) Customize the service route that the firewall uses to retrieve external dynamic lists.
Service Route Configuration
and modify the
The firewall does not use the External Dynamic Lists service route to retrieve Built-in External Dynamic Lists; content updates modify or update the contents of those lists (active Threat Prevention license required).
Find an external dynamic list to use with the firewall. Create an external dynamic list and host it on a web server. Enter IP addresses, domains, or URLs in a blank text file. Each list entry must be on a separate line. For example:
share the list with all virtual systems on a device that is enabled
for multiple virtual systems. By default, the object is created
on the virtual system that is currently selected in the
As a best practice, Palo Alto Networks recommends using shared EDLs when multiple virtual systems are used. Using individual EDLs with duplicate entries for each vsys uses more memory, which might over-utilize firewall resources.
ensure that a firewall administrator cannot override settings locally
on a firewall that inherits this configuration through a Device
Group commit from Panorama.
If you are using a Domain List, you can optionally enable
expand to include subdomains
to also include the subdomains of a specified domain. For example, if your domain list includes paloaltonetworks.com, all lower-level components of the domain name (e.g., *.paloaltonetworks.com) will also be included as part of the list. Keep in mind that when this setting is enabled, each domain in a given list requires an additional entry, effectively doubling the number of entries that are consumed.
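The list format described above (one IP address, domain, or URL per line) and the entry-doubling effect of expand to include subdomains can both be checked before a list is published to the web server. The following validator is an added example, not code from the original page or from Palo Alto Networks. It assumes a file is loaded as a single EDL type (ip, domain, or url), treats lines beginning with # as comments (an assumption of this example, not something the page states), uses a constructed sample list, and approximates the firewall's capacity accounting as the paragraph describes: one entry per valid line, plus one more per domain when subdomain expansion is enabled.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample of an EDL source file: one entry per line. The comment
# line and the last entry are deliberate, to show what the validator reports.
SAMPLE_EDL = """\
# constructed example list, not a real feed
198.51.100.7
203.0.113.0/24
2001:db8::/32
paloaltonetworks.com
mail.example.net
https://example.org/malware/path
example.com/landing
not a valid entry
"""

# Hostname syntax: dotted labels of 1-63 chars, no leading/trailing hyphen,
# alphabetic top-level label, 253 chars overall.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)(?:[a-z0-9-]{1,63}(?<!-)\.)+[a-z]{2,63}$", re.IGNORECASE
)


def _is_host(host):
    """A URL host may be a literal IP address or a syntactically valid domain."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return bool(DOMAIN_RE.match(host))


def classify(entry):
    """Return 'ip', 'domain', 'url' or 'invalid' for one list entry."""
    try:
        # Accepts single addresses and CIDR ranges, IPv4 and IPv6.
        ipaddress.ip_network(entry, strict=False)
        return "ip"
    except ValueError:
        pass
    if DOMAIN_RE.match(entry):
        return "domain"
    # URL entries may or may not carry a scheme; add one so urlsplit can parse.
    candidate = entry if "://" in entry else "http://" + entry
    try:
        parts = urlsplit(candidate)
    except ValueError:
        return "invalid"
    if parts.netloc and _is_host(parts.hostname or ""):
        return "url"
    return "invalid"


def parse_edl(text):
    """Split list text into (line_number, entry, kind) tuples, skipping blank and # lines."""
    rows = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        entry = raw.strip()
        if not entry or entry.startswith("#"):
            continue
        rows.append((lineno, entry, classify(entry)))
    return rows


def consumed_entries(rows, expand_subdomains=False):
    """Approximate the entries the firewall consumes for this list.

    Each valid line costs one entry; with subdomain expansion enabled each
    domain costs a second entry for its *.domain wildcard (assumed model).
    """
    total = 0
    for _, _, kind in rows:
        if kind == "invalid":
            continue
        total += 1
        if kind == "domain" and expand_subdomains:
            total += 1
    return total


def validate(text, list_type):
    """Check a list against the EDL type it will be loaded as ('ip', 'domain' or 'url').

    Returns counts per kind plus the line numbers of invalid entries and of
    entries whose kind does not match list_type.
    """
    counts = {"ip": 0, "domain": 0, "url": 0, "invalid": 0}
    invalid, mismatched = [], []
    for lineno, _, kind in parse_edl(text):
        counts[kind] += 1
        if kind == "invalid":
            invalid.append(lineno)
        elif kind != list_type:
            mismatched.append(lineno)
    return {"counts": counts, "invalid_lines": invalid, "mismatched_lines": mismatched}


if __name__ == "__main__":
    rows = parse_edl(SAMPLE_EDL)
    print(validate(SAMPLE_EDL, "domain"))
    print("entries consumed:", consumed_entries(rows),
          "with subdomain expansion:", consumed_entries(rows, expand_subdomains=True))
```

Run against the sample as a domain list, the report flags line 9 as invalid and lines 2, 3, 4, 7 and 8 as the wrong kind for a Domain List; the consumed-entry figures (7 without expansion, 9 with it, since the sample has two domains) are what the validator would compare against the firewall's EDL capacity before the list is ordered for commit.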
for the list
you just created on the web server. The source must include the
full path to access the list. For example,
If you are creating a Predefined IP external dynamic
list, select a Palo Alto Networks malicious IP address feed to use
as a source.
If you are creating a Predefined URL external dynamic list,
as a source.
If the list source is secured with SSL (i.e., lists with an HTTPS URL), enable server authentication. Select a
or create a
New Certificate Profile
authenticating the server that hosts the list. The certificate profile
you select must have root certificate authority (CA) and intermediate
CA certificates that match the certificates installed on the server
you are authenticating.
Maximize the number of external dynamic lists that you can use to enforce policy. Use the same certificate profile to authenticate external dynamic lists from the same source URL. If you assign different certificate profiles to external dynamic lists from the same source URL, the firewall counts each list as a unique external dynamic list.
Enable client authentication if the list source has an HTTPS URL and requires basic HTTP authentication for list access.
Enter a valid
Not available on Panorama or for Predefined URL
Test Source URL
that the firewall can connect to the web server.
Test Source URL
is not available when authentication is used for EDL access.
) Specify the frequency at which the
Check for updates
list. By default, the firewall retrieves the list once every hour
and commits the changes.
) EDLs are shown top to bottom, in order of evaluation. Use the directional controls at the bottom of the page to change the list order. This allows you to order the lists so that the most important EDLs are committed before capacity limits are reached.