End-of-Life (EoL)

Step 1: Create Rules Based on Trusted Threat Intelligence Sources

Before you allow and block traffic by application, block traffic to and from IP addresses that Palo Alto Networks and trusted third-party sources have shown to be malicious. The rules below keep your network protected against the IP addresses in the Palo Alto Networks malicious IP address feeds and other feeds, which are compiled and updated dynamically from the latest threat intelligence.
  1. Block traffic to and from IP addresses that Palo Alto Networks has identified as malicious.
    Why do I need these rules?
    Rule Highlights
    • This rule protects you against IP addresses that Palo Alto Networks has proven to be used almost exclusively to distribute malware, initiate command-and-control activity, and launch attacks.
    • One rule blocks outbound traffic to known malicious IP addresses, while another rule blocks inbound traffic from those addresses.
    • Set the external dynamic list Palo Alto Networks - Known malicious IP addresses as the Destination address for the outbound traffic rule, and as the Source address for the inbound traffic rule.
    • Deny traffic that matches these rules.
    • Enable logging for traffic matching these rules so that you can investigate potential threats on your network.
    • Because these rules are intended to catch malicious traffic, they match traffic from any user on any port.
  2. Block and log traffic to and from high-risk IP addresses from trusted threat advisories.
    Why do I need these rules?
    Rule Highlights
    Although Palo Alto Networks has no direct evidence that the IP addresses in the high-risk IP address feed are malicious, threat advisories have linked them to malicious behavior.
    • Block and log the traffic as shown in this example.
    • If you must allow a high-risk IP address for business reasons, create a Security policy rule that allows only that IP address and place it in front of the high-risk IP address block rule in the rulebase. Closely monitor and log any high-risk IP addresses that you choose to allow.
    • One rule logs blocked outbound traffic to high-risk IP addresses and another rule logs blocked inbound traffic to those addresses.
    • Set the external dynamic list Palo Alto Networks - High risk IP addresses as the Destination address for the outbound traffic rule and as the Source address for the inbound traffic rule.
    • If you allow the traffic, apply best practice Security profiles.
    • Because these rules are intended to block malicious traffic, they match traffic to and from any user, on any port, and for any application.
  3. (MineMeld users only) Block inbound traffic from IP addresses that trusted third-party feeds have identified as malicious.
    Why do I need this rule?
    Rule Highlights
    • Block traffic from malicious IP addresses based on block lists compiled by Spamhaus and the Internet Storm Center, a branch of the SANS Institute. The lists contain IP addresses that attackers use to spread malware, Trojans, and botnets, and to carry out large-scale infrastructure attacks.
    • To enforce this rule:
      1. Use MineMeld to forward the IP addresses from the spamhaus.DROP, spamhaus.EDROP, and dshield.block sources (known as miners in MineMeld) to an external dynamic list.
      2. Configure the firewall to access an external dynamic list, using the URL that MineMeld provides for the list.
      3. Set the external dynamic list as the Source address for the rule.
    • Use the Drop action to silently drop the traffic without sending a signal to the client or the server.
    • Enable logging for traffic matching this rule so that you can investigate misuse of applications and potential threats on your network.
    • Because this rule is intended to catch malicious traffic, it matches traffic from any user on any port.
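The three steps above depend on two things that are easy to get wrong when the rules are built by hand: the rules must match on addresses alone (user, port and application set to any), and any business exception for a high-risk address must sit above the high-risk block rule, because the Security rulebase is first-match. The following Python model is an added example, not code from Palo Alto Networks or MineMeld. It parses constructed stand-ins for the three dynamic lists (one IP, CIDR or IP range per line, `#` for comments), builds the rulebase in the order of steps 1-3, evaluates sample flows against it, and flags an exception rule that an earlier block rule would shadow. The rule names, the sample addresses, and the final `Allow-By-Application` stand-in for the later application-based rules are all assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed stand-ins for the dynamic lists. On a firewall these are fetched
# and refreshed automatically; the format is one IP, CIDR or IP range per
# line, with '#' starting a comment.
KNOWN_MALICIOUS_EDL = """\
# Palo Alto Networks - Known malicious IP addresses (constructed sample)
198.51.100.7
203.0.113.0/24
"""
HIGH_RISK_EDL = """\
# Palo Alto Networks - High risk IP addresses (constructed sample)
192.0.2.10-192.0.2.20
198.51.100.128/25
"""
THIRD_PARTY_EDL = """\
# MineMeld output of spamhaus.DROP, spamhaus.EDROP, dshield.block (constructed)
192.0.2.128/25
"""


def parse_edl(text):
    """Parse an EDL IP list body into ip_network objects (ranges are expanded)."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "-" in line:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in line.split("-", 1))
            nets.extend(ipaddress.summarize_address_range(lo, hi))
        else:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def in_edl(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


@dataclass
class Rule:
    name: str
    action: str                                # allow, deny or drop
    src: list = field(default_factory=list)    # EDL networks; empty = any
    dst: list = field(default_factory=list)

    def matches(self, src_ip, dst_ip):
        # User, port and application are all "any" on these rules, so the
        # addresses alone decide the match.
        return ((not self.src or in_edl(src_ip, self.src)) and
                (not self.dst or in_edl(dst_ip, self.dst)))


def build_rulebase(exception_ip=None, exception_before_block=True):
    """Rules in the order of steps 1-3, with an optional business exception."""
    known, risk, third = (parse_edl(t) for t in
                          (KNOWN_MALICIOUS_EDL, HIGH_RISK_EDL, THIRD_PARTY_EDL))
    exception = ([Rule("Allow-Partner-High-Risk-IP", "allow", dst=parse_edl(exception_ip))]
                 if exception_ip else [])
    high_risk = [Rule("Block-Outbound-High-Risk", "deny", dst=risk),
                 Rule("Block-Inbound-High-Risk", "deny", src=risk)]
    return ([Rule("Block-Outbound-Known-Malicious", "deny", dst=known),
             Rule("Block-Inbound-Known-Malicious", "deny", src=known)]
            + (exception + high_risk if exception_before_block else high_risk + exception)
            + [Rule("Drop-Inbound-Third-Party", "drop", src=third),
               Rule("Allow-By-Application", "allow")])  # stand-in for later app rules


def evaluate(rulebase, src_ip, dst_ip):
    """First matching rule wins, as in the PAN-OS Security rulebase."""
    for rule in rulebase:
        if rule.matches(src_ip, dst_ip):
            return rule.name, rule.action
    return "interzone-default", "deny"


def shadowed_exceptions(rulebase):
    """(allow rule, earlier block rule) pairs where the block would fire first."""
    found = []
    for i, rule in enumerate(rulebase):
        if rule.action != "allow" or not rule.dst:
            continue
        probe = str(rule.dst[0].network_address)
        for earlier in rulebase[:i]:
            if earlier.action != "allow" and earlier.dst and in_edl(probe, earlier.dst):
                found.append((rule.name, earlier.name))
    return found


if __name__ == "__main__":
    good = build_rulebase("192.0.2.15", exception_before_block=True)
    bad = build_rulebase("192.0.2.15", exception_before_block=False)
    print(evaluate(good, "10.0.0.5", "192.0.2.15"))  # allowed by the exception
    print(evaluate(bad, "10.0.0.5", "192.0.2.15"))   # exception is shadowed
    print(shadowed_exceptions(bad))
```

Running the script shows the same flow to the excepted high-risk address being allowed when the exception precedes the block rule and denied when it follows it; `shadowed_exceptions` reports the latter case, which is the check worth running against an exported rulebase before committing an exception.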
