Formatting Guidelines for an External Dynamic List
An external dynamic list of one type (IP address, domain, or URL) must include
entries of that type only. The entries in a predefined IP address list comply
with the formatting guidelines for IP address lists.
IP Address List
The external dynamic list can include individual IP addresses, subnet addresses
(address/mask), or ranges of IP addresses. In addition, the list can include
comments, and a comment can contain special characters such as *, :, ;, #,
or /. The syntax for each line in the list is [IP address, IP/Mask, or IP start
range-IP end range] [space] [comment].
Enter each IP address, range, or subnet on a new line; URLs or domains are not
supported in this list. A subnet or an IP address range, such as 192.168.20.0/24
or 192.168.20.40-192.168.20.50, counts as one IP address entry, not as multiple
IP addresses. If you add a comment, it must be on the same line as the IP
address, range, or subnet. The first space after the IP address, range, or
subnet is the delimiter that separates the comment from the entry.
An example IP address list:
192.168.20.10/32
2001:db8:123:1::1 #test IPv6 address
192.168.20.0/24 ; test internal subnet
2001:db8:123:1::/64 test internal IPv6 range
192.168.20.40-192.168.20.50
For an IP address that is blocked, you can display a notification page only if
the protocol is HTTP.
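The following parser is an added example, not Palo Alto Networks code. It applies the line syntax described above to a constructed sample list: everything after the first space is a comment, a line is either a single address, an address/mask subnet, or a start-end range, and each valid line counts as one entry regardless of how many addresses it covers. Two malformed lines are included to show what a pre-deployment check should catch (a reversed range, and a comment glued to the address with no space delimiter). Rejecting a subnet whose host bits are set (strict=True) is this validator's own choice, not a documented firewall behaviour.

```python
import ipaddress

# Constructed sample list: the entries shown on this page plus two bad lines.
SAMPLE_IP_LIST = """\
192.168.20.10/32
2001:db8:123:1::1 #test IPv6 address
192.168.20.0/24 ; test internal subnet
2001:db8:123:1::/64 test internal IPv6 range
192.168.20.40-192.168.20.50

192.168.20.40-192.168.20.30 reversed range
192.168.20.10#comment without the space delimiter
"""


def parse_entry(line):
    """Parse one line into ('net', ip_network) or ('range', (start, end)).

    The first space ends the entry; the rest of the line is the comment and
    is discarded. Raises ValueError for anything that is not an address,
    an address/mask subnet, or a start-end range.
    """
    entry, _sep, _comment = line.strip().partition(" ")
    if "-" in entry:
        start_s, end_s = entry.split("-", 1)
        start, end = ipaddress.ip_address(start_s), ipaddress.ip_address(end_s)
        if start.version != end.version:
            raise ValueError(f"mixed address families in range: {entry}")
        if start > end:
            raise ValueError(f"range start is after range end: {entry}")
        return ("range", (start, end))
    # strict=True rejects 192.168.20.1/24 (host bits set) instead of silently
    # widening it; that is this validator's policy, not firewall behaviour.
    return ("net", ipaddress.ip_network(entry, strict=True))


def parse_ip_list(text):
    """Return (entries, errors). Blank lines are skipped; errors are
    (line_number, message) pairs for lines that fail to parse."""
    entries, errors = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            entries.append(parse_entry(line))
        except ValueError as exc:
            errors.append((lineno, str(exc)))
    return entries, errors


def entry_count(text):
    """Number of entries as the firewall counts them: one per valid line,
    whatever the size of the subnet or range."""
    entries, _errors = parse_ip_list(text)
    return len(entries)


def contains(entries, address):
    """True if address falls inside any parsed entry (subnet or range)."""
    ip = ipaddress.ip_address(address)
    for kind, value in entries:
        if kind == "net" and ip.version == value.version and ip in value:
            return True
        if kind == "range":
            start, end = value
            if ip.version == start.version and start <= ip <= end:
                return True
    return False


if __name__ == "__main__":
    parsed, problems = parse_ip_list(SAMPLE_IP_LIST)
    print(f"{len(parsed)} valid entries")
    for lineno, msg in problems:
        print(f"line {lineno}: {msg}")
    print("192.168.20.45 listed:", contains(parsed, "192.168.20.45"))
```

Running the check against a list before publishing it on the web server avoids the situation where the firewall skips or misreads a line silently; contains() is also a quick way to confirm that an address you expect to be blocked actually falls inside one of the entries.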
Domain List
You can use placeholder characters in domain list entries so that a single entry
matches multiple subdomains or an entire top-level domain, or so that it matches
one domain exactly.
Follow these guidelines when creating domain list entries:
- Enter each domain name on a new line; URLs or IP addresses are not supported in this list.
- Do not prefix the domain name with the protocol, http:// or https://.
- You can use an asterisk (*) to indicate a wildcard value.
- You can use a caret (^) to indicate an exact match value.
- The following characters are considered token separators: . / ? & = ; +
  Every string separated by one or two of these characters is a token. Use wildcard characters as token placeholders, indicating that a specific token can contain any value.
- Wildcard characters must be the only character within a token; however, an entry can contain multiple wildcards.
- Each domain entry can be up to 255 characters in length.
When to use the asterisk (*) wildcard:
Use an asterisk (*) wildcard to indicate one or more variable subdomains. For
example, to enforce policy on the Palo Alto Networks website regardless of the
subdomain prefix, which might be one or two labels depending on location, add
the entry *.paloaltonetworks.com. This entry matches both
docs.paloaltonetworks.com and support.paloaltonetworks.com.
You can also use this wildcard to indicate an entire top-level domain. For
example, to enforce policy on the .work TLD, add the entry *.work. This matches
all websites ending with .work.
The asterisk (*) wildcard can only be prepended to a domain entry.
Asterisk (*) examples
EDL Domain List Entry | Matching Sites
---|---
*.company.com | eng.tools.company.com, support.tools.company.com, tools.company.com, docs.company.com
*.click | all websites ending with a top-level domain of .click
When to use a caret (^) character:
Use a caret (^) to indicate an exact match of a domain or subdomain. For example,
^paloaltonetworks.com matches only paloaltonetworks.com. This entry does not
match any other site.
Caret (^) examples
EDL Domain List Entry | Matching Site
---|---
^company.com | company.com
^eng.company.com | eng.company.com
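As an added example (not Palo Alto Networks code), the following validator and matcher implement the domain list guidelines and the asterisk and caret semantics shown in the two tables above. The sample list is constructed: it contains the table entries plus four lines that break the guidelines (a protocol prefix, a URL path, a wildcard that is not prepended, and a wildcard mixed with other characters in one token). Entries are tokenized on the dot separator, since that is the only separator that occurs in a domain name. Two points are this example's own assumptions rather than documented behaviour: a plain entry with neither * nor ^ is treated as an exact match, and when an entry has several leading wildcards each one consumes at least one subdomain label.

```python
import ipaddress
import re

# Constructed sample domain list: the table entries on this page plus
# four malformed lines that the validator should reject.
SAMPLE_DOMAIN_LIST = """\
*.company.com
*.click
^company.com
^eng.company.com
paloaltonetworks.com
https://bad.example.com
bad.example.com/path
eng.*.company.com
docs*.company.com
"""

MAX_ENTRY_LEN = 255
LABEL_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def validate_entry(entry):
    """Return None if the entry follows the guidelines above, else a reason."""
    if not entry or len(entry) > MAX_ENTRY_LEN:
        return "empty or longer than 255 characters"
    if "://" in entry:
        return "must not be prefixed with a protocol such as http:// or https://"
    if any(c in entry for c in "/?&=;+"):
        return "contains URL separators; URLs are not supported in a domain list"
    body = entry[1:] if entry.startswith("^") else entry
    if "^" in body:
        return "caret is only meaningful as the first character"
    try:
        ipaddress.ip_address(body)
        return "IP addresses are not supported in a domain list"
    except ValueError:
        pass
    seen_fixed = False
    for tok in body.split("."):
        if tok == "*":
            if seen_fixed:
                return "wildcard can only be prepended to the entry"
        elif "*" in tok:
            return "wildcard must be the only character within its token"
        elif LABEL_RE.match(tok):
            seen_fixed = True
        else:
            return f"invalid label {tok!r}"
    if not seen_fixed:
        return "entry has no fixed domain part"
    return None


def matches(entry, hostname):
    """True if hostname matches one valid list entry.

    ^ as the first character: exact match of the rest of the entry.
    * as a leading token: one or more variable subdomain labels.
    A plain entry is treated as an exact match (assumption of this example).
    """
    host_labels = hostname.lower().rstrip(".").split(".")
    if entry.startswith("^"):
        return host_labels == entry[1:].lower().split(".")
    tokens = entry.lower().split(".")
    n_wild = 0
    while n_wild < len(tokens) and tokens[n_wild] == "*":
        n_wild += 1
    suffix = tokens[n_wild:]
    if n_wild == 0:
        return host_labels == suffix
    # Each leading * consumes at least one label (assumption for n_wild > 1),
    # so the host needs n_wild or more labels in front of the fixed suffix.
    return (len(host_labels) >= len(suffix) + n_wild
            and host_labels[len(host_labels) - len(suffix):] == suffix)


def load_domain_list(text):
    """Split a list into (valid_entries, errors); errors are (line, entry, reason)."""
    valid, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.strip()
        if not entry:
            continue
        reason = validate_entry(entry)
        if reason:
            errors.append((lineno, entry, reason))
        else:
            valid.append(entry)
    return valid, errors


def matching_entries(entries, hostname):
    """Every entry that matches hostname; shows overlap between a wildcard
    entry and an exact entry before the list is deployed."""
    return [e for e in entries if matches(e, hostname)]


if __name__ == "__main__":
    valid, errors = load_domain_list(SAMPLE_DOMAIN_LIST)
    for lineno, entry, reason in errors:
        print(f"line {lineno}: {entry!r}: {reason}")
    print("eng.company.com matched by:", matching_entries(valid, "eng.company.com"))
```

Note that *.company.com does not match company.com itself, because the wildcard stands for at least one subdomain label; if the apex domain must also be covered, add ^company.com as a separate entry, which is exactly the overlap matching_entries() makes visible.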