Nexapp - InstaShield IP
InstaShield IP
NexappOS includes multiple security engines and integrations to defend against internet-borne threats. InstaShield IP is the IP-reputation protection layer: it blocks traffic coming from known compromised IP addresses, going to them, or targeting suspicious hostnames that are associated with malicious activity.
The service can use community-maintained threat feeds or, where available, enterprise-grade feeds that are updated very frequently and curated by professional threat-intelligence providers. Enterprise feeds are designed for high accuracy and confidence, helping reduce false positives while keeping protection current.
Note: Enterprise feeds require an active subscription and a valid entitlement for InstaShield IP.
Configuration
InstaShield IP is disabled by default. To enable it:
- Go to Security → InstaShield IP.
- Open the Settings tab.
- Turn Status to On.
When enabled, the Blocklist feeds tab shows all available lists.
You can enable or disable each list using the switch on the right. Active feeds update automatically at regular intervals.
NexappOS supports both Community and Enterprise feeds.
Community blocklists
Community feeds are contributed and maintained by third-party communities. They typically cover areas such as:
- malware and botnet sources
- spam and abuse networks
- ads and trackers
- generic suspicious infrastructure
These lists are provided “as-is”. Licensing terms vary by provider, so if usage is non-personal or commercial, verify the provider’s license.
Community list maintenance
Each community list is maintained by its own provider. Feed URLs are bundled in NexappOS at release time. If a provider changes a URL later, that list may become temporarily unavailable until updated.
Enterprise blocklists
Subscription required
Enterprise feeds focus strictly on security and provide clear advantages:
- Higher quality and accuracy: Professionally curated and continuously validated.
- Faster threat response: Feeds are frequently refreshed to include emerging threats.
- Lower risk of false positives: Entries are verified before publishing, reducing disruption to legitimate services.
- Enterprise support readiness: Designed for large or mission-critical environments.
Enterprise feeds appear in the UI only when the device has an active subscription and entitlement.
Logging
InstaShield IP includes granular logging to help monitor and audit blocked traffic.
In Logging, you can choose which blocked packets to record:
- Log packets blocked in pre-routing chain: Logs packets dropped before routing decisions.
- Log packets blocked in input chain: Logs packets aimed at NexappOS itself. (May generate many logs under heavy attack.)
- Log packets blocked in forward chain: Logs routed packets blocked while passing through NexappOS.
- Log packets blocked forwarded from LAN: Logs blocked traffic originating from internal networks.
These options also expose metrics in real-time and historical monitoring.
Local allowlist
Sometimes a reputation feed may block something you trust.
Use Local allowlist to always permit specific addresses:
- Open the Local allowlist tab.
- Click Add address.
- Enter an address and optional comment.
Accepted formats:
- IPv4 address: 192.168.0.1
- IPv6 address: 2001:db8:85a3::8a2e:370:7334
- CIDR network: 192.168.0.0/24
- MAC address: 00:0a:95:9d:68:16
- Fully qualified hostname: example.com
Add a comment to document why the entry is trusted.
Local blocklist
Local blocklist is a manual “always deny” list. It lets you block addresses regardless of feed status.
To add entries:
- Open the Local blocklist tab.
- Click Add address.
- Enter the address and a short description.
Syntax is the same as the allowlist.
Use clear comments to support future audits.
Block brute-force attacks
When InstaShield IP is enabled, NexappOS can automatically detect and stop brute-force login attempts against gateway services. By default, it watches:
- SSH access
- Web UI login
To configure:
- Go to Settings → Block brute force attacks.
- Toggle the feature On/Off as required.
You can tune:
- Ban after N failed accesses: Number of failed logins before banning an IP. Lower values increase security but may increase false positives.
- Patterns to detect attacks: Log patterns that identify brute-force events, for example:
  - Exit before auth from (SSH)
  - authentication failed for user (Web UI)
  - TLS Auth Error, TLS handshake failed, AUTH_FAILED (VPN)
  Add patterns using Add pattern. Each pattern supports grep-style regex.
- Ban time: Duration an IP stays banned (default commonly 30 minutes). Adjust to match your security policy.
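The effect of a threshold and pattern set can be previewed offline before changing the gateway settings. The following is an added example, not NexappOS code: it counts lines matching the example patterns above per source IP in a constructed log sample and lists the sources that would reach a given N. The log layout, the function names and the rule that the first IPv4 address on a matching line is the source are assumptions, and no time window is modelled.

```shell
#!/bin/sh
# Added example, not NexappOS code: offline preview of a ban threshold.

# Patterns quoted on the page, joined into one extended regex for grep -E.
PATTERNS='Exit before auth from|authentication failed for user|TLS Auth Error|TLS handshake failed|AUTH_FAILED'

# Constructed log lines (documentation address ranges; line layout is assumed).
sample_log() {
cat <<'EOF'
Jan 10 10:00:01 fw dropbear[2101]: Exit before auth from <203.0.113.5:51122>: Max auth tries reached
Jan 10 10:00:04 fw dropbear[2102]: Exit before auth from <203.0.113.5:51130>: Max auth tries reached
Jan 10 10:00:09 fw dropbear[2103]: Exit before auth from <203.0.113.5:51144>: Max auth tries reached
Jan 10 10:01:12 fw webui[880]: authentication failed for user admin from 198.51.100.7
Jan 10 10:01:15 fw webui[880]: authentication failed for user admin from 198.51.100.7
Jan 10 10:02:30 fw openvpn[1500]: 192.0.2.44:40112 TLS Auth Error: Auth Username/Password verification failed
Jan 10 10:03:00 fw webui[880]: login succeeded for user admin from 198.51.100.20
EOF
}

# failed_counts: log on stdin -> "COUNT IP" per source with a matching line.
# Assumption: the first IPv4 address on a matching line is the source.
failed_counts() {
    grep -E "$PATTERNS" |
    awk 'match($0, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/) {
             count[substr($0, RSTART, RLENGTH)]++
         }
         END { for (ip in count) print count[ip], ip }' |
    sort -k2
}

# would_ban N: log on stdin -> sources with at least N matching lines.
would_ban() {
    failed_counts | awk -v n="$1" '$1 >= n { print $2 }'
}

echo "Counts per source:"; sample_log | failed_counts
echo "Banned at N=3:";     sample_log | would_ban 3
echo "Banned at N=2:";     sample_log | would_ban 2
```

Lowering N from 3 to 2 adds the Web UI source to the result, which is the kind of change to check against known legitimate clients before applying it.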
CLI quick operations
Show all blocked IPv4 addresses:
    /etc/init.d/banip survey blocklistv4
Search for one IP:
    /etc/init.d/banip search IP_ADDRESS
Remove a ban:
    nft delete element inet banIP blocklistv4 { IP_ADDRESS }
Use blocklistv6 for IPv6 addresses.
Block DoS attacks
InstaShield IP also provides WAN-side DoS protection. It detects excessive traffic patterns and temporarily blocks them until conditions normalize.
Available protections:
- Block ICMP DoS: Limits ICMP floods to 100 packets/sec.
- Block TCP SYN DoS: Limits new TCP connection bursts to 10 connections/sec.
- Block UDP DoS: Limits UDP floods to 100 packets/sec.
These protections are focused on inbound WAN traffic and help keep services reachable during volumetric attacks.