Objects > External Dynamic Lists
An external dynamic list is an address object based on an imported list of IP addresses, URLs, domain names, International Mobile Equipment Identities (IMEIs), or International Mobile Subscriber Identities (IMSIs) that you can use in policy rules to block or allow traffic. This list must be a text file saved to a web server that is accessible by the firewall. By default, the firewall uses the management (MGT) interface to retrieve this list.
With an active Threat Prevention license, Palo Alto Networks provides multiple built-in dynamic IP lists that you can use to block malicious hosts. We update the lists daily based on our latest threat research.
You can use an IP address list as an address object in the source and destination of your policy rules; you can use a URL List in a URL Filtering profile (Objects > Security Profiles > URL Filtering) or as a match criteria in Security policy rules; and you can use a domain list (Objects > Security Profiles > Anti-Spyware Profile) as a sinkhole for specified domain names.
On each firewall model, you can use up to 30 external dynamic lists with unique sources across all Security policy rules. The maximum number of entries that the firewall supports for each list type varies based on the firewall model (refer to the different firewall limits for each external dynamic list type). List entries count toward the maximum limit only if the external dynamic list is used in a policy rule. If you exceed the maximum number of entries that are supported on a firewall model, the firewall generates a System log and skips the entries that exceed the limit. To check the number of IP addresses, domains, URLs, IMEIs, and IMSIs currently used in policy rules and the total number supported on the firewall, select
The external dynamic lists are shown in the order they are evaluated from top to bottom. Use the directional controls at the bottom of the page to change the list order. This enables you to reorder the lists to make sure that the most important entries in an external dynamic list are committed before you reach capacity limits.
You cannot change the external dynamic list order when lists are grouped by type.
To retrieve the latest version of the external dynamic list from the server that hosts it, select an external dynamic list and
You cannot delete, clone, or edit the settings of the Palo Alto Networks malicious IP address feeds.
Add a new external dynamic list and configure the settings described in the table below.
External Dynamic List Settings
Enter a name to identify the external dynamic list (up to 32 characters). This name identifies the list for policy rule enforcement.
(Multiple virtual systems (multi-vsys) and Panorama only)
Enable this option if you want the external dynamic list to be available to:
Disable override
Enable this option to prevent administrators from overriding the settings of this external dynamic list object in device groups that inherit the object. This option is disabled (cleared) by default, which means administrators can override the settings for any device group that inherits the object.
Test Source URL
Test Source URL to verify that the firewall can connect to the server that hosts the external dynamic list.
This test does not check whether the server authenticates successfully.
Create List Tab
You cannot mix IP addresses, URLs, and domain names in a single list. Each list must include entries of only one type.
Select from the following types of external dynamic lists:
Enter a description for the external dynamic list (up to 255 characters).
If your external dynamic list contains subdomains, these expanded entries count toward the capacity of your appliance model. You can disable this feature if you want to define subdomains manually. However, subdomains that are not explicitly defined in the list are then not evaluated by policy rules.
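The one-type-per-list rule, the model capacity limit with its silently skipped entries, and the subdomain-expansion cost described above can all be checked before a list file is published. The validator below is an added example, not Palo Alto Networks code; the '#' comment syntax, the accepted IP entry forms, the doubling cost of subdomain expansion, and the capacity figure passed in are assumptions, and the sample lists are constructed.

```python
"""Pre-publication check for an External Dynamic List (EDL) text file.
Added example, not Palo Alto Networks code. Assumed (not stated on the page):
one entry per line, '#' starts a comment, IP entries may be one address, a CIDR
block or a 'start-end' range, subdomain expansion doubles each domain entry's
cost, and the model capacity figure is supplied by the caller."""
import ipaddress
import re
from collections import Counter

# Constructed sample files: a homogeneous IP list and a mixed list that must fail.
IP_LIST = "# comment\n203.0.113.7\n198.51.100.0/24\n192.0.2.10-192.0.2.20\n2001:db8::/32\n"
MIXED_LIST = "203.0.113.7\nexample.com\n"
DOMAIN_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+$")


def _is_ip(entry):
    try:
        if "-" in entry:  # 'start-end' range form
            lo, hi = entry.split("-", 1)
            return ipaddress.ip_address(lo) <= ipaddress.ip_address(hi)
        ipaddress.ip_network(entry, strict=False)
        return True
    except ValueError:
        return False


def classify(entry):
    """Return 'ip', 'domain', 'url', or None if the entry fits no list type."""
    if _is_ip(entry):
        return "ip"
    if DOMAIN_RE.match(entry):
        return "domain"
    if "/" in entry or "*" in entry:  # path or wildcard: URL-list entry
        return "url"
    return None


def parse_edl(text):
    # Drop comments and blank lines, keeping entries in file order.
    lines = (raw.split("#", 1)[0].strip() for raw in text.splitlines())
    return [line for line in lines if line]


def validate_edl(text, capacity, expand_subdomains=False):
    """Reject mixed or malformed lists and report the entries past capacity."""
    entries = parse_edl(text)
    kinds = Counter(classify(e) for e in entries)
    if None in kinds or len(kinds) != 1:
        raise ValueError("list must hold exactly one valid entry type, got %s" % dict(kinds))
    kind = next(iter(kinds))
    cost = 2 if kind == "domain" and expand_subdomains else 1
    # The firewall skips entries past the model limit, so the file's tail goes unenforced.
    skipped = entries[capacity // cost:] if len(entries) * cost > capacity else []
    return {"type": kind, "entries": len(entries), "used": len(entries) * cost, "skipped": skipped}
```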
IP List, Domain List, or URL List only)
If the external dynamic list has an HTTPS URL, select an existing certificate profile (firewall and Panorama) or create a new certificate profile (firewall only) for authenticating the web server that hosts the list. For more information on configuring a certificate profile, see Device > Certificate Management > Certificate Profile.
None (Disable Cert profile)
To maximize the number of external dynamic lists that you can use to enforce policy, use the same certificate profile to authenticate external dynamic lists that use the same source URL so that the lists count as only one external dynamic list. External dynamic lists from the same source URL that use different certificate profiles are counted as unique external dynamic lists.
Enable this option (disabled by default) to add a username and password that the firewall will use when accessing an external dynamic list source that requires basic HTTP authentication. This setting is available only when the external dynamic list has an HTTPS URL.
Check for updates
Specify the frequency at which the firewall retrieves the list from the web server. You can set the interval to every
Every Five Minutes (default),
Monthly, at which the firewall retrieves the list. The interval is relative to the last commit. So, for the five-minute interval, the commit occurs in 5 minutes if the last commit was an hour ago. The commit updates all policy rules that reference the list so that the firewall can successfully enforce policy rules.
You do not have to configure a frequency for a predefined IP list because the firewall dynamically receives content updates with an active Threat Prevention license.
List Entries and Exceptions Tab
Displays the entries in the external dynamic list.
Displays exceptions to the external dynamic list.