What is IoC IP detection and how is it different from a standard IP blocklist?
Indicator of Compromise (IoC) IP detection allows the firewall to match traffic against a list of known malicious IP addresses supplied by the administrator from an external threat intelligence source. The key difference from a traditional blocklist is how the list is loaded and applied: rather than creating individual firewall address objects for each IP, administrators configure a source URL in the External Files tab. The firewall downloads the IP list from that URL, using HTTPS or another supported protocol, and can be set to refresh it automatically at a defined interval, keeping the list current without manual intervention.
Does IoC detection only apply to traffic coming in from the internet?
IoC detection applies to connections involving public, externally routed IP addresses. Inbound enforcement stops known malicious sources from reaching internal resources. Outbound enforcement blocks connections to known command-and-control (C2) servers and other malicious destinations. The feature is designed to act on external threat indicators, not internal lateral movement paths. When configured in Firewall Rule-based Connections mode, IoC enforcement is applied selectively per access rule, giving administrators control over which traffic flows are subject to IoC checking.
Where do the IP addresses in the IoC list come from? Does SonicWall provide them?
No. SonicWall does not provide the IP list. The administrator is responsible for sourcing IP addresses from an external threat intelligence provider, such as a commercial subscription (e.g., Recorded Future, CrowdStrike), an open-source feed (e.g., abuse.ch), or an internally curated list from the organization's security operations team. The source is configured in the External Files tab: the administrator enters a name, selects the protocol (such as HTTPS), and provides the URL pointing to the feed. The firewall downloads the file from that URL and can be set to refresh it periodically, so the IoC list stays current without manual intervention.
What action does the firewall take when an IoC match is found? Is traffic blocked automatically?
Yes. When IoC detection is enabled and a connection's source or destination address matches an entry in the enforced IP file, the firewall blocks the connection.

The scope of enforcement is configurable: All Connections mode applies IoC checking globally to all traffic passing through the firewall; Firewall Rule-based Connections mode applies it selectively, only on traffic matched by firewall rules that have IoC checking enabled in their Security Profile. Within a rule’s Security Profile, Global mode uses the global IoC configuration, while Custom mode allows rule-specific settings to be applied per rule. Logging can be enabled independently. A block page can also be enabled to display a notification to users whose browser-based connections are blocked, with customizable alert text.
How does IoC detection relate to Geo-IP filtering?
Geo-IP filtering blocks or permits traffic based on the geographic origin of an IP address. IoC detection is more targeted: it acts on IP addresses specifically flagged as threat actor infrastructure, regardless of where they are geographically located. A command-and-control server hosted in a country not blocked by the Geo-IP policy would still be caught by IoC detection if its IP appears in the administrator's IoC list. The two features complement each other and can be used simultaneously.
Does enabling IoC detection have a performance impact on the firewall?
IoC list lookups are performed in-line with traffic inspection but are designed to be low-overhead. The feed data is cached locally on the firewall and refreshed automatically from the configured source URL at the defined download interval, so matches do not require a network lookup for every packet. The performance impact depends on traffic volume and the number of active feed entries, but for most deployments the impact is negligible compared to the overall DPI inspection load.
How can I verify that the IoC list has loaded correctly and that the feature is actively evaluating traffic?
The Diagnostics tab in the IoC settings displays real-time statistics: the number of entries loaded from the configured source, the number of times the inspection engine has called the IoC lookup function, the number of lookups that returned no match, and the number of times a match was resolved. A non-zero entry count confirms that the list has been downloaded and loaded successfully. The Diagnostics tab also includes a Check IoC IP Addresses lookup tool, which allows administrators to enter a specific IP address and immediately test whether it is present in the loaded list.
What file format is required for the external IoC IP list?
A plain text (.txt) file is the preferred format for the external IoC IP list. Each IP address must appear on its own line with no additional formatting, headers, or delimiters. The firewall downloads the file from the configured URL and parses it line by line to build the in-memory blocklist. Using a clean, single-column .txt file ensures reliable parsing and reduces the risk of malformed entries being skipped or causing load failures.
File encoding: UTF-8 encoding is recommended. Any other encoding may not be supported and may result in a file format error. To avoid load failures, use a plain ASCII character set with no special characters, and verify the file encoding before hosting it on your web server.
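A feed exported from a threat intelligence provider rarely arrives in the clean one-address-per-line form described above: exports commonly carry a UTF-8 byte order mark, comment headers, CRLF line endings, stray whitespace, duplicates, CIDR ranges and occasionally addresses that are not publicly routable. The script below is an added example (not SonicWall code) that normalizes such a file into the format the firewall expects and rejects anything that would be skipped or cause a load failure, then performs the same kind of membership check the Check IoC IP Addresses tool performs, keeping the four counters the Diagnostics tab reports. It assumes only what this page states: plain text, one address per line, UTF-8 or plain ASCII, enforcement on public addresses in either direction. Whether the firewall accepts IPv6 entries is not stated on the page, so they are rejected unless allow_ipv6=True; the sample feed contents are constructed for the demonstration.

```python
"""Normalize an external IoC IP feed into one-address-per-line ASCII text.

Added example, not SonicWall code. Assumes the format this page describes:
plain text, one address per line, no headers or delimiters, UTF-8/ASCII.
IPv6 acceptance is not documented on the page, hence allow_ipv6=False.
"""
import ipaddress
from typing import Dict, List, Set, Tuple

# Constructed sample export: UTF-8 BOM, comment, whitespace, CRLF, duplicate,
# CIDR range, RFC 1918 address, IPv6 address, junk line, blank line.
RAW_FEED = (
    b"\xef\xbb\xbf# feed generated 2024-01-01\n"
    b"203.0.113.10\n"
    b"  198.51.100.7  \n"
    b"203.0.113.10\r\n"
    b"192.0.2.0/24\n"
    b"10.0.0.5\n"
    b"2001:db8::1\n"
    b"not-an-ip\n"
    b"\n"
)

# Address space that is never a valid external indicator. Listed explicitly
# rather than via ipaddress.is_global so that the RFC 5737 documentation
# ranges used as sample data above are left alone.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]


def decode_feed(raw: bytes) -> str:
    """Strict UTF-8 decode with BOM removal. Any other encoding raises
    UnicodeDecodeError here, before the file is hosted for the firewall."""
    return raw.decode("utf-8").lstrip("\ufeff")


def normalize_feed(raw: bytes, allow_ipv6: bool = False) -> Tuple[List[str], Dict[str, List[str]]]:
    """Return (clean entries in first-seen order, rejected lines by reason).
    CIDR ranges are rejected because the target format is one address per
    line; expand them upstream if a whole range is really intended."""
    seen: Set[str] = set()
    clean: List[str] = []
    rejected: Dict[str, List[str]] = {}
    for line in decode_feed(raw).splitlines():
        entry = line.strip()
        if not entry:
            continue  # blank lines carry nothing; drop silently
        if entry.startswith("#"):
            reason = "comment"
        elif "/" in entry:
            reason = "cidr"
        else:
            try:
                addr = ipaddress.ip_address(entry)
            except ValueError:
                reason = "invalid"
            else:
                if addr.version == 6 and not allow_ipv6:
                    reason = "ipv6"
                elif any(addr in net for net in NON_ROUTABLE):
                    reason = "non_global"
                elif str(addr) in seen:
                    reason = "duplicate"
                else:
                    seen.add(str(addr))
                    clean.append(str(addr))  # canonical text form
                    continue
        rejected.setdefault(reason, []).append(entry)
    return clean, rejected


def render_feed(entries: List[str]) -> bytes:
    """One address per line, LF endings, trailing newline, plain ASCII, no BOM."""
    return ("\n".join(entries) + "\n").encode("ascii")


class IocTable:
    """In-memory copy of the loaded list with the counters the Diagnostics
    tab reports: entries loaded, lookups called, no match, match resolved."""

    def __init__(self, entries: List[str]) -> None:
        self.entries: Set[str] = set(entries)
        self.lookups = self.hits = self.misses = 0

    def check(self, ip: str) -> bool:
        """Single-address lookup, like the Check IoC IP Addresses tool."""
        self.lookups += 1
        try:
            hit = str(ipaddress.ip_address(ip.strip())) in self.entries
        except ValueError:
            hit = False
        self.hits += hit
        self.misses += not hit
        return hit

    def blocks(self, src: str, dst: str) -> bool:
        """Inbound enforcement matches the source, outbound the destination."""
        src_hit = self.check(src)
        dst_hit = self.check(dst)
        return src_hit or dst_hit


if __name__ == "__main__":
    entries, rejected = normalize_feed(RAW_FEED)
    print(f"{len(entries)} entries loaded, rejected: {{k: len(v) for k, v in rejected.items()}}")
    print(render_feed(entries).decode())
    table = IocTable(entries)
    print("block 198.51.100.7 -> 172.16.4.20:", table.blocks("198.51.100.7", "172.16.4.20"))
    print("block 172.16.4.21 -> 192.0.2.55:", table.blocks("172.16.4.21", "192.0.2.55"))
```

Running it against the constructed feed leaves two entries, and the second flow is not blocked even though 192.0.2.55 sat inside the rejected 192.0.2.0/24 line: that is the kind of silent coverage gap the Diagnostics entry count alone will not reveal, which is why the rejection report should be reviewed whenever a new feed source is onboarded.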
Where can I find the guide for Indicator of Compromise?
Availability Note:
This feature is supported on GEN8 platforms running SonicOS 8.2.1 and later. It is not available on GEN7 platforms, regardless of SonicOS firmware version.