Objects > External Dynamic Lists
Table of Contents
Expand all | Collapse all
-
- Firewall Overview
- Features and Benefits
- Last Login Time and Failed Login Attempts
- Message of the Day
- Task Manager
- Language
- Alarms
- Commit Changes
- Save Candidate Configurations
- Revert Changes
- Lock Configurations
- Global Find
- Threat Details
- AutoFocus Intelligence Summary
- Configuration Table Export
- Change Boot Mode
-
- Objects > Addresses
- Objects > Address Groups
- Objects > Regions
- Objects > Dynamic User Groups
- Objects > Application Groups
- Objects > Application Filters
- Objects > Services
- Objects > Service Groups
- Objects > Devices
- Objects > External Dynamic Lists
- Objects > Custom Objects > Spyware/Vulnerability
- Objects > Custom Objects > URL Category
- Objects > Security Profiles > Antivirus
- Objects > Security Profiles > Anti-Spyware Profile
- Objects > Security Profiles > Vulnerability Protection
- Objects > Security Profiles > File Blocking
- Objects > Security Profiles > WildFire Analysis
- Objects > Security Profiles > Data Filtering
- Objects > Security Profiles > DoS Protection
- Objects > Security Profiles > Mobile Network Protection
- Objects > Security Profiles > SCTP Protection
- Objects > Security Profile Groups
- Objects > Log Forwarding
- Objects > Authentication
- Objects > Packet Broker Profile
- Objects > Schedules
-
-
- Firewall Interfaces Overview
- Common Building Blocks for Firewall Interfaces
- Common Building Blocks for PA-7000 Series Firewall Interfaces
- Tap Interface
- HA Interface
- Virtual Wire Interface
- Virtual Wire Subinterface
- PA-7000 Series Layer 2 Interface
- PA-7000 Series Layer 2 Subinterface
- PA-7000 Series Layer 3 Interface
- Layer 3 Interface
- Layer 3 Subinterface
- Log Card Interface
- Log Card Subinterface
- Decrypt Mirror Interface
- Aggregate Ethernet (AE) Interface Group
- Aggregate Ethernet (AE) Interface
- Network > Interfaces > VLAN
- Network > Interfaces > Loopback
- Network > Interfaces > Tunnel
- Network > Interfaces > SD-WAN
- Network > VLANs
- Network > Virtual Wires
-
- Network > Routing > Logical Routers > General
- Network > Routing > Logical Routers > Static
- Network > Routing > Logical Routers > OSPF
- Network > Routing > Logical Routers > OSPFv3
- Network > Routing > Logical Routers > RIPv2
- Network > Routing > Logical Routers > BGP
- Network > Routing > Logical Routers > Multicast
-
- Network > Routing > Routing Profiles > BGP
- Network > Routing > Routing Profiles > BFD
- Network > Routing > Routing Profiles > OSPF
- Network > Routing > Routing Profiles > OSPFv3
- Network > Routing > Routing Profiles > RIPv2
- Network > Routing > Routing Profiles > Filters
- Network > Routing > Routing Profiles > Multicast
-
- Network > Network Profiles > GlobalProtect IPSec Crypto
- Network > Network Profiles > IPSec Crypto
- Network > Network Profiles > IKE Crypto
- Network > Network Profiles > Monitor
- Network > Network Profiles > Interface Mgmt
- Network > Network Profiles > QoS
- Network > Network Profiles > LLDP Profile
- Network > Network Profiles > SD-WAN Interface Profile
-
-
- Device > Setup
- Device > Setup > Management
- Device > Setup > Interfaces
- Device > Setup > Telemetry
- Device > Setup > Content-ID
- Device > Setup > WildFire
- Device > Setup > ACE
- Device > Setup > DLP
- Device > Log Forwarding Card
- Device > Config Audit
- Device > Administrators
- Device > Admin Roles
- Device > Access Domain
- Device > Authentication Sequence
- Device > Device Quarantine
-
- Security Policy Match
- QoS Policy Match
- Authentication Policy Match
- Decryption/SSL Policy Match
- NAT Policy Match
- Policy Based Forwarding Policy Match
- DoS Policy Match
- Routing
- Test Wildfire
- Threat Vault
- Ping
- Trace Route
- Log Collector Connectivity
- External Dynamic List
- Update Server
- Test Cloud Logging Service Status
- Test Cloud GP Service Status
- Device > Virtual Systems
- Device > Shared Gateways
- Device > Certificate Management
- Device > Certificate Management > Certificate Profile
- Device > Certificate Management > OCSP Responder
- Device > Certificate Management > SSL/TLS Service Profile
- Device > Certificate Management > SCEP
- Device > Certificate Management > SSL Decryption Exclusion
- Device > Certificate Management > SSH Service Profile
- Device > Response Pages
- Device > Server Profiles
- Device > Server Profiles > SNMP Trap
- Device > Server Profiles > Syslog
- Device > Server Profiles > Email
- Device > Server Profiles > HTTP
- Device > Server Profiles > NetFlow
- Device > Server Profiles > RADIUS
- Device > Server Profiles > SCP
- Device > Server Profiles > TACACS+
- Device > Server Profiles > LDAP
- Device > Server Profiles > Kerberos
- Device > Server Profiles > SAML Identity Provider
- Device > Server Profiles > DNS
- Device > Server Profiles > Multi Factor Authentication
- Device > Local User Database > Users
- Device > Local User Database > User Groups
- Device > Scheduled Log Export
- Device > Software
- Device > Dynamic Updates
- Device > Licenses
- Device > Support
- Device > Policy Recommendation > IoT
- Device > Policy > Recommendation SaaS
-
- Network > GlobalProtect > MDM
- Network > GlobalProtect > Clientless Apps
- Network > GlobalProtect > Clientless App Groups
- Objects > GlobalProtect > HIP Profiles
-
- Use the Panorama Web Interface
- Context Switch
- Panorama Commit Operations
- Defining Policies on Panorama
- Log Storage Partitions for a Panorama Virtual Appliance in Legacy Mode
- Panorama > Setup > Interfaces
- Panorama > High Availability
- Panorama > Administrators
- Panorama > Admin Roles
- Panorama > Access Domains
- Panorama > Device Groups
- Panorama > Plugins
- Panorama > Log Ingestion Profile
- Panorama > Log Settings
- Panorama > Server Profiles > SCP
- Panorama > Scheduled Config Export
- Panorama > Device Registration Auth Key
Objects > External Dynamic Lists
An external dynamic list is
an address object based on an imported list of IP addresses, URLs,
domain names, International Mobile Equipment Identities (IMEIs),
or International Mobile Subscriber Identities (IMSIs) that you can
use in policy rules to block or allow traffic. This list must be
a text file saved to a web server that is accessible by the firewall.
By default, the firewall uses the management (MGT) interface to
retrieve this list.
With an active Threat Prevention license, Palo Alto Networks
provides multiple built-in dynamic IP lists that you can
use to block malicious hosts. We update the lists daily based
on our latest threat research.
You can use an IP address list as an address object in the source
and destination of your policy rules; you can use a URL list in
a URL Filtering profile (Objects
> Security Profiles > URL Filtering) or as match criteria
in Security policy rules; and you can use a domain list (Objects
> Security Profiles > Anti-Spyware Profile) as a sinkhole
for specified domain names.
On each firewall model, you can use up to 30 external dynamic
lists with unique sources across all Security policy rules. The
maximum number of entries that the firewall supports for each list
type varies based on the firewall model (refer to the different
firewall limits for each external dynamic list type).
List entries count toward the maximum only if the external dynamic
list is used in a policy rule. If you exceed the maximum number
of entries the model supports, the firewall generates a System log
and skips the entries that exceed the limit. To check the number
of IP addresses, domains, URLs, IMEIs, and IMSIs currently used
in policy rules and the total number supported on the firewall,
select List Capacities (firewall only).
The external dynamic lists display in the order they are evaluated,
from top to bottom. To reorder the lists, use the directional controls
at the bottom of the page. You can move the external dynamic lists
with the most important entries to the top to ensure they are committed
before you reach capacity limits.
You cannot change the order of your external dynamic lists
when Group By Type is enabled.
To retrieve the latest version of an external dynamic list from
the server that hosts it, select the external dynamic list and click Import Now.
You cannot delete, clone, or edit the settings of the Palo
Alto Networks malicious IP address feeds.
Add a new external dynamic list and configure
the settings described in the table below.
External Dynamic List
Settings | Description |
---|---|
Name | Enter a name to identify the external dynamic
list (up to 32 characters). This name identifies the list for policy
rule enforcement. |
Shared (Multiple virtual systems
(multi-vsys) and Panorama only) | Enable this option if you want the external
dynamic list to be available to:
|
Disable override (Panorama only) | Enable this option to prevent administrators
from overriding the settings of this external dynamic list object
in device groups that inherit the object. This option is disabled
(cleared) by default, which means administrators can override the
settings for any device group that inherits the object. |
Test Source URL (Firewall only) | Test Source URL to
verify that the firewall can connect to the server that hosts the
external dynamic list. This test does not check whether
the server authenticates successfully. |
Create List Tab | |
Type You cannot mix IP addresses, URLs,
and domain names in a single list. Each list must include entries
of only one type. | Select from the following types of external
dynamic lists:
|
Type (cont) |
|
Description | Enter a description for the external dynamic
list (up to 255 characters). |
Source |
If
your external dynamic list contains subdomains, these expanded entries
count towards your appliance model capacity count. To manually define
subdomains, you can disable this feature. However, if you disable
this feature, subdomains will not be evaluated by policy rules unless
you explicitly define them in the list. |
Certificate Profile (IP List, Domain
List, or URL List only) | If the external dynamic list has an HTTPS
URL, select an existing certificate profile (firewall and Panorama)
or create a new Certificate Profile (firewall
only) for authenticating the web server that hosts the list.
For more information on configuring a certificate profile, see Device
> Certificate Management > Certificate Profile. Default: None
(Disable Cert profile) To
maximize the number of external dynamic lists you can use to enforce
policy, use the same certificate profile to authenticate external
dynamic lists from the same source URL. These lists count as only
one external dynamic list. Otherwise, external dynamic lists from
the same source URL that use different certificate profiles count
as unique external dynamic lists. |
Client Authentication | Enable this option (disabled by default)
to add a username and password that the firewall will use when accessing
an external dynamic list source that requires basic HTTP authentication.
This setting is available only when the external dynamic list has
an HTTPS URL.
|
Check for updates | Specify the frequency at which the firewall
retrieves the list from the web server. You can set the interval
to Every Five Minutes (default), Hourly, Daily, Weekly,
or Monthly. The interval is relative to the last
commit. For example, if you select the five-minute interval, a commit
occurs in 5 minutes if the last commit was an hour ago. The commit
updates all policy rules that reference the list. You
do not have to specify a frequency for a predefined IP list because
the firewall dynamically receives content updates with an active
Threat Prevention license. |
List Entries and Exceptions Tab | |
List Entries | Displays the entries in the external dynamic
list.
|
Manual Exceptions | Displays exceptions to the external dynamic
list.
|