Built-in External Dynamic Lists

Table of Contents

Formatting Guidelines for an External Dynamic List

Configure Your Environment to Access an External Dynamic List

Built-in External Dynamic Lists

With an active Threat Prevention license, Palo Alto Networks provides built-in IP address EDLs that you can use to protect against malicious hosts.

Where Can I Use This?	What Do I Need?
NGFW (Cloud Managed) NGFW (PAN-OS & Panorama Managed) `Prisma Access (Cloud Management)` `Prisma Access (Panorama Managed)`	Check for any license or role requirements for the products you're using.

With an active Threat Prevention license, Palo Alto Networks provides built-in IP address EDLs that you can use to protect against malicious hosts.

Palo Alto Networks Bulletproof IP Addresses
—Contains IP addresses provided by bulletproof hosting providers. Because bulletproof hosting providers place few, if any, restrictions on content, attackers frequently use these services to host and distribute malicious, illegal, and unethical material.

Palo Alto Networks High-Risk IP Addresses
—Contains malicious IP addresses from threat advisories issued by trusted third-party organizations. Palo Alto Networks compiles the list of threat advisories, but does not have direct evidence of the maliciousness of the IP addresses.

Palo Alto Networks Known Malicious IP Addresses
—Contains IP addresses that are verified malicious based on WildFire analysis, Unit 42 research, and data gathered from telemetry (share threat intelligence with Palo Alto Networks). Attackers use these IP addresses almost exclusively to distribute malware, initiate command-and-control activity, and launch attacks.

Palo Alto Networks Tor Exit IP Addresses
—Contains IP addresses supplied by multiple providers and validated with Palo Alto Networks threat intelligence data as active Tor exit nodes. Traffic from Tor exit nodes can serve a legitimate purpose, however, is disproportionately associated with malicious activity, especially in enterprise environments.

Your configuration receives updates for these feeds in content updates, allowing the it to automatically enforce policy based on the latest threat intelligence from Palo Alto Networks. You cannot modify the contents of the built-in lists. Use them as-is (see Enforce Policy on an External Dynamic List), or create a custom external dynamic list that uses one of the lists as a source (see Configure Your Environment to Access an External Dynamic List) and exclude entries from the list as needed.

Cloud Managed

PAN-OS & Panorama