When processing log files uploaded your IP devices, ThreatSTOP’s software determines the internal and external IP addresses in each log entry based on:

  • Metadata available in the log files.
  • Interface settings.
  • The presence of private IP addresses.
  • The presence of IP addresses on the same subnet as the filtering device.

This feature doesn’t apply to DNS Firewalls.

In the rare case when the firewall logs don’t contain enough information to determine which IP addresses are internal, you can use this the Customer Networks feature to configure the list of your external IP subnets. This is usually only required if the firewall logs:

  • Contain public IP addresses as both source and destination addresses.
  • and don’t provide meta data to identify which IP is internal or external.

The list will be used as a hint by the ThreatSTOP log parsers to determine which IP address is yours. The list is used when parsing networks from all your devices.

Note that configuring your networks is typically not required, and in the majority of cases, the metadata or IP addresses in the logs are enough to perform the auto-detection. If the ThreatSTOP reporting software isn’t able to make this determination, the location of IP addresses (internal/external) will be incorrect in the ThreatSTOP reports.

User interface

The Customer Networks page can be use to add subnet entries with an optional comment. They must be correctly aligned CIDR blocks. If you have a large number of networks, you can paste it or upload a CSV. Both options require the subnet, and will accept an optional comment after a comma.