Built-in External Dynamic Lists
Table of Contents
Built-in External Dynamic Lists
With an active Threat Prevention license, Palo Alto
Networks provides built-in IP address EDLs that you can use to protect
against malicious hosts.
- Palo Alto Networks Bulletproof IP Addresses—Contains IP addresses provided by bulletproof hosting providers. Because bulletproof hosting providers place few, if any, restrictions on content, attackers frequently use these services to host and distribute malicious, illegal, and unethical material.
- Palo Alto Networks High-Risk IP Addresses—Contains malicious IP addresses from threat advisories issued by trusted third-party organizations. Palo Alto Networks compiles the list of threat advisories, but does not have direct evidence of the maliciousness of the IP addresses.
- Palo Alto Networks Known Malicious IP Addresses—Contains IP addresses that are verified malicious based on WildFire analysis, Unit 42 research, and data gathered from telemetry (share threat intelligence with Palo Alto Networks). Attackers use these IP addresses almost exclusively to distribute malware, initiate command-and-control activity, and launch attacks.
- Palo Alto Networks Tor Exit IP Addresses—Contains IP addresses supplied by multiple providers and validated with Palo Alto Networks threat intelligence data as active Tor exit nodes. Traffic from Tor exit nodes can serve a legitimate purpose, however, is disproportionately associated with malicious activity, especially in enterprise environments.
The firewall receives updates for these feeds in content updates,
allowing the firewall to automatically enforce policy based on the
latest threat intelligence from Palo Alto Networks. You cannot modify
the contents of the built-in lists. Use them as-is (see Enforce
Policy on an External Dynamic List), or create a custom external
dynamic list that uses one of the lists as a source (see Configure
the Firewall to Access an External Dynamic List) and exclude entries from the list as needed.
