ELLIO Blocklist Automation
Blocklist Automation is the part of ELLIO that turns threat intelligence into something a firewall can act on. You assemble an EDL Deployment from up to four source types, pick a firewall format, and the platform serves a dynamic URL your firewall fetches on its own schedule.
Where to start
| Page | When to read |
|---|---|
| Quickstart - first blocklist | First time. Shows the whole flow end-to-end. |
| EDL Deployment lifecycle | After the quickstart. The full reference for creating, managing, and updating deployments. |
| Firewall format guide | Picking the right format for your device. Covers all 10 supported firewall types. |
| Include / exclude logic | When the EDL behaves in an unexpected way. Explains how the 4 source types interact. |
| Sources reference | The atlas of every source you can include or exclude. |
| Traefik plugin guide | If you use Traefik instead of a traditional firewall. |
| Blocklist API | Programmatic ruleset and rule management. |
The four source types
Every EDL Deployment is built from these four building blocks:
- ELLIO Threat Lists - managed lists of threat IPs (MAX 659K, RDP 60K, 250K, 100K) and 15 RECON lists (scanner IP catalogues per provider - Censys, Shodan, Shadowserver, BinaryEdge, Cortex Xpanse…).
- Common Business Services - curated IP ranges for major cloud providers, CDNs, ISPs, security services, SaaS, and crawlers. Use them to allow trusted infrastructure or to block specific bot families.
- My External IP Lists - bring-your-own external blocklist URLs (BYOIPB). ELLIO fetches them on a schedule and merges them into your EDL.
- My IP Rulesets - your own per-IP rules, with optional expiry, organised into reusable allowlist or blocklist rulesets.
Two trial periods
A new ELLIO workspace gets a 7-day trial of both Threat Intelligence and Blocklist Automation independently. The countdowns are visible at the top of each section in the sidebar. Reach out via the Talk to us link before the trial ends to keep access.
Where the EDL goes after creation
Once a deployment is created the platform exposes a stable URL your firewall fetches on its own schedule. You can refresh the EDL content as often as every 5 minutes or as rarely as every 24 hours, depending on plan and need. Most production deployments use the 5- to 60-minute window.
The format of the URL response depends on the firewall format you chose (plain IP-per-line, CIDR, Check Point CIF, F5 IP Address Intelligence, etc.). See the firewall format guide for the full table.