Check for any license or role requirements for the products you're
Prisma Access license or AIOps for NGFW license
An external dynamic list is an address object based on an imported
list of IP addresses, URLs, domain names, International Mobile Equipment
Identities (IMEIs), or International Mobile Subscriber Identities
(IMSIs) that you can use in policy rules to block or allow traffic.
This list must be a text file saved to a web server that is accessible.
By default, the management (MGT) interface is used to retrieve this
With an active Threat Prevention license, Palo Alto Networks
provides multiple built-in dynamic IP lists that you can use to
block malicious hosts. We update the lists daily based on our latest
You can use an IP address list as an address object in the source
and destination of your policy rules; you can use a URL List in
a URL Filtering profile or as a match criteria in Security policy
rules; and you can use a domain list (Anti-Spyware Profile) as a
sinkhole for specified domain names.
You can use up to 30 external dynamic lists with unique sources
across all Security policy rules. The maximum number of entries
that are supported for each list type varies based on the model
(refer to the different limits for each external dynamic list type).
List entries count toward the maximum limit only if the external
dynamic list is used in a policy rule. If you exceed the maximum
number of entries that are supported, a System log is generated
and skips the entries that exceed the limit.
The external dynamic lists are shown in the order they are evaluated
from top to bottom. Use the directional controls at the bottom of
the page to change the list order. This enables you to reorder the
lists to make sure that the most important entries in an external
dynamic list are committed before you reach capacity limits.
You cannot change the external dynamic list order when
lists are grouped by type.
You cannot delete, clone, or edit the settings of the Palo
Alto Networks malicious IP address feeds.