Enforce Policy on an External Dynamic List
Focus
Focus

Enforce Policy on an External Dynamic List

Table of Contents

Enforce Policy on an External Dynamic List

Learn how to block or allow traffic based on IP addresses or URLs in an external dynamic list, or use a dynamic domain list with a DNS sinkhole to prevent access to malicious domains.
Block or allow traffic based on IP addresses or URLs in an external dynamic list, or use a dynamic domain list with a DNS sinkhole to prevent access to malicious domains.
Tips for enforcing policy on the firewall with external dynamic lists:
  • When viewing external dynamic lists on the firewall (
    Objects
    External Dynamic Lists
    ), click
    List Capacities
    to compare how many IP addresses, domains, and URLs are currently used in policy with the total number of entries the firewall supports for each list type.
  • Use Global Find to search the firewall or Panorama management server for an IP address that belongs to one or more external dynamic lists used in the policy. This is useful for determining which external dynamic list (referenced in a Security policy rule) is causing the firewall to block or allow a certain domain, IP address, or URL.
  • Use the directional controls at the bottom of the page to change the evaluation order of external dynamic lists. This allows you to or order the lists to make sure the most important entries in an external dynamic list are committed before capacity limits are reached.
    You can only change the order of the lists when
    Group By Type
    is deselected.
  • Use an external dynamic list of URL type as match criteria in a Security policy rule.
    1. Select
      Policies
      Security
      .
    2. Click
      Add
      , and enter a descriptive
      Name
      for the rule.
    3. In the
      Source
      tab, select a
      Source Zone
      .
    4. In the
      Destination
      tab, select a
      Destination Zone
      .
    5. In the
      Service/URL Category
      tab, click
      Add
      to select an external dynamic list for use as
      URL Category
      match criteria.
    6. In the
      Actions
      tab, set Action Setting to
      Allow
      or
      Deny
      .
    7. Click
      OK
      , and
      Commit
      your changes.
    8. Verify whether entries in the external dynamic list were ignored or skipped.
      Use the following CLI command on a firewall to review the details for a list.
      request system external-list show type
      <domain
      |
      ip
      |
      url> name_of_list
      For example:
      request system external-list show type url EBL_ISAC_Alert_List
    9. Test that the policy action is enforced.
      1. View external dynamic list entries and attempt to access a URL from the list.
      2. Verify that the action you defined is enforced.
      3. To monitor the activity on the firewall:
        • Select
          ACC
          , and add a URL Domain as a global filter to view the Network Activity and Blocked Activity for the URL you accessed.
        • Select
          Monitor
          Logs
          URL Filtering
          to access the detailed log view.
  • Use an external dynamic list of IP address type as a Source or Destination Address Object in a Security policy rule.
    This capability is useful if you deploy new servers and want to allow access to the newly deployed servers without requiring a firewall commit.
    1. Select
      Policies
      Security
      .
    2. Click
      Add
      , and enter a descriptive
      Name
      for the rule.
    3. In the
      Source
      and
      Destination
      tabs, select an external dynamic list for
      Source Address
      and
      Destination Address
      .
    4. In the
      Service/URL Category
      tab, set
      Service
      to
      application-default
      .
    5. In the Actions tab, set Action Setting to
      Allow
      or
      Deny
      .
      Create separate external dynamic lists to specify allow and deny actions for specific IP addresses.
    6. Leave all the other options at the default values.
    7. Click
      OK
      , and
      Commit
      your changes.
    8. Test that the policy action is enforced.
      1. View external dynamic list entries and attempt to access an IP address from the list.
      2. Verify that the defined action is enforced.
      3. Select
        Monitor
        Logs
        Traffic
        and view the log entry for the session.
      4. To verify the policy rule that matches a flow, select
        Device
        Troubleshooting
        , and execute a Security Policy Match test:
  • Use a predefined URL external dynamic list to exclude benign domains that applications use for background traffic from Authentication policy.
    When you select the
    panw-auth-portal-exclude-list
    external dynamic list type, you can easily exclude from Authentication policy enforcement the domains that many applications use for background traffic, such as updates and other trusted services. This ensures that the firewall does not block the necessary traffic for these services and that application maintenance is not interrupted.
    1. Select
      Policies
      Authentication
      .
    2. In the
      Service/URL Category
      tab, select the predefined URL external dynamic list as the
      URL Category
      .
    3. In the
      Actions
      tab, select
      default-no-captive-portal
      as the
      Authentication Enforcement
      .
    4. Click
      OK
      .
    5. Move
      the rule to the top so that it's the first rule in the policy.
    6. Commit
      your changes.

Recommended For You