Add an external dynamic list to a URL Filtering profile
or policy to specify sites you want to exclude from URL category
policy enforcement.
Where can I use this? | What do I need?
- Prisma Access (Managed by Strata Cloud Manager)
- Prisma Access (Managed by Panorama)
- NGFW (Managed by Strata Cloud Manager)
- NGFW (Managed by PAN-OS or Panorama)
An external dynamic list is a text file that
is hosted on an external web server. You can use this list to import
URLs and enforce policy on these URLs. The firewall dynamically
imports the list at the configured interval and enforces policy
for the URLs (IP addresses or domains are ignored) in the list.
When the list is updated on the web server, the firewall retrieves
the changes and applies policy to the modified list without requiring
a commit on the firewall.
Use an External Dynamic List in a URL Filtering Profile (Strata Cloud Manager)
If you’re using Panorama to manage Prisma Access:
Toggle over to the PAN-OS & Panorama tab and follow the guidance
there.
If you’re using Strata Cloud Manager, continue here.
- Enable Prisma Access to reference an external dynamic list.
An external dynamic list allows you to define an imported list of IP
addresses, URLs, or domain names that you can use in policy rules to block
or allow traffic.
To set up an external dynamic list, go to :
- Ensure that the list does not include IP addresses or domain names; the
firewall skips non-URL entries.
- Use the custom URL list
guidelines to verify the list’s formatting.
- Specify the List Type as URL
List.
- Use the external dynamic list with URL Filtering.
Go to.
You can also use
external dynamic lists to create custom URL categories (return to
the URL Access Management dashboard to do this).
If a URL that is included in an external dynamic list is also included in
a custom URL category, or block and allow list, the action specified in the
custom category takes precedence over the external dynamic list.
- Test that the policy action is enforced.
- View the external dynamic list entries ()
and try to access a URL from the list.
- Verify that the action you defined is enforced in
the browser.
Use an External Dynamic List in a URL Filtering Profile (PAN-OS & Panorama)
- Configure the firewall to access
an external dynamic list.
- Ensure that the list does not include IP addresses
or domain names; the firewall skips non-URL entries.
- Use the custom URL list
guidelines to verify the list’s formatting.
- Select URL List from the Type drop-down.
- Use the external dynamic list in a URL Filtering profile.
- Select .
- Add or modify an existing URL
Filtering profile.
- Name the profile and, in the Categories tab,
select the external dynamic list from the Category list.
- Click Action to select a more granular action for
the URLs in the external dynamic list.
If a URL that is included in an external dynamic list is also included in
a custom URL category, or block and allow list, the action specified in the
custom category takes precedence over the external dynamic list.
- Click OK.
- Attach the URL Filtering profile to a Security policy
rule.
Select .
Select the Actions tab and, in the
Profile Setting section, select the new profile in the URL Filtering drop-down.
Click OK and Commit your changes.
- Test that the policy action is enforced.
- View the external dynamic list
entries and try to access a URL from the list.
- Verify that the action you defined is enforced in
the browser.
- To monitor the activity on the firewall:
Select ACC and
add a URL Domain as a global filter to view the Network Activity
and Blocked Activity for the URL you accessed.
Select to access the
detailed log view.
- Verify whether entries in the external dynamic list were
ignored or skipped.
In a list of type URL, the firewall skips non-URL entries
as invalid and ignores entries that exceed the maximum limit for
the firewall model.
To check whether you
have reached the limit for an external dynamic list type, select and
click List Capacities.
Use the following CLI command on a firewall to review the details for a list.
request system external-list show type url name <list_name>
For example:
request system external-list show type url name My_URL_List
vsys5/My_URL_List:
Next update at: Tue Jan 3 14:00:00 2017
Source: http://example.com/My_URL_List.txt
Referenced: Yes
Valid: Yes
Auth-Valid: Yes
Total valid entries: 3
Total invalid entries: 0
Valid urls:
www.URL1.com
www.URL2.com
www.URL3.com
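
The following is an added example, not part of the original documentation and not Palo Alto Networks code. It parses the list-details output shown above and reports the conditions this page tells you to verify (list not referenced or not valid, entries skipped as invalid), plus a plaintext HTTP source, which lets the list be altered in transit. The function names parse_edl_status and edl_findings are hypothetical, and the field names are assumed to match the sample output on this page.

```python
# PAGE_SAMPLE is the CLI output shown on this page, embedded so the script runs offline.
PAGE_SAMPLE = """\
vsys5/My_URL_List:
Next update at: Tue Jan 3 14:00:00 2017
Source: http://example.com/My_URL_List.txt
Referenced: Yes
Valid: Yes
Auth-Valid: Yes
Total valid entries: 3
Total invalid entries: 0
Valid urls:
www.URL1.com
www.URL2.com
www.URL3.com
"""

def parse_edl_status(text):
    """Parse the list-details output into name, key/value fields and URLs."""
    status = {"name": None, "fields": {}, "urls": []}
    in_urls = False
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if in_urls:
            status["urls"].append(line)
        elif line.lower() == "valid urls:":
            in_urls = True  # every following line is a list entry
        elif status["name"] is None and line.endswith(":"):
            status["name"] = line[:-1]  # first line, e.g. vsys5/My_URL_List
        else:
            key, _, value = line.partition(":")  # split on the first colon only
            status["fields"][key.strip()] = value.strip()
    return status

def edl_findings(status):
    """Return the conditions an operator should investigate."""
    f, out = status["fields"], []
    for flag in ("Referenced", "Valid", "Auth-Valid"):
        if f.get(flag, "").lower() != "yes":
            out.append(f"{flag} is {f.get(flag, 'missing')!r}")
    invalid = int(f.get("Total invalid entries", "0") or 0)
    if invalid:
        out.append(f"{invalid} entries skipped as invalid")
    if f.get("Source", "").lower().startswith("http://"):
        out.append("list is fetched over plaintext HTTP")
    return out

if __name__ == "__main__":
    print(edl_findings(parse_edl_status(PAGE_SAMPLE)))
```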