In the simplest terms, there are providers and subscribers of our threat intelligence data.
A provider is an organization that has a set of data that they are interested in sharing with other Cloudflare organizations. Any organization can be a provider. Examples of current providers are Government Cyber Defense groups.
Subscribers can be any Cloudflare customer that wants to secure their environment further by creating rules based on provider datasets. Subscribers must be authorized by a provider. Authorization is granted using the .
If your organization has interest in becoming a provider or a subscriber, please reach out to your account team, who will help facilitate the required authorization.
After a feed is created, you can upload data to it. Uploading data to a feed is done through the . They are called snapshots because if a provider needs to update their feed with new data, they must upload a file containing all previous and new indicators.
- Finally, in order to grant access to a subscriber, any administrator of the account that owns the feed must add the subscribers
account_tagto the feeds allowed subscribers list. This can be done using the .
Using a feed in Gateway
Once an account is granted access to a feed, it will be available as a selectable item in Gateway.
- Open your Zero Trust account.
- Select Gateway > Firewall Policies and create a new DNS policy by selecting Add a policy.
- Name your policy, add a Traffic Condition and select the Indicator Feeds from the selector dropdown.
If your accounty has been granted access to a Custom Indicator Feed, it will listed in the Value dropdown.