Network Security
PAN-OS & Panorama
Table of Contents
Expand All
|
Collapse All
Network Security Docs
PAN-OS & Panorama
Learn how to block or allow traffic based on IP addresses or URLs in an external
dynamic list, or use a dynamic domain list with a DNS sinkhole to prevent access to
malicious domains.
Block or allow traffic based on IP addresses or URLs in an external dynamic list, or
use a dynamic domain list with a DNS sinkhole to prevent access to malicious
domains.
Tips for enforcing policy on the firewall with external dynamic lists:
- When viewing external dynamic lists on the firewall (), clickObjectsExternal Dynamic ListsList Capacitiesto compare how many IP addresses, domains, and URLs are currently used in policy with the total number of entries that the firewall supports for each list type.
- Use Global Find to Search the Firewall or Panorama Management Server for a domain, IP address, or URL that belongs to one or more external dynamic lists is used in policy. This is useful for determining which external dynamic list (referenced in a Security policy rule) is causing the firewall to block or allow a certain domain, IP address, or URL.
- Use the directional controls at the bottom of the page to change the evaluation order of EDLs. This allows you to or order the lists to make sure the most important entries in an EDL are committed before capacity limits are reached.You can only change the EDL order whenGroup By Typeis deselected.
- Use an External Dynamic List of Type URL as Match Criteria in a Security Security Rule.
- Select.PoliciesSecurity
- ClickAddand enter a descriptiveNamefor the rule.
- In theSourcetab, select theSource Zone.
- In theDestinationtab, select theDestination Zone.
- In theService/URL Categorytab, clickAddto select the appropriate external dynamic list from the URL Category list.
- In theActionstab, set theAction SettingtoAlloworDeny.
- ClickOKandCommit.
- Verify whether entries in the external dynamic list were ignored or skipped.Use the following CLI command on a firewall to review the details for a list.request system external-list show type<domain|ip|url> name_of_listFor example:request system external-list show type url EBL_ISAC_Alert_List
- Test that the policy action is enforced.
- View External Dynamic List Entries for the URL list, and attempt to access a URL from the list.
- Verify that the action you defined is enforced.
- To monitor the activity on the firewall:
- SelectACCand add a URL Domain as a global filter to view the Network Activity and Blocked Activity for the URL you accessed.
- Selectto access the detailed log view.MonitorLogsURL Filtering
- Use an IP External Dynamic List or Predefined IP External Dynamic List as a Source or Destination Address Object in a Security Rule.This capability is useful if you deploy new servers and want to allow access to the newly deployed servers without requiring a firewall commit.
- Select.PoliciesSecurity
- ClickAddand give the rule a descriptiveName.
- In theSource/Destinationtabs, set the external dynamic list to be used as theSource/Destination Address(es).
- In the Service/ URL Category tab, make sure theServiceis set toapplication-default.
- In the Actions tab, set the Action Setting toAlloworDeny.Create separate external dynamic lists if you want to specify allow and deny actions for specific IP addresses.
- Leave all the other options at the default values.
- ClickOKto save the changes.
- Committhe changes.
- Test that the policy action is enforced.
- View External Dynamic List Entries for the external dynamic list, and attempt to access an IP address from the list.
- Verify that the action you defined is enforced.
- Selectand view the log entry for the session.MonitorLogsTraffic
- To verify the security rule that matches a flow, select, and execute a Security Policy Match test:DeviceTroubleshooting
- Use a Predefined URL External Dynamic List to exclude benign domains that applications use for background traffic from Authentication policy.When you select thepanw-auth-portal-exclude-listEDL type, you can easily exclude from Authentication policy enforcement the domains that many applications use for background traffic, such as updates and other trusted services. This ensures that the firewall does not block the necessary traffic for these services and application maintenance is not interrupted.
- Select.PoliciesAuthentication
- On theService/URL Categorytab, select the Predefined URL EDL as theURL Category.
- On theActionstab, selectdefault-no-captive-portalas theAuthentication Enforcement.
- ClickOK.
- Movethe rule to the top so that it's the first rule in the policy.
- Commityour changes.