Creating Your First Custom Blocklist

With ELLIO Blocklist Automation you can create and manage custom IP feeds to block active malicious traffic, including IPs involved in mass exploitation and unwanted reconnaissance activity.

This guide walks you through creating your first custom blocklist.

Getting Started

Open the ELLIO Platform, go to My EDL Deployments, and click Create EDL Deployment.

Blocklist Basics

Configure the core properties of your blocklist:

  • Name - a descriptive name for the blocklist.
  • Firewall format - the output format matching the firewall or system that will consume the list. See Supported firewall formats below for the full list.
  • Update frequency - how often the EDL content is regenerated. Options depend on your plan and range from every few minutes up to once a day.
  • Purpose - metadata indicating whether the list is used for blocking or allowing traffic. It helps your team quickly find blocklists and allowlists in the platform and has no effect on the generated content.
  • Traffic direction - metadata indicating whether the list is intended for ingress or egress traffic. It is used by your team to identify the list's direction and has no effect on the generated content. ELLIO Threat Lists are designed for ingress blocking.

IP Sources

IP sources are the curated ELLIO feeds that populate your blocklist. For each source you can choose:

  • Include - the source's IPs are added to the blocklist.
  • Exclude - the source's IPs are guaranteed never to appear on the blocklist, even if they match another included source.

Common ELLIO IP Sources:

  • ELLIO Threat List Max - the largest ELLIO IP feed, covering a broad range of active malicious activity observed across the ELLIO Deception Network.
  • ELLIO Threat List RDP - IPs targeting remote access services such as RDP and VNC. Useful when exposing remote access to the internet.

Additional threat lists are available in the platform for specific scopes, such as protocol-focused feeds or targeted categories.

Recon Lists

Recon lists group IPs involved in reconnaissance activity, such as internet-wide scanning, vulnerability probing, and attack surface mapping.

  • Include - traffic from those IPs is blocked.
  • Exclude - those IPs are guaranteed to never be blocked. This is useful for sources you want to keep reachable, such as your own external attack surface management (EASM) tooling.

Exclusions always take priority over inclusions. ELLIO keeps the underlying IP ranges up to date automatically, so you do not need to track scanner IP changes yourself.

Common Business Services

Common Business Services let you control traffic from well-known SaaS, cloud, CDN, crawler, and bot providers based on their IP ranges. IP ranges for each service are updated automatically.

For each service you can choose:

  • Include - traffic from that provider's IP ranges is blocked.
  • Exclude - traffic from that provider's IP ranges is allowed through and will never be blocked by this EDL.

Typical uses:

  • Exclude a CDN so your services stay reachable when traffic is proxied through it.
  • Exclude SaaS services your organization depends on, such as Microsoft 365 or Google Workspace.
  • Include crawlers and bots you do not want hitting your services, or exclude ones you want to keep allowed (for example, search engine crawlers).

Providers range from cloud platforms to internet and security services, so you can make the selection as broad or as narrow as needed.

IP Rulesets

IP rulesets are your own custom collections of IP rules managed in the ELLIO platform. For each ruleset you can choose:

  • Include - the ruleset's IPs are added to the blocklist.
  • Exclude - the ruleset's IPs are kept off the blocklist.

Any change you make in a ruleset is reflected in the generated EDL on the next update cycle. You can add or remove rulesets at any time, including after the blocklist is already connected to your firewall.
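The include/exclude semantics are the same for IP Sources, Recon Lists, Common Business Services and IP Rulesets: included ranges are unioned, and any excluded range is subtracted afterwards, so exclusions always win. The following Python snippet is an added illustration of that merge, not ELLIO's own generator; the selection names and all IP ranges are constructed sample data (documentation prefixes), and the way selections are modelled as sets of networks is an assumption made for the example.

```python
"""Added example (not ELLIO's code): how include/exclude selections combine.

Every selection (IP source, recon list, business service or ruleset) is
modelled as a set of CIDR networks. An address is blocked only if some
included range covers it and no excluded range covers it, which is the
"exclusions always take priority" rule described in the guide.
"""
from ipaddress import ip_network, ip_address, collapse_addresses

# Constructed sample selections; names and ranges are hypothetical,
# not real ELLIO feed content.
SELECTIONS = {
    "ELLIO Threat List Max":     ("include", ["198.51.100.0/24", "203.0.113.0/25"]),
    "Recon: internet scanners":  ("include", ["192.0.2.0/24"]),
    "Recon: our EASM vendor":    ("exclude", ["192.0.2.128/26"]),
    "Business: CDN provider":    ("exclude", ["203.0.113.64/27"]),
    # Covered by an exclusion above, so it must NOT end up on the list.
    "Ruleset: manual additions": ("include", ["192.0.2.130/32"]),
}


def _collapse(nets):
    """Merge overlapping/adjacent networks, one address family at a time
    (collapse_addresses refuses mixed IPv4/IPv6 input)."""
    out = []
    for version in (4, 6):
        out.extend(collapse_addresses(n for n in nets if n.version == version))
    return out


def build_blocklist(selections):
    """Return the networks that end up on the EDL, as strings.

    Included ranges are unioned first; every excluded range is then
    subtracted, so an excluded address never appears even when another
    included selection covers it.
    """
    included, excluded = [], []
    for _name, (mode, ranges) in selections.items():
        target = included if mode == "include" else excluded
        target.extend(ip_network(r, strict=False) for r in ranges)

    result = []
    for net in _collapse(included):
        pieces = [net]
        for ex in excluded:
            remaining = []
            for piece in pieces:
                if piece.version != ex.version or not piece.overlaps(ex):
                    remaining.append(piece)          # untouched by this exclusion
                elif ex.supernet_of(piece):
                    continue                         # whole piece is excluded
                else:
                    # ex is a strict subnet of piece: carve it out
                    remaining.extend(piece.address_exclude(ex))
            pieces = remaining
        result.extend(pieces)
    return [str(n) for n in _collapse(result)]


def is_blocked(blocklist, ip):
    """True if the address falls inside any network on the generated list."""
    addr = ip_address(ip)
    return any(addr in ip_network(n) for n in blocklist)


if __name__ == "__main__":
    edl = build_blocklist(SELECTIONS)
    print("\n".join(edl))
    for probe in ("192.0.2.5", "192.0.2.130", "203.0.113.70", "203.0.113.100"):
        print(probe, "blocked" if is_blocked(edl, probe) else "allowed")
```

Running it shows the scanner range split around the excluded EASM block and the CDN range carved out of the threat-list prefix; the manually added 192.0.2.130 is absent because the exclusion covering it takes priority.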

Review and Create

The Summary view shows every source, exclusion, and ruleset that will be included in the blocklist. Review the configuration and click Create.

After a few seconds the blocklist is ready and you receive a URL to use as an External Dynamic List in your firewall. The firewall fetches the list on its own schedule and applies it for IP blocking.

Supported firewall formats

ELLIO generates the EDL in the format required by each firewall or system. Select the format that matches the device that will consume the list.

For each format the description, CIDR support, IPv6 support, and notes are:

  • Palo Alto Networks - Industry-standard EDL format, one IP or CIDR per line. CIDR: Yes. IPv6: Yes. Recommended for Palo Alto Networks firewalls.
  • Fortinet FortiGate - External threat feed format, one IP or CIDR per line. CIDR: Yes. IPv6: Yes. Lists larger than 130k entries are chunked automatically.
  • Check Point - Custom Intelligence Feed format: ID,IP,type,confidence,severity,product,comment. CIDR: Yes. IPv6: Yes. Used by Check Point NGFW.
  • Cisco Secure Firewall - Security Intelligence feed format, one IP or CIDR per line. CIDR: Yes. IPv6: Yes. An MD5 checksum file is included for smart fetching.
  • F5 BIG-IP - IP Address Intelligence format: IP,prefix_length,list_type,category. CIDR: Yes. IPv6: Yes. Custom category supported.
  • Sophos - Individual IP addresses only, one per line. CIDR: No. IPv6: No. CIDRs are expanded into individual addresses up to /16.
  • ntopng - IP blacklist format, one IP per line. CIDR: No. IPv6: No. CIDRs are expanded into individual addresses up to /16.
  • pfSense - One IP or CIDR per line. CIDR: Yes. IPv6: Yes. Consumed by pfBlockerNG.
  • OPNsense - Alias URL table format, one IP or CIDR per line. CIDR: Yes. IPv6: No. IPv4 only.
  • Universal - Plain text, one IP or CIDR per line. CIDR: Yes. IPv6: Yes. Compatible with most systems that accept a plain IP list.
  • ELLIO Traefik Middleware Plugin - Native integration for Traefik, configured via the ELLIO_BOOTSTRAP environment variable. CIDR: Yes. IPv6: No. The plugin fetches and applies the EDL automatically. See the Traefik middleware guide.
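To make the format differences concrete, here is an added Python example (not ELLIO's generator) that renders one merged set of networks into the formats whose behaviour the list above fully describes: plain one-entry-per-line output, IPv4-only output for OPNsense, expansion into individual addresses with a /16 cap for Sophos and ntopng, chunking at 130k entries for FortiGate, and an MD5 checksum for Cisco. The sample networks are constructed documentation prefixes, and how ranges wider than /16 or IPv6 ranges are treated by the expanding formats is an assumption (they are reported separately here); the Check Point and F5 column layouts are not rendered because their field values are not given on the page.

```python
"""Added example (not ELLIO's code): rendering a merged network list into
several of the EDL formats described above."""
from hashlib import md5
from ipaddress import ip_network

# Constructed sample EDL content (documentation ranges, not real feed data).
SAMPLE = [ip_network(n) for n in (
    "198.51.100.0/30", "203.0.113.7/32", "2001:db8::/32", "10.0.0.0/8",
)]


def render_universal(nets):
    """Universal / Palo Alto / pfSense / Cisco style: one IP or CIDR per line."""
    return "\n".join(str(n) for n in nets) + "\n"


def render_opnsense(nets):
    """OPNsense alias URL table: same layout, but IPv4 only."""
    return render_universal([n for n in nets if n.version == 4])


def render_expanded(nets, widest_prefix=16):
    """Sophos / ntopng style: individual addresses only, no CIDR, no IPv6.

    The page says CIDRs are expanded 'up to /16'. This example ASSUMES
    (not stated on the page) that wider ranges and IPv6 networks are left
    out and returned in a separate 'skipped' list rather than truncated.
    """
    lines, skipped = [], []
    for n in nets:
        if n.version != 4 or n.prefixlen < widest_prefix:
            skipped.append(str(n))
        else:
            # Iterating a network yields every address, network and
            # broadcast included; a /32 yields exactly one.
            lines.extend(str(a) for a in n)
    return "\n".join(lines) + "\n", skipped


def chunk(entries, max_entries=130_000):
    """FortiGate feeds: split lists larger than max_entries into chunks."""
    return [entries[i:i + max_entries] for i in range(0, len(entries), max_entries)]


def cisco_checksum(text):
    """Cisco Secure Firewall ships an MD5 checksum file next to the feed so
    the firewall can skip re-downloading a list that has not changed."""
    return md5(text.encode()).hexdigest()


if __name__ == "__main__":
    universal = render_universal(SAMPLE)
    print(universal, end="")
    print("opnsense:", render_opnsense(SAMPLE).split())
    expanded, skipped = render_expanded(SAMPLE)
    print("expanded:", expanded.split(), "skipped:", skipped)
    print("fortigate chunks:", len(chunk(universal.splitlines(), 2)))
    print("cisco md5:", cisco_checksum(universal))
```

The 10.0.0.0/8 and IPv6 entries survive in the CIDR-capable formats but drop out of the expanding ones, which is exactly the difference the CIDR and IPv6 columns above encode; a /8 expanded to individual addresses would be over 16 million lines, which is why the /16 cap exists.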

Next Steps

  • Connect the generated EDL URL to your firewall using the relevant integration guide.
  • Manage rules and rulesets programmatically via the EDL API.