Network Security
PAN-OS & Panorama
Table of Contents
Expand All
|
Collapse All
Network Security Docs
PAN-OS & Panorama
View the contents of an external dynamic list directly on the firewall to check if it
contains certain IP addresses, domains, or URLs.
- Select.ObjectsExternal Dynamic Lists
- Click the external dynamic list you want to view.
- ClickList Entries and Exceptionsand view the objects that the firewall retrieved from the list.The list might be empty if:
- The EDL has not yet been applied to a Security rule. To apply an EDL to a Security rule and populate the EDL, see Enforce Policy on an External Dynamic List.
- The firewall has not yet retrieved the external dynamic list. To force the firewall to retrieve an external dynamic list immediately, Retrieve an External Dynamic List from the Web Server.
- The firewall is unable to access the server that hosts the external dynamic list. ClickTest Source URLto verify that the firewall can connect to the server.
- Enter an IP address, domain, or URL (depending on the type of list) in the filter field and Apply Filter (
Exclude Entries from an External Dynamic List
As you view the entries of an external dynamic list, you can exclude up to 100
entries from the list. The ability to exclude entries from an external dynamic
list gives you the option to enforce policy on some (but not all) of the entries
in a list. This is helpful if you cannot edit the contents of an external
dynamic list (such as the Palo Alto Networks High-Risk IP Addresses feed)
because it comes from a third-party source.
Follow these steps to exclude entries from an external dynamic list to enforce
policy on some (but not all) of the entries in a list.
- Select up to 100 entries to manually exclude from the list or manually add a list exception.
- You cannot save your changes to the external dynamic list if you have duplicate entries in the Manual Exceptions list. To identify duplicate entries, look for entries with a red underline.
- A manual exception must match a list entry exactly. Additionally, you cannot exclude a specific IP address from within an IP address range. To exclude a specific IP address from an IP address range, you must add each IP address in the range as a list entry and then exclude the desired IP address.Exclusion of an individual IP address from an IP address range is not supported.
- Save your changes.
- (Optional) Enforce Policy on an External Dynamic List.