Learn how to block or allow traffic based on IP addresses or URLs in an external
dynamic list, or use a dynamic domain list with a DNS sinkhole to prevent access to
malicious domains.
Tips for enforcing policy on the firewall with external dynamic lists:
When viewing external dynamic lists on the firewall (Objects > External Dynamic Lists), click List Capacities to compare how many IP addresses, domains, and URLs are currently used in policy with the total number of entries the firewall supports for each list type.
Use Global Find to search the firewall or Panorama management server for a domain, IP address, or URL that belongs to one or more external dynamic lists used in policy. This is useful for determining which external dynamic list (referenced in a Security policy rule) is causing the firewall to block or allow a certain domain, IP address, or URL.
Use the directional controls at the bottom of the page to change the evaluation order of external dynamic lists. This lets you order the lists so that the most important entries are committed before capacity limits are reached.
To verify the policy rule that matches a flow, select Device > Troubleshooting and execute a Security Policy Match test.
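The Global Find and evaluation-order tips above, as an added example that is not from the page or from Palo Alto Networks: a Python model that commits list entries in evaluation order against assumed per-type capacities (the real limits are model-specific and shown under List Capacities) and looks up which lists contain a given IP address, domain, or URL. The list names and entries are constructed sample data.

```python
import ipaddress

# Constructed sample list contents (not from the page), in the evaluation
# order set under Objects > External Dynamic Lists.
EDLS_IN_ORDER = [
    ("critical-blocklist", "ip", ["198.51.100.0/24", "203.0.113.7"]),
    ("vendor-feed", "ip", ["192.0.2.1", "192.0.2.2", "192.0.2.3"]),
    ("bad-domains", "domain", ["malware.example", "phish.example"]),
    ("bad-urls", "url", ["example.net/login.php", "example.org/dl/"]),
]

# Assumed per-type capacities, kept tiny so truncation is visible.
CAPACITY = {"ip": 4, "domain": 10, "url": 10}


def commit_lists(edls, capacity):
    """Walk the lists in evaluation order and commit entries until each
    type's capacity is used up. Returns (committed, dropped), both keyed
    by list name, so the effect of reordering lists is visible."""
    used = {t: 0 for t in capacity}
    committed, dropped = {}, {}
    for name, ltype, entries in edls:
        for entry in entries:
            if used[ltype] < capacity[ltype]:
                used[ltype] += 1
                committed.setdefault(name, []).append(entry)
            else:
                dropped.setdefault(name, []).append(entry)
    return committed, dropped


def find_entry(edls, value):
    """Offline analogue of Global Find: names of the lists that contain the
    given domain, URL or IP address (IPs also match a listed CIDR block)."""
    hits = []
    for name, ltype, entries in edls:
        if ltype == "ip":
            try:
                addr = ipaddress.ip_address(value)
            except ValueError:
                continue  # a domain or URL cannot match an IP list
            if any(addr in ipaddress.ip_network(e, strict=False) for e in entries):
                hits.append(name)
        elif value in entries:
            hits.append(name)
    return hits


if __name__ == "__main__":
    committed, dropped = commit_lists(EDLS_IN_ORDER, CAPACITY)
    print("dropped beyond capacity:", dropped)
    print("lists containing 198.51.100.77:", find_entry(EDLS_IN_ORDER, "198.51.100.77"))
```

Swapping the first two lists in EDLS_IN_ORDER moves the dropped entry from the vendor feed to the critical blocklist, which is the situation the ordering controls exist to prevent.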
Use a predefined URL external dynamic list to exclude from Authentication policy the benign domains that applications use for background traffic.
When you select the panw-auth-portal-exclude-list external dynamic list type, you can easily exclude from Authentication policy enforcement the domains that many applications use for background traffic, such as updates and other trusted services. This ensures that the firewall does not block the necessary traffic for these services and that application maintenance is not interrupted.
1. Select Policies > Authentication.
2. In the Service/URL Category tab, select the predefined URL external dynamic list as the URL Category.
3. In the Actions tab, select default-no-captive-portal as the Authentication Enforcement.
4. Click OK.
5. Move the rule to the top so that it is the first rule in the policy.