Learn how to configure intelligent feed on your Cloud NGFW resource.
| Where Can I Use This? | What Do I Need? |
|---|
|
|
- Cloud NGFW subscription
- Palo Alto Networks Customer Support Account (CSP)
- AWS Marketplace account
- User role (either tenant or administrator)
|
A security rule object is a single object or collective unit that groups
discrete identities such as IP addresses, fully-qualified domain names (FQDN),
intelligent feeds, or certificates. Typically, when creating a policy object, you
group objects that require similar permissions in policy. For example, if your
organization uses a set of server IP addresses for authenticating users, you can
group the set of server IP addresses as a prefix list object and reference that
prefix list in one or more security rule. Group object allows you to significantly
reduce the administrative overhead in creating rules.
An intelligent feed, also called an external dynamic list, is a list that you or
third-parties can host on an external web server. You can specify the Intelligence
Feed as the source or destination of your security rule. The NGFW checks the hosted
list at hourly or daily intervals, and enforces your security rules based on the
latest entries on your list, without requiring you to make any configuration changes.
Intelligent Feed—an intelligent feed, also called an external
dynamic list (EDL), is an ongoing stream of data related to potential or
current threats to an organization’s security. An intelligent feed
records and tracks IP addresses and URLs that are associated with
threats such as phishing scams, malware, bots, spyware, ransomware, and
more.
Cloud NGFW includes four built-in intelligent feeds.
Palo Alto Networks Bulletproof IP Addresses—Contains IP
addresses provided by bulletproof hosting providers. Because
bulletproof hosting providers place few, if any, restrictions on
content, attackers frequently use these services to host and
distribute malicious, illegal, and unethical material.
Palo Alto Networks High-Risk IP Addresses—Contains
malicious IP addresses from threat advisories issued by trusted
third-party organizations. Palo Alto Networks compiles the list
of threat advisories, but does not have direct evidence of the
maliciousness of the IP addresses.
Palo Alto Networks Known Malicious IP Addresses—Contains
IP addresses that are verified malicious based on WildFire
analysis, Unit 42 research, and data gathered from telemetry.
Attackers use these IP addresses almost exclusively to
distribute malware, initiate command-and-control activity, and
launch attacks.
Palo Alto Networks Tor Exit IP Addresses—Contains IP
addresses supplied by multiple providers and validated with Palo
Alto Networks threat intelligence data as active Tor exit nodes.
Traffic from Tor exit nodes can serve a legitimate purpose,
however, is disproportionately associated with malicious
activity, especially in enterprise environments.
You can connect your NGFW with Palo Alto Networks built-in intelligence
feeds and third-party intelligent feeds to provide up-to-date
information about threats to your network. If the connection requires
specifying decryption certificates, you can configure Cloud NGFW to use
a Cloud NGFW Certificate object described below.
For IP and URL lists:
IP List—Enforce policy for a list of source or destination IP
addresses that emerge ad hoc by using an intelligent feed of type IP address
as the source or destination address object in policy rules and configure
the NGFW to deny or allow access to the IP addresses included in the list.
The NGFW treats an IP List intelligent feed as an address object, and all IP
addresses included are handled as one address object.
The intelligent feed can include individual IP addresses, subnet addresses
(address/mask), or range of IP addresses. In addition, the block list can
include comments and special characters such as * , : , ; , #, or /. The
syntax for each line in the list is [IP address, IP/Mask, or IP
start range-IP end range] [space] [comment].
Enter each IP address/range/subnet in a new line; URLs or domains are not
supported in this list. A subnet or an IP address range, such as
92.168.20.0/24 or 192.168.20.40-192.168.20.50, count as one IP address entry
and not as multiple IP addresses. If you add comments, the comment must be
on the same line as the IP address/range/subnet. The space at the end of the
IP address is the delimiter that separates a comment from the IP address
An example IP address list:
192.168.20.10/32
2001:db8:123:1::1 #test IPv6 address
192.168.20.0/24 ; test internal subnet
2001:db8:123:1::/64 test internal IPv6 range
192.168.20.40-192.168.20.50
URL List—Protect your network from new sources of threat or malware
using URLs. The NGFW handles an intelligent feed with URLs like a custom URL
category. For more information on the formatting of URL list, see
Cloud NGFW on AWS Advanced URL Filtering.
