Configure Your Environment to Access an External Dynamic List
With an active Threat Prevention license, Palo Alto Networks provides built-in IP address EDLs that you can use to protect against malicious hosts.
Where Can I Use This?
  • NGFW (Cloud Managed)
  • NGFW (PAN-OS & Panorama Managed)
  • Prisma Access (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Panorama)
What Do I Need?
  Check for any license or role requirements for the products you're using.
Configuring your environment to access an external dynamic list (EDL) is a critical part of optimizing network security and ensuring real-time threat intelligence updates. An EDL allows your environment to update its security rules dynamically based on external threat indicators. This integration keeps your environment current with the latest threat intelligence and improves its ability to detect and mitigate emerging cyberthreats.
To begin the configuration process, it's essential to gather the necessary information about the external dynamic list, such as the list URL, list type (IPv4, IPv6, domain, etc.), and any authentication credentials required to access the list. Once you have this information, you’ll:
  • Define your external dynamic list profile
    Navigate to the Objects tab and select External Dynamic Lists. Here, you will create a new external dynamic list profile by providing a name, description, and the URL of the external list. Specify the refresh interval, which determines how frequently your environment fetches updates from the specified URL. Configure any necessary authentication parameters, if applicable.
  • Incorporate your external dynamic list profile into your Security policy rules
    This is done by referencing the external dynamic list within Security policy rules, allowing your environment to use the external list to match and enforce policy dynamically. Update the rules accordingly, considering the specific use case and security requirements of your network.
  • Monitor your external dynamic list configuration
    Regularly monitoring and validating the external dynamic list configuration is crucial to ensure that your environment continues to receive timely threat intelligence updates. Ongoing adjustment and fine-tuning of Security policy rules based on the acquired threat intelligence will help maintain an effective and robust security posture against evolving cyberthreats.
Follow these steps to configure your environment to access an external dynamic list.

Configure Your Environment to Access an External Dynamic List (Strata Cloud Manager)

Learn how to configure your environment to access an EDL in Strata Cloud Manager.
You must establish the connection between your environment and the source that hosts the external dynamic list before you can Enforce Policy on an External Dynamic List.
  1. Find an external dynamic list to use with your configuration.
    • Create an external dynamic list and host it on a web server. Enter IP addresses, domains, or URLs in a blank text file. Each list entry must be on a separate line. For example:
      financialtimes.co.in
      www.wallaby.au/joey
      www.exyang.com/auto-tutorials/How-to-enter-Data-for-Success.aspx
      See the Formatting Guidelines for an External Dynamic List to ensure that your environment doesn't skip list entries. To prevent commit errors and invalid entries, do not prefix http:// or https:// to any of the entries.
    • Use an external dynamic list hosted by another source and verify that it follows the Formatting Guidelines for an External Dynamic List.
  2. Select Configuration > NGFW and Prisma Access > Objects > External Dynamic Lists.
  3. Select Add External Dynamic List and enter a descriptive Name for the list.
  4. Select the list Type (for example, URL List).
    Ensure that the list only includes entries for the list type. See Verify whether entries in the external dynamic list were ignored or skipped.
    If you are using a Domain List, you can optionally enable Automatically expand to include subdomains to also include the subdomains of a specified domain. For example, if your domain list includes paloaltonetworks.com, all lower-level components of the domain name (e.g., *.paloaltonetworks.com) will also be included as part of the list. Keep in mind that when this setting is enabled, each domain in a given list requires an additional entry, effectively doubling the number of entries that are consumed.
  5. Enter the Source for the list you just created on the web server. The source must include the full path to access the list. For example, https://1.2.3.4/EDL_IP_2015.
    • If you are creating a Predefined IP external dynamic list, select a Palo Alto Networks malicious IP address feed to use as a source.
    • If you are creating a Predefined URL external dynamic list, select panw-auth-portal-exclude-list as a source.
  6. If the list source is secured with SSL (i.e. lists with an HTTPS URL), enable server authentication. Select a Certificate Profile or create a New Certificate Profile for authenticating the server that hosts the list. The certificate profile you select must have root certificate authority (CA) and intermediate CA certificates that match the certificates installed on the server you are authenticating.
    Maximize the number of external dynamic lists that you can use to enforce policy. Use the same certificate profile to authenticate external dynamic lists from the same source URL. If you assign different certificate profiles to external dynamic lists from the same source URL, your environment counts each list as a unique external dynamic list.
  7. Enable client authentication if the list source has an HTTPS URL and requires basic HTTP authentication for list access.
    1. Select Client Authentication.
    2. Enter a valid Username to access the list.
    3. Enter the Password and Confirm Password.
  8. (Optional) Specify the frequency at which your environment should Check for updates to the list. By default, the list is retrieved once every hour and commits the changes.
    The interval is relative to the last commit. So, for the five-minute interval, the commit occurs in 5 minutes if the last commit was an hour ago. To retrieve the list immediately, see Retrieve an External Dynamic List from the Web Server.
  9. Click Save and Push Config.
  10. (Optional) EDLs are shown top to bottom, in order of evaluation. Use the directional controls at the bottom of the page to change the list order. This allows you to reorder the lists so that the most important EDLs are committed before capacity limits are reached.
  11. Enforce Policy on an External Dynamic List.
    If the server or client authentication fails, your environment ceases to enforce policy based on the last successfully retrieved external dynamic list. Find External Dynamic Lists That Failed Authentication and view the reasons for authentication failure.

Deploy and Configure Custom EDL Hosting Service

This procedure guides you through setting up Hosted EDLs in Strata Cloud Manager. Configure external data sources (Git, API, or file uploads), create a Hosted Dynamic List that consolidates and processes those entries, then create an EDL object to use in security policies that are enforced dynamically across your Palo Alto Networks firewalls.
This feature is offered as a preview at this release.
This procedure involves the following steps:
  1. Synchronize your source (using a Git repository/account, API endpoint, or an uploaded list).
  2. Create the EDL based on your synchronized list.

Synchronize Your Source

Configure external data sources using one of three methods: Git, API endpoints, or an uploaded list. Each method is described below.

Use a Git Account to Synchronize Your Source

  1. Login to Strata Cloud Manager.
  2. Select Configuration > NGFW & Prisma Access > Setup.
  3. Select the Hosted Dynamic Lists card on the Setup page; click the configuration icon.
  4. In the Hosted Dynamic Lists page, select the Git Repositories tab to add a Git account.
  5. Select the Git Accounts tab. This page displays currently connected Git accounts; you can use this page to view details about a connected account; you can also use this view to remove an account.
  6. Click Add Git Account. In the Add Git Account page:
    1. Use the drop-down to select the Provider (GitHub or GitLab).
    2. Enter a Name.
    3. Enter a Description.
    4. Enter your Personal Access Token.
    5. Click Save.
      A GitHub personal access token is required to sync your Git account.

Use a Git Repository to Synchronize Your Source

  1. In the Hosted Dynamic Lists page, select the Git Repositories tab to manage reusable credentials for Git hosting providers. Use this tab to view existing connected repositories, or to add a new one.
  2. Click Add Git Repository. (The Git Repositories page displays currently connected repositories; select a repository to view its details or to remove it.) In the Add Git Repository page, use the drop-down to select the Git Account (GitHub or GitLab), or click Create New.
    1. Enter a Name and (optionally) a Description for the Git account.
    2. Use the drop-down to select the EDL Type: IP list, Domain list, or a URL list.
    3. Optionally enter the Polling Interval (in minutes).
    4. Enter the Repository URL.
    5. Select the Branch.
    6. Specify the File Path.
    7. Click Save.
    8. Set the Source Type to Git Repository.
    9. Select your endpoint from the drop-down list.
    10. Click Save.

Use an API Endpoint

  1. In the Hosted Dynamic Lists page, select the API Endpoints tab. This page displays associated endpoints. You can select an existing entry to edit it.
  2. Click Add API Endpoint. In the Add API Endpoint screen:
    1. Enter a Name and Description for the API endpoint.
    2. Use the drop-down to select the EDL Type.
    3. Enter the Base URL for the API endpoint. This field represents the full URL of the REST endpoint that returns your threat data.
    4. Determine the Authentication Type.
    5. Select the Key Location: Header sends the key as a request header, Query appends it as a URL query parameter. Provide the Header Name to represent the name of the header or query parameter (for example, X-Apikey, api_key). Provide the Secret for the API key value.
    6. Select Test Source Connection to verify reachability and authentication. There are three states: Loading (connecting to the endpoint), Success (the endpoint is reachable and the credentials are valid), Error (the connection failed; review the URL and credentials before proceeding).
    7. Click Save. The new endpoint appears in the API Endpoints section, containing the Name, Base URL and Authentication Type.
      SCM begins polling the endpoint on its schedule (minimum interval of 5 minutes) and automatically processes the response into your hosted feed.
      To edit or delete an endpoint:
      • Edit: Click the endpoint name in the grid to reopen the pre-populated form.
      • Delete: Select the row checkbox → click Delete → confirm in the dialog.
      An API endpoint cannot be deleted while it is attached to a Hosted Dynamic List. Remove it from all lists first, then delete.

Use an Uploaded List

Use the Uploaded Lists tab to upload static files containing EDL entries. Uploaded lists can be CSV, JSON, or text files. The maximum file size is 8 MB. Select the file format (CSV, JSON, or text) that matches how your data is structured:
  • TXT (simplest, recommended): one entry per line. Lines starting with # are comments and are skipped. Inline tags are supported after # on entry lines. For example:
      # SOC blocklist - maintained by security team
      10.0.0.1
      192.168.5.0/24
      203.0.113.0/24
      10.0.0.5 # incident_id=inc123; severity=high
      *.malware.example.com
      https://phishing.example.com/payload # threat_type=phishing
  • CSV (if your data comes from a spreadsheet or tool export): by default, entries are read from the first column (index 0) and the first row is treated as a header. For example:
      ip_address,incident_id,severity
      10.0.0.1,inc123,high
      192.168.1.0/24,inc456,medium
      203.0.113.0/24,inc789,low
    If your IP or domain is in a different column, note the zero-based column index; you may be asked for this when configuring the source.
  • JSON: a flat array, for example:
      ["10.0.0.1", "192.168.1.0/24", "203.0.113.0/24"]
    or nested objects (you will need to provide a JSONPath expression to extract values):
      [
        {"ip": "10.0.0.1", "severity": "high"},
        {"ip": "192.168.1.0/24", "severity": "medium"}
      ]
  1. In the Hosted Dynamic Lists page, select the Uploaded Lists tab. Use this tab to view existing lists, or to add a new one.
    An uploaded list cannot exceed 8MB.
    Select an uploaded list to view its contents (including the name, an optional description, and the configured data type, for example IP list).
  2. Click Add Uploaded Lists. In the Add Uploaded List page:
    1. Enter a Name and (optionally) Description for the uploaded list.
    2. Use the drop-down to select the EDL Type.
    3. Browse for the file (or drag and drop).
    SCM processes the file immediately and includes its entries in the hosted feed.
    Updating an Uploaded List
    When your data changes, upload a new file to replace or extend the existing list:
    1. Go to the Uploaded Lists tab.
    2. Click the list name to open the edit form.
    3. Drag and drop or browse to your new file.
    4. Click Save.
    The hosted dynamic list feed is automatically regenerated with the updated entries.
    Editing or Deleting an Uploaded List
    • Edit: Click the list name in the grid to reopen the pre-populated form.
    • Delete: Select the row check box → click Delete → confirm in the dialog
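The three upload formats above (TXT with # comments and inline tags, CSV with a zero-based column index and header row, JSON as a flat array or as objects selected by a JSONPath expression) are easy to get subtly wrong before the file reaches SCM. The following Python script is an added example, not Palo Alto Networks code, that parses all three formats into (entry, tags) pairs and enforces the 8 MB cap, so a list can be checked locally before upload. It assumes the tag syntax key=value; key=value after #, treats the cap as 8 MiB, and implements only the JSONPath subset $[*].key; the product's own parser and JSONPath support are not described on the page beyond what is quoted above. The samples are the ones shown in the format description.

```python
import csv
import io
import json
import re

# The page states an 8 MB cap for uploaded files; treating it as 8 MiB is an assumption.
MAX_UPLOAD_BYTES = 8 * 1024 * 1024


def _parse_tags(tag_text):
    """Turn 'incident_id=inc123; severity=high' into a dict (assumed tag syntax)."""
    tags = {}
    for part in tag_text.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip()] = value.strip()
    return tags


def parse_txt(text):
    """TXT: one entry per line; '#' lines are comments; tags may follow '#' on entry lines.
    Note: a '#' inside a URL fragment would also be read as a tag separator."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        value, _, tag_text = line.partition("#")
        entries.append((value.strip(), _parse_tags(tag_text)))
    return entries


def parse_csv(text, column=0, has_header=True):
    """CSV: take one zero-based column; the first row is a header unless told otherwise."""
    reader = csv.reader(io.StringIO(text))
    if has_header:
        next(reader, None)
    return [(row[column].strip(), {}) for row in reader
            if len(row) > column and row[column].strip()]


def parse_json(text, jsonpath=None):
    """JSON: a flat array of strings, or an array of objects plus a JSONPath.
    Only '$[*].key' is implemented (assumption); the other keys of each object
    are kept as tags so no metadata is silently lost."""
    data = json.loads(text)
    if not isinstance(data, list):
        raise ValueError("expected a top-level JSON array")
    if jsonpath is None:
        if not all(isinstance(item, str) for item in data):
            raise ValueError("nested objects need a JSONPath expression")
        return [(item.strip(), {}) for item in data]
    match = re.fullmatch(r"\$\[\*\]\.([A-Za-z_][A-Za-z0-9_]*)", jsonpath)
    if not match:
        raise ValueError(f"unsupported JSONPath: {jsonpath}")
    key = match.group(1)
    return [(item[key], {k: v for k, v in item.items() if k != key})
            for item in data if isinstance(item, dict) and key in item]


def parse_upload(data, fmt, **options):
    """Dispatch on the chosen file format after enforcing the size limit."""
    if len(data) > MAX_UPLOAD_BYTES:
        raise ValueError(f"upload is {len(data)} bytes; limit is {MAX_UPLOAD_BYTES}")
    text = data.decode("utf-8")
    parsers = {"txt": parse_txt, "csv": parse_csv, "json": parse_json}
    return parsers[fmt](text, **options)


# Samples taken from the page's format description (not real feeds).
TXT_SAMPLE = b"""# SOC blocklist - maintained by security team
10.0.0.1
192.168.5.0/24
203.0.113.0/24
10.0.0.5 # incident_id=inc123; severity=high
*.malware.example.com
https://phishing.example.com/payload # threat_type=phishing
"""
CSV_SAMPLE = b"""ip_address,incident_id,severity
10.0.0.1,inc123,high
192.168.1.0/24,inc456,medium
203.0.113.0/24,inc789,low
"""
JSON_FLAT = b'["10.0.0.1", "192.168.1.0/24", "203.0.113.0/24"]'
JSON_NESTED = b'[{"ip": "10.0.0.1", "severity": "high"}, {"ip": "192.168.1.0/24", "severity": "medium"}]'

if __name__ == "__main__":
    print(parse_upload(TXT_SAMPLE, "txt"))
    print(parse_upload(CSV_SAMPLE, "csv", column=0))
    print(parse_upload(JSON_FLAT, "json"))
    print(parse_upload(JSON_NESTED, "json", jsonpath="$[*].ip"))
```

Running the script on a file before uploading it shows exactly which values SCM would receive as entries and which would be read as comments or tags, which is the quickest way to catch a wrong column index or a missing JSONPath.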

Create an EDL Based on Your Synchronized Source

Make sure you have at least one source ready. A hosted dynamic list requires at least one source to pull entries from. Set up any of the following in advance or create them inline during this process:
  • Git Account — for Git repository sources
  • API Endpoint — for REST API sources
  • Uploaded List — for manually uploaded files
Each of these options is described above.
  1. Login to Strata Cloud Manager. Select Configuration > NGFW & Prisma Access > Setup.
  2. Select the Hosted Dynamic Lists card on the Setup page; click the configuration icon. The Hosted Dynamic List page displays currently configured lists. You can edit an existing list, or click Add Hosted Dynamic List.
  3. In the Add Hosted Dynamic List page:
    1. Enter the Name. Specify a unique name for this list (e.g., Malicious-IPs, Phishing-Domains).
    2. Optionally enter a Description.
    3. Select the EDL Type from the drop-down menu.
      Choose EDL Type carefully — it cannot be changed after creation. Entries from sources that do not match the selected type are automatically dropped.
    4. Select the IP Type (IPv4 or IPv6).
    5. Click Add Source.
      You can aggregate up to 10 sources into a single list. Duplicates are removed, and entries that do not match the EDL Type are ignored.
    6. In the Add Source screen, select the previously created Source (Git Repository, API Endpoint, or Uploaded List).
    7. Use the drop-down menu to select the corresponding source; for example, after selecting Git Repository, use the drop-down menu to select the correct repository.
      Add more sources by clicking Add Source again. You can add up to 10 sources per hosted dynamic list.
  4. Click Save.
    SCM immediately begins processing: it fetches entries from all attached sources, removes duplicates, merges overlapping CIDRs (for IP lists), and drops any entries that don't match the EDL type.
  5. Verify the list. On the Hosted Dynamic Lists tab, your new list appears:
    If the status shows an error, hover over the red dot to view the error message.
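Steps 3 and 4 above describe what SCM does with the attached sources: a cap of 10 sources, removal of duplicates, dropping entries that don't match the EDL Type (and IP Type), and merging overlapping CIDRs for IP lists. The Python script below is an added example, not SCM's own implementation, that reproduces that processing for an IP list so you can predict what the hosted feed will contain and why an entry was dropped. It uses the standard-library ipaddress module (collapse_addresses merges adjacent and nested networks); the source names and entries are constructed for the example.

```python
import ipaddress

MAX_SOURCES = 10  # the page's per-list cap on attached sources


def aggregate_ip_sources(sources, ip_version=4):
    """Merge several IP sources into one feed the way the page describes.

    sources: list of (source_name, [entry, ...]) pairs.
    Returns (list of CIDR strings, report). Non-IP entries, entries of the other
    IP family, and duplicates are dropped with a reason; overlapping or adjacent
    networks are collapsed into the smallest covering set.
    """
    if len(sources) > MAX_SOURCES:
        raise ValueError(f"{len(sources)} sources attached; limit is {MAX_SOURCES}")
    networks, seen, dropped = [], set(), []
    for name, entries in sources:
        for entry in entries:
            try:
                net = ipaddress.ip_network(entry.strip(), strict=False)
            except ValueError:
                dropped.append((name, entry, "not an IP address or CIDR"))
                continue
            if net.version != ip_version:
                dropped.append((name, entry, f"IPv{net.version} entry in an IPv{ip_version} list"))
                continue
            if net in seen:  # 10.0.0.1 and 10.0.0.1/32 compare equal
                dropped.append((name, entry, "duplicate"))
                continue
            seen.add(net)
            networks.append(net)
    # collapse_addresses drops networks contained in others and joins adjacent ones
    merged = [str(net) for net in ipaddress.collapse_addresses(networks)]
    return merged, {"input": len(networks), "output": len(merged), "dropped": dropped}


# Constructed sources (hypothetical names and entries), one per source kind.
SOURCES = [
    ("git:soc-blocklist", ["10.0.0.1", "10.0.0.0/24", "203.0.113.0/25", "203.0.113.128/25"]),
    ("api:threat-feed", ["10.0.0.1", "2001:db8::1", "198.51.100.0/24", "evil.example.com"]),
    ("upload:incident-42", ["198.51.100.0/24", "198.51.100.77"]),
]

if __name__ == "__main__":
    merged, report = aggregate_ip_sources(SOURCES, ip_version=4)
    print("feed:", merged)
    print(f"{report['input']} accepted entries collapsed to {report['output']} networks")
    for name, entry, reason in report["dropped"]:
        print(f"  dropped {entry!r} from {name}: {reason}")
```

The report is the part worth keeping: when a hosted list shows fewer entries than you expected, the dropped list tells you whether the cause was the wrong IP Type, a non-IP entry in an IP list, or simply CIDR merging, which is expected and not a loss of coverage.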

Configure Your Environment to Access an External Dynamic List (PAN-OS & Panorama)

Learn how to configure your environment to access an EDL in PAN-OS and Panorama.
You must establish the connection between the firewall and the source that hosts the external dynamic list before you can Enforce Policy on an External Dynamic List.
  1. (Optional) Customize the service route that the firewall uses to retrieve external dynamic lists.
    Select Device > Setup > Services > Service Route Configuration > Customize and modify the External Dynamic Lists service route.
    The firewall does not use the External Dynamic Lists service route to retrieve the Palo Alto Networks built-in external dynamic lists; content updates modify or update the contents of those lists (active Threat Prevention license required).
  2. Find an external dynamic list to use with the firewall.
    • Create an external dynamic list and host it on a web server. Enter IP addresses, domains, or URLs in a blank text file. Each list entry must be on a separate line. For example:
      financialtimes.co.in
      www.wallaby.au/joey
      www.exyang.com/auto-tutorials/How-to-enter-Data-for-Success.aspx
      See the Formatting Guidelines for an External Dynamic List to ensure that the firewall does not skip list entries. To prevent commit errors and invalid entries, do not prefix http:// or https:// to any of the entries.
    • Use an external dynamic list hosted by another source and verify that it follows the Formatting Guidelines for an External Dynamic List.
  3. Select Objects > External Dynamic Lists.
  4. Click Add and enter a descriptive Name for the list.
  5. (Optional) Select Shared to share the list with all virtual systems on a device that is enabled for multiple virtual systems. By default, the object is created on the virtual system that is currently selected in the Virtual Systems drop-down.
    As a best practice, Palo Alto Networks recommends using shared EDLs when multiple virtual systems are used. Using individual EDLs with duplicate entries for each vsys uses more memory, which might over-utilize firewall resources.
  6. (Panorama only) Select Disable override to ensure that a firewall administrator cannot override settings locally on a firewall that inherits this configuration through a Device Group commit from Panorama.
  7. Select the list Type (for example, URL List).
    Ensure that the list only includes entries for the list type. See Verify whether entries in the external dynamic list were ignored or skipped.
    If you are using a Domain List, you can optionally enable Automatically expand to include subdomains to also include the subdomains of a specified domain. For example, if your domain list includes paloaltonetworks.com, all lower-level components of the domain name (e.g., *.paloaltonetworks.com) will also be included as part of the list. Keep in mind that when this setting is enabled, each domain in a given list requires an additional entry, effectively doubling the number of entries that are consumed.
  8. Enter the Source for the list you just created on the web server. The source must include the full path to access the list. For example, https://1.2.3.4/EDL_IP_2015.
    • If you are creating a Predefined IP external dynamic list, select a Palo Alto Networks malicious IP address feed to use as a source.
    • If you are creating a Predefined URL external dynamic list, select panw-auth-portal-exclude-list as a source.
  9. If the list source is secured with SSL (i.e. lists with an HTTPS URL), enable server authentication. Select a Certificate Profile or create a New Certificate Profile for authenticating the server that hosts the list. The certificate profile you select must have root certificate authority (CA) and intermediate CA certificates that match the certificates installed on the server you are authenticating.
    Maximize the number of external dynamic lists that you can use to enforce policy. Use the same certificate profile to authenticate external dynamic lists from the same source URL. If you assign different certificate profiles to external dynamic lists from the same source URL, the firewall counts each list as a unique external dynamic list.
  10. Enable client authentication if the list source has an HTTPS URL and requires basic HTTP authentication for list access.
    1. Select Client Authentication.
    2. Enter a valid Username to access the list.
    3. Enter the Password and Confirm Password.
  11. (Not available on Panorama or for Predefined URL EDLs) Click Test Source URL to verify that the firewall can connect to the web server.
    The Test Source URL function is not available when authentication is used for EDL access.
  12. (Optional) Specify the frequency at which the firewall should Check for updates to the list. By default, the firewall retrieves the list once every hour and commits the changes.
    The interval is relative to the last commit. So, for the five-minute interval, the commit occurs in 5 minutes if the last commit was an hour ago. To retrieve the list immediately, see Retrieve an External Dynamic List from the Web Server.
  13. Click OK and Commit your changes.
  14. (Optional) EDLs are shown top to bottom, in order of evaluation. Use the directional controls at the bottom of the page to change the list order. This allows you to reorder the lists so that the most important EDLs are committed before capacity limits are reached.
    You can only change the EDL order when Group By Type is deselected.
  15. Enforce Policy on an External Dynamic List.
    If the server or client authentication fails, the firewall ceases to enforce policy based on the last successfully retrieved external dynamic list. Find External Dynamic Lists That Failed Authentication and view the reasons for authentication failure.
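Both procedures above (Strata Cloud Manager steps 1, 4 and 6-7; PAN-OS and Panorama steps 2, 7 and 9-11) share the same pre-flight work: a self-hosted list must have one entry per line with no http:// or https:// prefix, entries that don't fit the list Type are skipped, a Domain list with subdomain expansion consumes twice its entries, and an HTTPS source is fetched with the certificate profile's CAs and, optionally, basic HTTP credentials, a combination the firewall's Test Source URL button cannot exercise. The Python script below is an added example, not Palo Alto Networks code, that checks a list file the way the steps describe and fetches an authenticated source with an explicit CA bundle. It assumes that blank lines and lines beginning with # are ignored, that a URL list accepts bare domains as well as host/path and wildcard entries, and that the firewall's entry parsing matches these simplified rules; the sample list is constructed and the hostname edl.example.invalid is a placeholder.

```python
import base64
import ipaddress
import re
import ssl
import urllib.request

# Label-by-label domain shape; wildcards and paths are handled separately below.
_DOMAIN_RE = re.compile(r"^(?!-)(?:[A-Za-z0-9-]{1,63}\.)+[A-Za-z]{2,63}$")

# Which entry kinds each list Type accepts (assumption modelled on the page).
_ACCEPTS = {"IP": {"ip"}, "Domain": {"domain"}, "URL": {"domain", "url"}}


def classify(entry):
    """Return 'ip', 'domain', 'url' or 'invalid' for one list line."""
    try:
        ipaddress.ip_network(entry, strict=False)
        return "ip"
    except ValueError:
        pass
    if _DOMAIN_RE.match(entry):
        return "domain"
    host = entry.split("/", 1)[0]
    if _DOMAIN_RE.match(host) or (host.startswith("*.") and _DOMAIN_RE.match(host[2:])):
        return "url"
    return "invalid"


def validate_edl(text, list_type, expand_subdomains=False):
    """Check list text the way the steps say the firewall reads it.

    Returns accepted entries, skipped entries with a reason, and the number of
    entries consumed against capacity (doubled for a Domain list with
    "Automatically expand to include subdomains" enabled).
    """
    accepted, skipped = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # assumption: ignored by the firewall
            continue
        if re.match(r"^https?://", line, re.IGNORECASE):
            skipped.append((lineno, line, "http:// or https:// prefix is not allowed"))
            continue
        kind = classify(line)
        if kind in _ACCEPTS[list_type]:
            accepted.append(line)
        else:
            skipped.append((lineno, line, f"{kind} entry in a {list_type} list"))
    factor = 2 if (list_type == "Domain" and expand_subdomains) else 1
    return {"accepted": accepted, "skipped": skipped, "consumed": len(accepted) * factor}


def build_request(url, username=None, password=None):
    """Build the GET request, adding HTTP Basic credentials when client auth is configured."""
    req = urllib.request.Request(url)
    if username is not None:
        token = base64.b64encode(f"{username}:{password}".encode()).decode()
        req.add_header("Authorization", f"Basic {token}")
    return req


def fetch_edl(url, ca_bundle, username=None, password=None, timeout=10):
    """Retrieve the list trusting only the CAs in ca_bundle (the certificate
    profile's root and intermediate CAs) and never sending Basic credentials
    over plain HTTP. Needs network access, so it is not exercised by the test."""
    if username is not None and not url.lower().startswith("https://"):
        raise ValueError("client authentication requires an HTTPS source URL")
    ctx = ssl.create_default_context(cafile=ca_bundle)  # verifies chain and hostname
    with urllib.request.urlopen(build_request(url, username, password),
                                context=ctx, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


# Constructed sample list (not a real feed); lines 4 and 5 are deliberately wrong for a URL list.
SAMPLE_LIST = """\
# constructed example list
financialtimes.co.in
www.wallaby.au/joey
https://phishing.example.com/payload
198.51.100.7
"""

if __name__ == "__main__":
    for list_type in ("IP", "Domain", "URL"):
        report = validate_edl(SAMPLE_LIST, list_type, expand_subdomains=True)
        print(list_type, "accepted:", report["accepted"], "consumed:", report["consumed"])
        for lineno, entry, reason in report["skipped"]:
            print(f"  line {lineno} skipped ({reason}): {entry}")
    # To check a real source: validate_edl(fetch_edl("https://edl.example.invalid/list.txt",
    #     "/path/to/ca-bundle.pem", "user", "pass"), "URL")
```

Because fetch_edl uses the same trust material as the certificate profile (only the listed root and intermediate CAs) and the same credentials, a failure here reproduces the condition in which the firewall stops retrieving the list and keeps enforcing the last good copy, so it is worth running whenever the source's certificate is rotated.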