Enforce Policy on an External Dynamic List (Strata Cloud Manager)
Block or allow traffic based on IP addresses or URLs in an external dynamic list, or use a dynamic domain list with a DNS sinkhole to prevent access to malicious domains.
Tips for enforcing policy with external dynamic lists:
  • Search for a domain, IP address, or URL to find which of the external dynamic lists used in policy contain it. This is useful for determining which external dynamic list (referenced in a Security rule) is causing a certain domain, IP address, or URL to be blocked or allowed.
  • Use an External Dynamic List of Type URL as Match Criteria in a Security Rule.
    1. Select Configuration > NGFW and Prisma Access > Security Services > Security Policy.
    2. Select Add Rule and enter a descriptive Name for the rule.
    3. In SOURCE, select a Zone.
    4. In DESTINATION, select a Zone.
    5. In URL CATEGORY / TENANT RESTRICTION, select the appropriate external dynamic list from the URL Category list.
    6. In Actions, set the Action setting to Allow or Deny.
    7. Select Save.
    8. Verify whether entries in the external dynamic list were ignored or skipped.
    9. Test that the policy action is enforced.
      1. View External Dynamic List Entries for the URL list, and attempt to access a URL from the list.
      2. Verify that the action you defined is enforced.
      3. Monitor activity. Select Incidents & Alerts > Log Viewer > Firewall/URL to access the detailed log view.
  • Use an IP External Dynamic List or Predefined IP External Dynamic List as a Source or Destination Address Object in a Security Rule.
    This capability is useful if you deploy new servers and want to allow access to the newly deployed servers without requiring a commit.
    1. Select Configuration > NGFW and Prisma Access > Security Services > Security Policy.
    2. Select Add Rule and give the rule a descriptive Name.
    3. In SOURCE and DESTINATION, set the external dynamic list to be used as the SOURCE and DESTINATION addresses.
    4. In APPLICATION / SERVICE, make sure the Service is set to Application Default.
    5. In Actions, set the Action setting to Allow or Deny.
      Create separate external dynamic lists if you want to specify allow and deny actions for specific IP addresses.
    6. Leave all the other options at the default values.
    7. Select Save to save the changes.
    8. Test that the policy action is enforced.
      1. View External Dynamic List Entries for the external dynamic list, and attempt to access an IP address from the list.
      2. Verify that the action you defined is enforced.
      3. Select Incidents & Alerts > Log Viewer > Firewall/Traffic and view the log entry for the session.
  • Use a Predefined URL External Dynamic List to exclude benign domains that applications use for background traffic from Authentication policy.
    When you select the panw-auth-portal-exclude-list EDL type, you can easily exclude from Authentication policy enforcement the domains that many applications use for background traffic, such as updates and other trusted services. This ensures that the necessary traffic for these services is not blocked and application maintenance is not interrupted.
    1. Select Configuration > NGFW and Prisma Access > Identity Services > Authentication > Authentication Rules > Add Rule.
    2. In Services and URLs, select the Predefined URL EDL as the URL Category.
    3. In Action, select Do Not Authenticate.
    4. Select Save.
    5. Move the rule to the top so that it's the first rule in the policy.
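The procedures above ask you to verify whether entries in the list were ignored or skipped before trusting the rule. The following added example (not code from this page or from Palo Alto Networks) is a hypothetical pre-publish validator for the text file behind an IP-type list; it assumes one entry per line in the shapes an IP list accepts (a single IPv4 or IPv6 address, a CIDR prefix, or a hyphenated address range) and reports everything else as an entry the firewall would skip.

```python
"""Pre-publish validator for the text file behind an IP-type external dynamic list.

Hypothetical helper (not part of Strata Cloud Manager): it reports the entries
the firewall would accept and the ones it would skip, so a list can be checked
before a Security rule references it as a Source or Destination address.
"""
import ipaddress


def classify_entry(entry: str) -> str:
    """Return 'address', 'prefix', 'range' or 'invalid' for one list line."""
    try:
        if "-" in entry:  # hyphenated range, e.g. 10.0.0.1-10.0.0.9
            start, end = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
            # A range must stay within one address family and run low to high.
            if start.version == end.version and start <= end:
                return "range"
            return "invalid"
        if "/" in entry:  # CIDR prefix, e.g. 192.0.2.0/24 (host bits tolerated here)
            ipaddress.ip_network(entry, strict=False)
            return "prefix"
        ipaddress.ip_address(entry)  # single IPv4 or IPv6 address
        return "address"
    except ValueError:  # wrong prefix length, hostname, malformed address, ...
        return "invalid"


def validate_ip_edl(text: str):
    """Split a list file into (accepted, skipped) lists of (line_no, entry, kind)."""
    accepted, skipped = [], []
    for n, raw in enumerate(text.splitlines(), start=1):
        entry = raw.strip()
        if not entry:  # blank lines carry no entry
            continue
        kind = classify_entry(entry)
        (skipped if kind == "invalid" else accepted).append((n, entry, kind))
    return accepted, skipped


# Constructed sample list (not a real feed): valid shapes mixed with typical mistakes.
SAMPLE_LIST = """\
198.51.100.7
192.0.2.0/24
10.0.0.1-10.0.0.9
2001:db8::/32

203.0.113.9/33
10.0.0.9-10.0.0.1
example.com
192.0.2.1 - 2001:db8::1
"""

if __name__ == "__main__":
    ok, bad = validate_ip_edl(SAMPLE_LIST)
    for n, entry, kind in bad:
        print(f"line {n}: would be skipped: {entry!r}")
    print(f"{len(ok)} accepted, {len(bad)} skipped")
```

Run it against the file you host before pointing a list at it; a domain in an IP list, a reversed range, or a bad prefix length shows up here instead of as a silently skipped entry.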