An external dynamic list is an address object based on an imported list of IP addresses, URLs, domain names, International Mobile Equipment Identities (IMEIs), or International Mobile Subscriber Identities (IMSIs) that you can use in policy rules to block or allow traffic. This list must be a text file saved to a web server that is accessible. By default, the management (MGT) interface is used to retrieve this list.

With an active Threat Prevention license, Palo Alto Networks provides multiple built-in dynamic IP lists that you can use to block malicious hosts. We update the lists daily based on our latest threat research.

You can use an IP address list as an address object in the source and destination of your policy rules; you can use a URL List in a URL Filtering profile or as a match criteria in Security policy rules; and you can use a domain list (Anti-Spyware Profile) as a sinkhole for specified domain names.

You can use up to 30 external dynamic lists with unique sources across all Security policy rules. The maximum number of entries that are supported for each list type varies based on the model (refer to the different limits for each external dynamic list type). List entries count toward the maximum limit only if the external dynamic list is used in a policy rule. If you exceed the maximum number of entries that are supported, a System log is generated and skips the entries that exceed the limit.

The external dynamic lists are shown in the order they are evaluated from top to bottom. Use the directional controls at the bottom of the page to change the list order. This enables you to reorder the lists to make sure that the most important entries in an external dynamic list are committed before you reach capacity limits.