Monday, April 15, 2019

PaloAlto - Dynamic Block List – Part 1

PaloAlto - External Dynamic Block List – Part 1

In Part 1 we cover the basic settings for a Dynamic Block List and how to configure them.

What is an External Dynamic Block List?

It is a file hosted on an external resource and reachable over HTTP or HTTPS. The file contains IP addresses, URLs or domains pulled from that external resource. We can set how often the firewall pulls the file from the hosted URL path by adjusting the "Repeat" drop-down list, which offers the following settings: Hourly, Five Minutes, Daily, Weekly, Monthly.

Types of External Dynamic List:

  1. Predefined IPs - If you have a Threat Prevention license, the firewall automatically updates the following lists for you: "Palo Alto Networks - Known malicious IP addresses" and "Palo Alto Networks - High risk IP addresses".
  2. IPs - Static IP objects that you define yourself. You can add them manually for special events.
  3. URL - A list of URLs, treated like a URL category that can be used in Security policy rules, Decryption policy rules, and QoS policy rules.
  4. Domain - A list of domains that can be used to block malicious domains.

Please be aware that there is a limit to how many IPs a firewall can hold at any given time.

  1. Higher-end models (PA-500, 5200, 7000 series) can hold 150,000 IP addresses in total.
  2. Lower-end models can hold 50,000 IP addresses in total.
  3. URLs - can hold 50,000 URLs.
  4. Domains - can hold 50,000 domains.

Let's get our hands dirty:
In this example we will fetch a list hosted online.

Step 1:

Objects > External Dynamic Lists > ADD

Create a Dynamic List. Depending on the list provided at the HTTP or HTTPS link, the "Type" will need to be changed:

Click on "Test Source URL" to check whether the PaloAlto can reach the website hosting the list.
This is what you should see once the dynamic list has been pulled down from the website.

Let's go check our list.
Ah! It's empty. That is because you must add it to a security rule first; after it has been applied to a security rule, the list will be fetched and updated.

Step 2:

Let's go to our Security Rules:

Click on Security > Add.
Create a new rule that will BLOCK traffic for the External Dynamic List and select the list as the Destination Address.

Put the rule above your existing allow rule for web traffic.

After you have committed your configuration, go back to the list.

Now you can see the entries 😊

Let's go test:
I typed in the first IP from BlockList1 and crossed my fingers..... it blocked it.. lol 😊

For more compatible lists go to:

SpamHaus Drop:
DROP (Don't Route Or Peer) and EDROP are advisory "drop all traffic" lists, consisting of stolen 'hijacked' netblocks and netblocks controlled entirely by criminals and professional spammers. Spamhaus (c) data used with permission
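If you host your own list for the firewall to fetch, feeds such as Spamhaus DROP need a little normalising first: DROP lines carry a trailing "; SBL..." comment, and the entry count has to stay under the IP limits listed above. The script below is an added example written for this post, not code from the blog or from Palo Alto Networks; it assumes the feed uses "CIDR ; comment" lines and that the firewall accepts one IP or CIDR per line, and the sample feed and SBL ids are constructed placeholders.

```python
"""Normalise a Spamhaus-DROP-style feed into a plain EDL IP file.
Constructed example, not the blog's own code. Assumptions: upstream lines look
like 'CIDR ; comment', the firewall reads one IP/CIDR per line, and the
capacity figures are the ones quoted in the post (50,000 / 150,000 IPs)."""
import ipaddress

# Capacity per the post: 50,000 IPs on lower-end models, 150,000 on higher-end.
EDL_IP_LIMITS = {"low": 50_000, "high": 150_000}

# Constructed sample feed in DROP style (SBL ids are placeholders, not real).
SAMPLE_FEED = """\
; Spamhaus DROP List (constructed sample)
; Last-Modified: placeholder
192.0.2.0/24 ; SBL-PLACEHOLDER-1
198.51.100.0/24 ; SBL-PLACEHOLDER-2
192.0.2.0/24 ; SBL-PLACEHOLDER-1 (duplicate line)
203.0.113.5 ; single host, no prefix length
not-an-address ; SBL-PLACEHOLDER-3
2001:db8::/32 ; IPv6 entry
"""


def parse_drop_feed(text):
    """Return (entries, rejected): entries are de-duplicated IPv4/IPv6 networks
    in first-seen order, rejected are raw lines that did not parse as an
    address or CIDR. Text after ';' or '#' and blank lines are ignored."""
    entries, seen, rejected = [], set(), []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].split("#", 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            rejected.append(raw)
            continue
        if net not in seen:
            seen.add(net)
            entries.append(net)
    return entries, rejected


def build_edl(text, model="low"):
    """Render the EDL body (one network per line) and check it fits the
    model's IP-entry limit. Returns (edl_text, entry_count, fits_limit)."""
    entries, _ = parse_drop_feed(text)
    body = "\n".join(str(n) for n in entries) + "\n"
    return body, len(entries), len(entries) <= EDL_IP_LIMITS[model]


if __name__ == "__main__":
    edl, count, ok = build_edl(SAMPLE_FEED)
    print(edl, f"{count} entries, within limit: {ok}")
```

Serve the rendered file over HTTPS and point the EDL's Source at it; lines that land in `rejected` are worth logging, since a malformed line is the usual reason a list loads with fewer entries than expected.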

Thank you
