Use an External Dynamic List in a URL Filtering Profile

Add an external dynamic list to a URL Filtering profile or policy to specify sites you want to exclude from URL category policy enforcement.
Where can I use this?
  • Prisma Access (Cloud Management)
  • Prisma Access (Panorama Managed)
  • NGFW (Cloud Managed)
  • NGFW (PAN-OS or Panorama Managed)
What do I need?
Notes:
  • Legacy URL filtering licenses are discontinued, but active legacy licenses are still supported.
  • Prisma Access usually includes Advanced URL Filtering capabilities.
An external dynamic list is a text file that is hosted on an external web server. You can use this list to import URLs and enforce policy on these URLs. The firewall dynamically imports the list at the configured interval and enforces policy for the URLs (IP addresses or domains are ignored) in the list. When the list is updated on the web server, the firewall retrieves the changes and applies policy to the modified list without requiring a commit on the firewall.
To protect your network from newly discovered threats and malware, you can use external dynamic lists in URL Filtering profiles. For URL formatting guidelines, see Guidelines for URL Category Exceptions.

Cloud Managed

If you’re using Panorama to manage Prisma Access: Toggle over to the PAN-OS & Panorama tab and follow the guidance there.
If you’re using Strata Cloud Manager, continue here.
  1. Enable Prisma Access to reference an external dynamic list.
    An external dynamic list allows you to define an imported list of IP addresses, URLs, or domain names that you can use in policy rules to block or allow traffic.
    To set up an external dynamic list, go to Manage > Configuration > Objects > External Dynamic Lists:
    • Ensure that the list does not include IP addresses or domain names; the firewall skips non-URL entries.
    • Use the custom URL list guidelines to verify the list’s formatting.
    • Specify the List Type as URL List.
  2. Use the external dynamic list with URL Filtering.
    Go to Manage > Configuration > Security Services > URL Access Management.
    • Specify Site Access for the URLs in the external dynamic list.
    • Exclude URLs in the external dynamic list from advanced inline categorization.
    You can also use external dynamic lists to create custom URL categories (return to the URL Access Management dashboard to do this).
    If a URL that is included in an external dynamic list is also included in a custom URL category, or block and allow list, the action specified in the custom category takes precedence over the external dynamic list.
  3. Test that the policy action is enforced.
    1. View the external dynamic list entries (Manage > Configuration > Objects > External Dynamic Lists) and try to access a URL from the list.
    2. Verify that the action you defined is enforced in the browser.

PAN-OS & Panorama

    • Ensure that the list does not include IP addresses or domain names; the firewall skips non-URL entries.
    • Use the custom URL list guidelines to verify the list’s formatting.
    • Select URL List from the Type drop-down.
  1. Use the external dynamic list in a URL Filtering profile.
    1. Select Objects > Security Profiles > URL Filtering.
    2. Add or modify an existing URL Filtering profile.
    3. Name the profile and, in the Categories tab, select the external dynamic list from the Category list.
    4. Click Action to select a more granular action for the URLs in the external dynamic list.
      If a URL that is included in an external dynamic list is also included in a custom URL category, or block and allow list, the action specified in the custom category takes precedence over the external dynamic list.
    5. Click OK.
    6. Attach the URL Filtering profile to a Security policy rule.
      1. Select Policies > Security.
      2. Select the Actions tab and, in the Profile Setting section, select the new profile in the URL Filtering drop-down.
      3. Click OK and Commit your changes.
  2. Test that the policy action is enforced.
    1. View the external dynamic list entries and try to access a URL from the list.
    2. Verify that the action you defined is enforced in the browser.
    3. To monitor the activity on the firewall:
      1. Select ACC and add a URL Domain as a global filter to view the Network Activity and Blocked Activity for the URL you accessed.
      2. Select Monitor > Logs > URL Filtering to access the detailed log view.
  3. Verify whether entries in the external dynamic list were ignored or skipped.
    In a list of type URL, the firewall skips non-URL entries as invalid and ignores entries that exceed the maximum limit for the firewall model.
    To check whether you have reached the limit for an external dynamic list type, select Objects > External Dynamic Lists and click List Capacities.
    Use the following CLI command on a firewall to review the details for a list.
      request system external-list show type url name <list_name>
    For example:
      request system external-list show type url name My_URL_List
      vsys5/My_URL_List:
      Next update at: Tue Jan 3 14:00:00 2017
      Source: http://example.com/My_URL_List.txt
      Referenced: Yes
      Valid: Yes
      Auth-Valid: Yes
      Total valid entries: 3
      Total invalid entries: 0
      Valid urls:
      www.URL1.com
      www.URL2.com
      www.URL3.com
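
The check in step 3, as an added example (not part of the original documentation and not Palo Alto Networks tooling): a Python script that parses the `request system external-list show` output and compares it with the hosted list to name the entries the firewall did not accept. The field labels come from the sample output on this page; the hosted list, the modified status text, and the assumption that accepted entries are echoed exactly as hosted are constructed for illustration.

```python
import re

# Field labels exactly as they appear in the sample output on this page.
LABELS = ["Next update at", "Source", "Referenced", "Valid", "Auth-Valid",
          "Total valid entries", "Total invalid entries", "Valid urls"]
# Longest label first, so "Valid urls" and "Auth-Valid" are tried before "Valid".
_ALT = "|".join(re.escape(l) for l in sorted(LABELS, key=len, reverse=True))
_FIELD = re.compile(r"(?<![\w-])(" + _ALT + r"):")

def parse_edl_status(output):
    """Return {label: value}; works for one-line or multi-line output."""
    hits = list(_FIELD.finditer(output))
    fields = {}
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(output)
        fields[m.group(1)] = output[m.end():end].strip()
    return fields

def audit_edl(output, hosted_list_text):
    """Compare firewall status with the hosted list; return (findings, skipped)."""
    f = parse_edl_status(output)
    findings = []
    for label in ("Referenced", "Valid", "Auth-Valid"):
        if f.get(label) != "Yes":
            findings.append(f"{label} is {f.get(label)!r}, expected 'Yes'")
    invalid = int(f.get("Total invalid entries", "0"))
    if invalid:
        findings.append(f"firewall counted {invalid} invalid entries")
    accepted = set(f.get("Valid urls", "").split())
    hosted = [ln.strip() for ln in hosted_list_text.splitlines() if ln.strip()]
    # Assumption: the firewall echoes accepted entries exactly as hosted.
    skipped = [u for u in hosted if u not in accepted]
    if skipped:
        findings.append("hosted but not accepted: " + ", ".join(skipped))
    return findings, skipped

# Sample output shown on this page, joined into one string.
PAGE_SAMPLE = ("vsys5/My_URL_List: Next update at: Tue Jan 3 14:00:00 2017 "
    "Source: http://example.com/My_URL_List.txt Referenced: Yes Valid: Yes "
    "Auth-Valid: Yes Total valid entries: 3 Total invalid entries: 0 "
    "Valid urls: www.URL1.com www.URL2.com www.URL3.com")
# Constructed hosted list: the three URLs plus one IP address entry.
HOSTED = "www.URL1.com\nwww.URL2.com\n192.0.2.10\nwww.URL3.com\n"
# Constructed status for that list: same fields, one entry counted as invalid.
CONSTRUCTED = PAGE_SAMPLE.replace("invalid entries: 0", "invalid entries: 1")

if __name__ == "__main__":
    for finding in audit_edl(CONSTRUCTED, HOSTED)[0]:
        print("FINDING:", finding)
```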
