Use an External Dynamic List in a URL Filtering Profile (PAN-OS & Panorama)

  1. Configure the firewall to access an external dynamic list.
    • Ensure that the list does not include IP addresses or domain names; the firewall skips non-URL entries.
    • Use the custom URL list guidelines to verify the list’s formatting.
    • Select URL List from the Type drop-down.
  2. Use the external dynamic list in a URL Filtering profile.
    1. Select Objects > Security Profiles > URL Filtering.
    2. Add or modify an existing URL Filtering profile.
    3. Name the profile and, in the Categories tab, select the external dynamic list from the Category list.
    4. Click Action to select a more granular action for the URLs in the external dynamic list.
      If a URL in an external dynamic list is also included in a custom URL category or in a block and allow list, the action specified in the custom category takes precedence over the external dynamic list.
    5. Click OK.
    6. Attach the URL Filtering profile to a Security policy rule.
      1. Select Policies > Security.
      2. Select the Actions tab and, in the Profile Setting section, select the new profile in the URL Filtering drop-down.
      3. Click OK and Commit your changes.
  3. Test that the policy action is enforced.
    1. View the external dynamic list entries and try to access a URL from the list.
    2. Verify that the action you defined is enforced in the browser.
    3. To monitor the activity on the firewall:
      1. Select ACC and add a URL Domain as a global filter to view the Network Activity and Blocked Activity for the URL you accessed.
      2. Select Monitor > Logs > URL Filtering to access the detailed log view.
  4. Verify whether entries in the external dynamic list were ignored or skipped.
    In a list of type URL, the firewall skips non-URL entries as invalid and ignores entries that exceed the maximum limit for the firewall model.
    To check whether you have reached the limit for an external dynamic list type, select Objects > External Dynamic Lists and click List Capacities.
    Use the following CLI command on a firewall to review the details for a list.
    request system external-list show type url name <list_name> 
    For example:
    request system external-list show type url name My_URL_List
    vsys5/My_URL_List: 
    Next update at: Tue Jan 3 14:00:00 2017 
    Source: http://example.com/My_URL_List.txt 
    Referenced: Yes 
    Valid: Yes 
    Auth-Valid: Yes 
    
    Total valid entries: 3 
    Total invalid entries: 0 
    Valid urls: 
    www.URL1.com 
    www.URL2.com 
    www.URL3.com