: Create Firewall Rule

configure

set firewall name WAN_IN rule 1 action drop
set firewall name WAN_IN rule 1 description "Block ThreatListPro IPs"
set firewall name WAN_IN rule 1 log enable
set firewall name WAN_IN rule 1 protocol all
set firewall name WAN_IN rule 1 source group network-group ThreatListPro

commit
save

Step 6: Schedule Auto-Update

configure

set system task-scheduler task update-threatlist executable path /config/scripts/update-threatlist.sh
set system task-scheduler task update-threatlist interval 1d
set system task-scheduler task update-threatlist start-time 03:00

commit
save
exit

Step 7: Run Initial Update

/config/scripts/update-threatlist.sh

🔓 Whitelisting IPs (Excluding False Positives)

Method 1: Create Whitelist Network Group (Recommended)

configure

# Create whitelist network group
set firewall group network-group Whitelist-ThreatListPro description "Whitelisted IPs - overrides ThreatListPro"
set firewall group network-group Whitelist-ThreatListPro network 192.0.2.1/32
set firewall group network-group Whitelist-ThreatListPro network 198.51.100.42/32

# Create whitelist rule BEFORE block rule (rule 0)
set firewall name WAN_IN rule 0 action accept
set firewall name WAN_IN rule 0 description "Allow whitelisted IPs - overrides ThreatListPro"
set firewall name WAN_IN rule 0 log enable
set firewall name WAN_IN rule 0 protocol all
set firewall name WAN_IN rule 0 source group network-group Whitelist-ThreatListPro

commit
save

Method 2: Add Whitelist Script

Create /config/scripts/whitelist-threatlist.sh:

#!/bin/bash
# Add whitelisted IPs

# EdgeOS configuration wrapper (firewall groups cannot be set through vtysh)
CFG=/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper

$CFG begin
$CFG set firewall group network-group Whitelist-ThreatListPro description "Whitelisted IPs"
$CFG set firewall group network-group Whitelist-ThreatListPro network 192.0.2.1/32
$CFG set firewall group network-group Whitelist-ThreatListPro network 198.51.100.42/32
$CFG commit
$CFG save
$CFG end

echo "Whitelist updated: $(date)" >> /var/log/threatlist.log

Make executable and run:

chmod +x /config/scripts/whitelist-threatlist.sh
/config/scripts/whitelist-threatlist.sh

Verification

# Show whitelist network group
show firewall group network-group Whitelist-ThreatListPro

# Show firewall rules (whitelist should be rule 0, block should be rule 1)
show firewall name WAN_IN

# Expected output:
# rule 0 {
#     action accept
#     description "Allow whitelisted IPs"
#     source { group { network-group Whitelist-ThreatListPro } }
# }
# rule 1 {
#     action drop
#     description "Block ThreatListPro IPs"
#     source { group { network-group ThreatListPro } }
# }

# View logs
tail -f /var/log/messages | grep ThreatListPro
⚠  Rule Order Critical: EdgeRouter processes firewall rules by rule number. The whitelist rule (rule 0) must have a lower number than the ThreatListPro block rule (rule 1).

Verification

# Check network group
show firewall group network-group ThreatListPro

# Check firewall rules
show firewall name WAN_IN

# View logs
tail -f /var/log/messages | grep ThreatListPro
✓ Done! EdgeRouter is now blocking ThreatListPro IPs with daily updates.

🌐 Juniper SRX

Perfect for: Enterprise firewall and VPN protection

Method 1: Using Dynamic Address Groups (Junos 15.1X49+)

Step 1: Configure Dynamic Address Feed

configure

# Create security feed
set security threat-intelligence url https://api.threatlistpro.com/v1/YOUR_API_KEY/blocklist.txt \
    category ThreatListPro \
    interval 3600

# Create address entry from feed
set security address-book global address-set ThreatListPro \
    address-set-type feed-name ThreatListPro

commit

Step 2: Create Security Policy

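# Deny traffic from ThreatListPro IPs
# (one complete set command per line; the Junos CLI has no backslash continuation)
set security policies from-zone untrust to-zone trust policy block-threats match source-address ThreatListPro destination-address any application any
set security policies from-zone untrust to-zone trust policy block-threats then deny
# Denied traffic never creates a session, so it is logged at session-init
set security policies from-zone untrust to-zone trust policy block-threats then log session-init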

commit and-quit

🔓 Whitelisting IPs (Excluding False Positives)

Method 1: Create Whitelist Address Set (Recommended)

configure

# Create individual addresses for whitelisted IPs
set security address-book global address Whitelist-CompanyXYZ-VPN 192.0.2.1/32
set security address-book global address Whitelist-Partner-AWS 198.51.100.42/32

# Create address set grouping all whitelisted IPs
set security address-book global address-set Whitelist-Exceptions address Whitelist-CompanyXYZ-VPN
set security address-book global address-set Whitelist-Exceptions address Whitelist-Partner-AWS

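# Create allow policy for whitelisted IPs (BEFORE deny policy)
# (one complete set command per line; the Junos CLI has no backslash continuation)
set security policies from-zone untrust to-zone trust policy allow-whitelist match source-address Whitelist-Exceptions destination-address any application any
set security policies from-zone untrust to-zone trust policy allow-whitelist then permit
set security policies from-zone untrust to-zone trust policy allow-whitelist then log session-init
set security policies from-zone untrust to-zone trust policy allow-whitelist then log session-close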

# Move whitelist policy before block policy
insert security policies from-zone untrust to-zone trust policy allow-whitelist before policy block-threats

commit and-quit

Method 2: Using Address Book with Descriptions

configure

# Create whitelisted addresses with descriptions
set security address-book global address Whitelist-CompanyXYZ 192.0.2.1/32 description "Whitelisted 2025-01-15 - CompanyXYZ VPN"
set security address-book global address Whitelist-PartnerAWS 198.51.100.42/32 description "Whitelisted 2025-01-15 - Partner AWS"

# Create address set
set security address-book global address-set Whitelist-All address Whitelist-CompanyXYZ
set security address-book global address-set Whitelist-All address Whitelist-PartnerAWS

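# Create security policy
# (one complete set command per line; the Junos CLI has no backslash continuation)
set security policies from-zone untrust to-zone trust policy whitelist-allow match source-address Whitelist-All destination-address any application any
set security policies from-zone untrust to-zone trust policy whitelist-allow then permit
set security policies from-zone untrust to-zone trust policy whitelist-allow then log session-close

# Ensure this policy is evaluated before the ThreatListPro deny policy
# (name your deny policy here: block-threats or block-threatlist in this guide)
insert security policies from-zone untrust to-zone trust policy whitelist-allow before policy block-threats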

commit and-quit

Verification

# Show address book entries
show security address-book global | match Whitelist

# Expected output:
# Whitelist-CompanyXYZ          192.0.2.1/32
# Whitelist-PartnerAWS           198.51.100.42/32

# Show address set
show security address-book global address-set Whitelist-Exceptions

# Show security policies
show security policies

# Expected: whitelist-allow policy appears before block-threats policy

# Monitor traffic from whitelisted IPs
show security flow session source-prefix 192.0.2.1/32

# Check logs
show log messages | match Whitelist
⚠  Policy Order Critical: Juniper SRX evaluates security policies sequentially. Use the insert...before command to ensure the whitelist permit policy is evaluated before the ThreatListPro deny policy.

Method 2: Manual Static Lists (All Junos Versions)

Step 1: Download and Convert List

# On management station
curl https://api.threatlistpro.com/v1/YOUR_API_KEY/blocklist.txt -o blocklist.txt

# Convert to Junos format (only lines that are a bare IPv4 address become commands)
awk '/^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {n++; print "set security address-book global address IP-" n " " $1 "/32"}' blocklist.txt > junos-commands.txt
echo "set security address-book global address-set ThreatListPro" >> junos-commands.txt
awk '/^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {n++; print "set security address-book global address-set ThreatListPro address IP-" n}' blocklist.txt >> junos-commands.txt

Step 2: Load Configuration

configure
load set terminal
# Paste contents of junos-commands.txt here
commit and-quit

Step 3: Apply to Security Policy

configure

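# One complete set command per line; the Junos CLI has no backslash continuation
set security policies from-zone untrust to-zone trust policy block-threatlist match source-address ThreatListPro destination-address any application any
set security policies from-zone untrust to-zone trust policy block-threatlist then deny
set security policies from-zone untrust to-zone trust policy block-threatlist then log session-init
set security policies from-zone untrust to-zone trust policy block-threatlist then log session-close

# Move to top of policy list
# (FIRST_POLICY_NAME is a placeholder: use the policy currently listed first for this zone pair)
insert security policies from-zone untrust to-zone trust policy block-threatlist before policy FIRST_POLICY_NAME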

commit and-quit

Verification

# Show address entries
show security address-book global

# Show security policy
show security policies

# Monitor blocked traffic
show security flow session | match ThreatListPro
💡 Performance Tip: For large lists, consider using Juniper's Secure Intelligence (SecIntel) feature if available in your license.
✓ Done! Juniper SRX is now blocking ThreatListPro IPs.

🐧 Linux (iptables/nftables)

Perfect for: Linux servers, VPS, and custom firewall solutions

Method 1: Using ipset (Recommended - High Performance)

Step 1: Install ipset

# Debian/Ubuntu
sudo apt-get update
sudo apt-get install ipset curl

# CentOS/RHEL
sudo yum install ipset curl

# Arch Linux
sudo pacman -S ipset curl

Step 2: Create Update Script

Create /usr/local/bin/update-threatlist.sh:

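#!/bin/bash
# ThreatListPro Update Script for Linux

BLOCKLIST_URL="https://api.threatlistpro.com/v1/YOUR_API_KEY/blocklist.txt"
IPSET_NAME="threatlistpro"
# mktemp gives an unpredictable file name; the script runs as root
TEMP_FILE="$(mktemp)" || exit 1

# Create ipset if doesn't exist
ipset list "$IPSET_NAME" &>/dev/null || ipset create "$IPSET_NAME" hash:ip maxelem 20000

# Download latest list (-f: an HTTP error fails instead of saving the error page)
if curl -fsS "$BLOCKLIST_URL" -o "$TEMP_FILE"; then
    # Create temporary ipset, or empty one left over from an interrupted run
    ipset create "${IPSET_NAME}_temp" hash:ip maxelem 20000 -exist
    ipset flush "${IPSET_NAME}_temp"

    # Load IPs into temporary set
    while IFS= read -r ip; do
        if [[ $ip =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
            ipset add "${IPSET_NAME}_temp" "$ip" -exist
        fi
    done < "$TEMP_FILE"

    # Swap sets atomically, but only if something was loaded:
    # an empty or malformed download must not empty the live set
    COUNT=$(ipset list "${IPSET_NAME}_temp" | grep -c '^[0-9]')
    if [ "$COUNT" -gt 0 ]; then
        ipset swap "${IPSET_NAME}_temp" "$IPSET_NAME"
        echo "$(date): ThreatListPro list updated successfully" >> /var/log/threatlist.log
    else
        echo "$(date): ThreatListPro list had no valid IPs, set unchanged" >> /var/log/threatlist.log
    fi
    ipset destroy "${IPSET_NAME}_temp"
else
    echo "$(date): Failed to download ThreatListPro list" >> /var/log/threatlist.log
fi

rm -f "$TEMP_FILE"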

Step 3: Make Script Executable

sudo chmod +x /usr/local/bin/update-threatlist.sh

Step 4: Create iptables Rules

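# The set must exist before iptables can reference it (the update script fills it)
sudo ipset create threatlistpro hash:ip maxelem 20000 -exist

# Block incoming traffic from ThreatListPro IPs
sudo iptables -I INPUT -m set --match-set threatlistpro src -j DROP
sudo iptables -I FORWARD -m set --match-set threatlistpro src -j DROP

# Save rules (Debian/Ubuntu); the redirect must run as root, hence sudo sh -c
sudo sh -c 'iptables-save > /etc/iptables/rules.v4'

# Save rules (CentOS/RHEL)
sudo service iptables save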

Step 5: Schedule Auto-Update

# Add to crontab
sudo crontab -e

# Add this line (update daily at 3 AM)
0 3 * * * /usr/local/bin/update-threatlist.sh

Step 6: Run Initial Update

sudo /usr/local/bin/update-threatlist.sh
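
A stricter form of the Step 2 import, added here as an example and not ThreatListPro's own script: it accepts only well-formed IPv4 lines, drops private and reserved ranges and the guide's example whitelisted IPs (so they are not re-added on the next update), rejects a feed with too few valid entries, and emits one `ipset restore` batch ending in a single swap. The `MIN_ENTRIES` floor, the `--apply` switch and the sample feed are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not ThreatListPro's script. The --apply switch is hypothetical.

BLOCKLIST_URL="https://api.threatlistpro.com/v1/YOUR_API_KEY/blocklist.txt"
SET_NAME="threatlistpro"                 # set name used in the guide
ALLOWLIST="192.0.2.1 198.51.100.42"      # the guide's example whitelisted IPs
MIN_ENTRIES=3   # assumption: raise to a floor that fits the real feed size

# valid_ipv4 ADDR: true only for a dotted quad with octets 0-255 and no leading
# zeros (some parsers read a leading zero as octal).
valid_ipv4() {
    case "$1" in ''|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in 0[0-9]*|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# never_block ADDR: true for private, loopback, link-local, multicast and
# reserved space, which a WAN blocklist has no reason to contain.
never_block() {
    case "$1" in
        0.*|10.*|127.*|169.254.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        22[4-9].*|2[3-5][0-9].*) return 0 ;;
    esac
    return 1
}

# filter_feed: stdin = raw feed, stdout = accepted addresses, sorted and unique.
filter_feed() {
    tr -d '\r' | while IFS= read -r ip || [ -n "$ip" ]; do
        valid_ipv4 "$ip" || continue
        never_block "$ip" && continue
        case " $ALLOWLIST " in *" $ip "*) continue ;; esac
        printf '%s\n' "$ip"
    done | sort -u
}

# build_restore: stdin = raw feed, stdout = batch for `ipset restore`. Returns 1
# with no batch when too few entries survive, so the caller keeps the live set.
build_restore() {
    accepted=$(filter_feed)
    count=$(printf '%s\n' "$accepted" | grep -c . || true)
    if [ "$count" -lt "$MIN_ENTRIES" ]; then
        echo "feed rejected: $count valid entries, need $MIN_ENTRIES" >&2
        return 1
    fi
    t="${SET_NAME}_temp"
    printf 'create %s hash:ip maxelem 20000\nflush %s\n' "$t" "$t"
    printf '%s\n' "$accepted" | sed "s/^/add $t /"
    printf 'swap %s %s\ndestroy %s\n' "$t" "$SET_NAME" "$t"
}

# Constructed sample feed for the example (not real ThreatListPro data).
sample_feed() {
    cat <<'EOF'
192.0.2.15
192.0.2.15
203.0.113.7
198.51.100.42
198.51.100.77
10.0.0.1
192.0.2.015
<html>502 Bad Gateway</html>
EOF
}

# Live use, as root: sh this-script.sh --apply
if [ "${1:-}" = "--apply" ]; then
    feed=$(mktemp) || exit 1
    trap 'rm -f "$feed"' EXIT
    curl -fsS -o "$feed" "$BLOCKLIST_URL" || exit 1
    batch=$(build_restore < "$feed") || exit 1
    ipset create "$SET_NAME" hash:ip maxelem 20000 -exist
    printf '%s\n' "$batch" | ipset -exist restore
fi
```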

🔓 Whitelisting IPs (Excluding False Positives)

Method 1: Create Whitelist ipset (Recommended)

# Create whitelist ipset
sudo ipset create whitelist-threatlistpro hash:ip

# Add whitelisted IPs
sudo ipset add whitelist-threatlistpro 192.0.2.1 -exist
sudo ipset add whitelist-threatlistpro 198.51.100.42 -exist

# Create iptables rule to accept whitelisted IPs BEFORE drop rules
# (an ACCEPT at position 1 also bypasses every other rule in the chain for these sources)
sudo iptables -I INPUT 1 -m set --match-set whitelist-threatlistpro src -j ACCEPT
sudo iptables -I FORWARD 1 -m set --match-set whitelist-threatlistpro src -j ACCEPT

# Save rules (the redirect must run as root, hence sudo sh -c)
sudo sh -c 'iptables-save > /etc/iptables/rules.v4'  # Debian/Ubuntu
sudo service iptables save  # CentOS/RHEL

Method 2: Create Whitelist Script

Create /usr/local/bin/whitelist-threatlist.sh:

#!/bin/bash
# Whitelist IPs for ThreatListPro

WHITELIST_SET="whitelist-threatlistpro"

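# Create whitelist set if it doesn't exist
# (the "comment" option must be set at creation; a set created without it,
#  as in Method 1, rejects the comments on the add commands below)
ipset list $WHITELIST_SET &>/dev/null || ipset create $WHITELIST_SET hash:ip comment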

# Add whitelisted IPs with comments
ipset add $WHITELIST_SET 192.0.2.1 -exist comment "CompanyXYZ VPN - whitelisted 2025-01-15"
ipset add $WHITELIST_SET 198.51.100.42 -exist comment "Partner AWS - whitelisted 2025-01-15"

echo "$(date): Whitelist updated" >> /var/log/threatlist.log

Make executable and run:

sudo chmod +x /usr/local/bin/whitelist-threatlist.sh
sudo /usr/local/bin/whitelist-threatlist.sh

Method 3: Remove from ThreatListPro ipset

# Remove specific IP from blocklist
sudo ipset del threatlistpro 192.0.2.1

# Note: This IP will be re-added on next update
# Use Method 1 or 2 for permanent whitelisting

Verification

# Check whitelist ipset
sudo ipset list whitelist-threatlistpro

# Check iptables rules order
sudo iptables -L INPUT -v -n --line-numbers | head -20

# Expected output:
# 1    ACCEPT     all  --  *  *  0.0.0.0/0  0.0.0.0/0  match-set whitelist-threatlistpro src
# 2    DROP       all  --  *  *  0.0.0.0/0  0.0.0.0/0  match-set threatlistpro src

# Test connection from whitelisted IP
# (Connection should be allowed)

# View logs
sudo tail -f /var/log/syslog | grep "DROP"
⚠  Rule Order Critical: iptables processes rules top-to-bottom. Use -I INPUT 1 to insert the whitelist ACCEPT rule at the very top, before the ThreatListPro DROP rule.

Method 2: Using nftables (Modern Alternative)

For systems using nftables instead of iptables:

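# Install nftables
sudo apt-get install nftables

# Create set
sudo nft add table inet filter
sudo nft add set inet filter threatlistpro { type ipv4_addr\; flags interval\; }

# Create the base chains (a rule can only be added to a chain that exists)
sudo nft add chain inet filter input { type filter hook input priority 0 \; }
sudo nft add chain inet filter forward { type filter hook forward priority 0 \; }

# Add rule
sudo nft add rule inet filter input ip saddr @threatlistpro drop
sudo nft add rule inet filter forward ip saddr @threatlistpro drop

# Load IPs (only lines that are a bare IPv4 address are passed to nft)
curl -fsS https://api.threatlistpro.com/v1/YOUR_API_KEY/blocklist.txt | \
    grep -E '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' | \
    while read -r ip; do
        sudo nft add element inet filter threatlistpro "{ $ip }"
    done

# Save configuration (the redirect must run as root, so write the file with tee)
sudo nft list ruleset | sudo tee /etc/nftables.conf > /dev/null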

Verification

# Check ipset
sudo ipset list threatlistpro | head -20

# Count IPs in set
sudo ipset list threatlistpro | grep -c "^[0-9]"

# Check iptables rules
sudo iptables -L INPUT -v -n | grep threatlistpro

# View logs
sudo tail -f /var/log/syslog | grep "DROP"
💡 Performance: Using ipset is highly efficient - no performance impact even with 15,000+ IPs.
✓ Done! Linux firewall is now blocking ThreatListPro IPs with daily auto-updates.

🪟 Windows Firewall (Windows Defender)

Perfect for: Windows Server RDP protection and VPN access

Method 1: Using PowerShell Script (Recommended)

Step 1: Create Update Script

Create C:\Scripts\Update-ThreatList.ps1:

# ThreatListPro Update Script for Windows Firewall
# Save as: C:\Scripts\Update-ThreatList.ps1

$BlocklistURL = "https://api.threatlistpro.com/v1/YOUR_API_KEY/blocklist.txt"
$RuleName = "Block ThreatListPro IPs"
$TempFile = "$env:TEMP\threatlist.txt"

# Download blocklist
try {
    Invoke-WebRequest -Uri $BlocklistURL -OutFile $TempFile -UseBasicParsing
    Write-Host "Downloaded ThreatListPro blocklist successfully"
} catch {
    Write-Error "Failed to download blocklist: $_"
    exit 1
}

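# Read IPs
$IPs = @(Get-Content $TempFile | Where-Object { $_ -match '^\d+\.\d+\.\d+\.\d+$' })

# Keep the existing rules if the download contained no usable addresses
if ($IPs.Count -eq 0) {
    Write-Error "Blocklist contained no valid IPs; existing rules left in place"
    exit 1
}

# Remove old rules if they exist (the rules are named "$RuleName - Batch N")
$ExistingRules = Get-NetFirewallRule -DisplayName "$RuleName*" -ErrorAction SilentlyContinue
if ($ExistingRules) {
    $ExistingRules | Remove-NetFirewallRule
    Write-Host "Removed old firewall rules"
}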

# Create new blocking rule
# Note: Windows Firewall has a limit of ~1000 IPs per rule
# We'll create multiple rules in batches of 1000

$BatchSize = 1000
$BatchNumber = 1

for ($i = 0; $i -lt $IPs.Count; $i += $BatchSize) {
    $Batch = $IPs[$i..([Math]::Min($i + $BatchSize - 1, $IPs.Count - 1))]
    
    $RuleNameBatch = "$RuleName - Batch $BatchNumber"
    
    New-NetFirewallRule -DisplayName $RuleNameBatch `
        -Direction Inbound `
        -Action Block `
        -RemoteAddress $Batch `
        -Protocol Any `
        -Profile Any `
        -Enabled True `
        -Description "ThreatListPro malicious IPs - Batch $BatchNumber"
    
    Write-Host "Created rule batch $BatchNumber with $($Batch.Count) IPs"
    $BatchNumber++
}

# Cleanup
Remove-Item $TempFile -Force

Write-Host "ThreatListPro blocklist updated successfully"
Add-Content -Path "C:\Scripts\threatlist.log" -Value "$(Get-Date): Updated $($IPs.Count) IPs"

Step 2: Run Script as Administrator

# Open PowerShell as Administrator
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser

# Create scripts directory
New-Item -ItemType Directory -Path "C:\Scripts" -Force

# Run the script
C:\Scripts\Update-ThreatList.ps1

Step 3: Schedule Auto-Update with Task Scheduler

# Create scheduled task via PowerShell
$Action = New-ScheduledTaskAction -Execute "PowerShell.exe" `
    -Argument "-NoProfile -ExecutionPolicy Bypass -File C:\Scripts\Update-ThreatList.ps1"

$Trigger = New-ScheduledTaskTrigger -Daily -At 3:00AM

$Principal = New-ScheduledTaskPrincipal -UserId "SYSTEM" -LogonType ServiceAccount -RunLevel Highest

$Settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries

Register-ScheduledTask -TaskName "Update ThreatListPro Blocklist" `
    -Action $Action `
    -Trigger $Trigger `
    -Principal $Principal `
    -Settings $Settings `
    -Description "Updates ThreatListPro IP blocklist daily"

🔓 Whitelisting IPs (Excluding False Positives)

Method 1: Create Whitelist PowerShell Script (Recommended)

Create C:\Scripts\Whitelist-ThreatList.ps1:

# ThreatListPro Whitelist Script for Windows Firewall

$WhitelistRuleName = "Allow ThreatListPro Whitelist"

# Define whitelisted IPs
$WhitelistedIPs = @(
    "192.0.2.1",       # CompanyXYZ VPN - whitelisted 2025-01-15
    "198.51.100.42"    # Partner AWS - whitelisted 2025-01-15
)

# Remove old whitelist rule if exists
$ExistingRule = Get-NetFirewallRule -DisplayName $WhitelistRuleName -ErrorAction SilentlyContinue
if ($ExistingRule) {
    Remove-NetFirewallRule -DisplayName $WhitelistRuleName
    Write-Host "Removed old whitelist rule"
}

# Create whitelist allow rule (must be processed before block rules)
New-NetFirewallRule -DisplayName $WhitelistRuleName `
    -Direction Inbound `
    -Action Allow `
    -RemoteAddress $WhitelistedIPs `
    -Protocol Any `
    -Profile Any `
    -Enabled True `
    -Description "Whitelisted IPs that override ThreatListPro blocks"

Write-Host "Whitelist rule created with $($WhitelistedIPs.Count) IPs"

# Log the change
Add-Content -Path "C:\Scripts\threatlist.log" -Value "$(Get-Date): Whitelist updated"

Run the script:

# Open PowerShell as Administrator
C:\Scripts\Whitelist-ThreatList.ps1

Method 2: GUI Method (Manual)

  1. Open Windows Defender Firewall with Advanced Security
  2. Right-click Inbound Rules → New Rule
  3. Select Custom → Next
  4. Select All programs → Next
  5. Protocol type: Any → Next
  6. Under Scope:
    • Remote IP addresses: These IP addresses
    • Click Add and enter: 192.0.2.1
    • Repeat for additional IPs
  7. Action: Allow the connection → Next
  8. Apply to: All profiles → Next
  9. Name: Allow ThreatListPro Whitelist → Finish
  10. Critical: Drag this rule to the top of the Inbound Rules list

Method 3: Remove IPs from Block Rules

You can edit individual ThreatListPro block rules to exclude specific IPs:

# List all ThreatListPro rules
Get-NetFirewallRule -DisplayName "Block ThreatListPro*" | Format-Table

# Get address filter for a specific rule
Get-NetFirewallRule -DisplayName "Block ThreatListPro IPs - Batch 1" | Get-NetFirewallAddressFilter

# Remove IP from rule (not recommended - use whitelist instead)
# This is complex and must be done for each batch rule

Verification

# Check whitelist rule exists
Get-NetFirewallRule -DisplayName "Allow ThreatListPro Whitelist" | Format-Table

# Check rule details
Get-NetFirewallRule -DisplayName "Allow ThreatListPro Whitelist" | Get-NetFirewallAddressFilter

# Expected output: RemoteAddress should show your whitelisted IPs

# View all ThreatListPro related rules
Get-NetFirewallRule | Where-Object { $_.DisplayName -like "*ThreatListPro*" } | Format-Table DisplayName, Action

# Expected output:
# Allow ThreatListPro Whitelist       Allow
# Block ThreatListPro IPs - Batch 1   Block
# Block ThreatListPro IPs - Batch 2   Block

# Test connection from whitelisted IP
# Connection should be allowed

# View Windows Firewall logs (if enabled)
Get-WinEvent -LogName "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall" -MaxEvents 20
⚠  Rule Order Matters: Windows Firewall evaluates Allow rules before Block rules by default. However, it's best practice to ensure your whitelist Allow rule appears at the top of the Inbound Rules list for clarity.
💡 Tip: To add more whitelisted IPs, simply edit the $WhitelistedIPs array in the PowerShell script and run it again. The script will recreate the rule with all IPs.

Method 2: Manual GUI Configuration (Small Lists)

For smaller lists or testing:

  1. Open Windows Defender Firewall with Advanced Security
  2. Right-click Inbound Rules → New Rule
  3. Select Custom → Next
  4. Select All programs → Next
  5. Protocol type: Any → Next
  6. Under Scope:
    • Remote IP addresses: These IP addresses
    • Click Add and paste IPs (max 1000)
  7. Action: Block the connection → Next
  8. Apply to: All profiles → Next
  9. Name: Block ThreatListPro IPs → Finish

Verification

# Check firewall rules
Get-NetFirewallRule -DisplayName "Block ThreatListPro*" | Format-Table

# Count blocked IPs
(Get-NetFirewallRule -DisplayName "Block ThreatListPro*" | Get-NetFirewallAddressFilter).RemoteAddress.Count

# View logs
Get-WinEvent -LogName "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall" -MaxEvents 20
⚠  Windows Limitation: Windows Firewall has a limit of ~1000 IPs per rule. The script automatically creates multiple rules in batches.
✓ Done! Windows Firewall is now blocking ThreatListPro IPs with daily auto-updates.

🌐 Generic / Universal Method

For any firewall not listed above

Overview

If your firewall isn't listed, follow this universal approach that works with most firewall systems:

Step 1: Understand Your Blocklist URL

https://api.threatlistpro.com/v1/YOUR_API_KEY/blocklist.txt

Format: Plain text, one IPv4 address per line

Example content:

192.0.2.1
192.0.2.15
198.51.100.42
203.0.113.7

Step 2: Check Your Firewall's Capabilities

Your firewall likely supports ONE of these methods:

Option A: Dynamic List Import (Best)

Look for features named:

If found: Simply paste your ThreatListPro URL and set update frequency to daily/hourly.

Option B: Address Group Import (Common)

Download the list and import manually:

# Download list
curl https://api.threatlistpro.com/v1/YOUR_API_KEY/blocklist.txt -o blocklist.txt

# Or on Windows:
Invoke-WebRequest -Uri "https://api.threatlistpro.com/v1/YOUR_API_KEY/blocklist.txt" -OutFile blocklist.txt

Then import via your firewall's GUI:

  1. Create new Address Object/Group
  2. Import from file (blocklist.txt)
  3. Create deny/drop rule using this group

Option C: Manual Entry (Last Resort)

For firewalls without import:

  1. Download the list
  2. Create individual address entries for top 100-500 IPs
  3. Group them together
  4. Create block rule

Step 3: Create Firewall Rule

Regardless of method, create a rule with these settings:

🔓 Whitelisting IPs (Universal Method)

General Approach for All Firewalls

Regardless of your firewall platform, follow these universal steps:

Step 1: Create Whitelist Address Object/Group

  1. Navigate to your firewall's address management section (usually "Objects," "Addresses," or "Hosts")
  2. Create individual address objects for each whitelisted IP:
    • Name: Whitelist-CompanyXYZ
    • Type: Host or IP Address
    • Value: 192.0.2.1 (or /32 for CIDR)
    • Description: "Whitelisted 2025-01-15 - Reason"
  3. Create a group/collection containing all whitelisted addresses:
    • Name: Whitelist-Exceptions
    • Members: All whitelisted address objects

Step 2: Create Whitelist Rule (ABOVE Block Rule)

  1. Navigate to your firewall's rule/policy section
  2. Create a new rule with these settings:
    • Name: Allow-Whitelist-Exceptions
    • Position: ABOVE the ThreatListPro block rule
    • Source: Whitelist-Exceptions group
    • Destination: Any
    • Service: Any
    • Action: Allow / Accept / Permit
    • Logging: Enabled
  3. Critical: Move this rule ABOVE the ThreatListPro block rule

Step 3: Verify Rule Order

Ensure your rules are in this order (top to bottom):

1. Allow-Whitelist-Exceptions (Action: Allow)
2. Block-ThreatListPro (Action: Deny/Drop)
3. [Other rules...]

Alternative: Remove from Blocklist Group

Some firewalls allow editing the address group directly:

  1. Edit the ThreatListPro address group/object
  2. Remove the specific false positive IP
  3. Downside: Must repeat after each weekly update
  4. Recommendation: Use whitelist rule method instead

Common Verification Steps

  1. Check Rule Order: Whitelist rule appears before block rule
  2. Test Connection: Try accessing from whitelisted IP - should succeed
  3. Check Logs: Look for "Allow" or "Permit" entries for whitelisted IPs
  4. Verify Group Membership: Confirm IPs are in whitelist group
⚠  Universal Rule: In ALL firewall platforms, rule order matters. The whitelist Allow/Accept rule must be evaluated BEFORE the ThreatListPro Block/Deny rule. This is typically achieved by placing it higher in the rule list.

Step 4: Automate Updates (Optional)

Using Cron (Linux/Unix systems):

# Create update script
cat > /usr/local/bin/update-blocklist.sh << 'EOF'
#!/bin/bash
# -f: an HTTP error fails the download instead of saving the error page
curl -fsS https://api.threatlistpro.com/v1/YOUR_API_KEY/blocklist.txt -o /tmp/blocklist.txt || exit 1
# Add your firewall-specific import commands here
EOF

chmod +x /usr/local/bin/update-blocklist.sh

# Schedule daily
crontab -e
# Add: 0 3 * * * /usr/local/bin/update-blocklist.sh

Using Task Scheduler (Windows):

  1. Create PowerShell script to download list
  2. Add firewall import commands
  3. Schedule via Task Scheduler (daily)

Common Firewall Terminology Mapping

Generic Term  | Your Firewall Might Call It...
IP Blocklist  | Address Object, Network Object, Host Group, IP Group
Block Rule    | Security Policy, Access Rule, Filter Rule, ACL
External List | Threat Feed, Dynamic List, URL Category, Feed Source
Deny Action   | Drop, Reject, Block, Discard
Whitelist     | Exception List, Allow List, Permit List, Exclusions

Testing Your Configuration

  1. Verify list imported: Check your firewall's address objects/groups
  2. Verify rule created: Check rule list shows your block rule
  3. Test blocking: Try accessing from a test IP in the list (safely)
  4. Check logs: Monitor firewall logs for blocks
  5. Test whitelist: Verify whitelisted IPs can connect successfully

Need Specific Help?

Email us with:

We'll provide custom instructions within 24 hours!

Need Help?

Can't find your firewall? Need specific assistance?

Email: support@threatlistpro.com

Response Time: Within 24 hours

We're here to help you get protected quickly!