Enforce Policy on Entries in an External Dynamic List
1. Create the external dynamic list and host it on a web server so that the firewall can retrieve the list for policy evaluation.
   a. Create a text file and enter the URLs, domains, or IP addresses in the file. To prevent commit errors and invalid entries, do not prefix http:// or https:// to any of the entries. See Formatting Guidelines for an External Dynamic List.
   b. Alternatively, use MineMeld to generate an external dynamic list based on the contents of multiple threat feeds.

2. Configure the firewall to access the external dynamic list.
   a. Select Objects > External Dynamic Lists.
   b. Click Add and enter a descriptive Name for the list.
   c. (Optional) Select Shared to share the list with all virtual systems on a device that is enabled for multiple virtual systems. By default, the object is created on the virtual system that is currently selected in the Virtual Systems drop-down.
   d. (Panorama only) Select Disable override to ensure that a firewall administrator cannot override settings locally on a firewall that inherits this configuration through a Device Group commit from Panorama.
   e. In the Type drop-down, select the list type, for example, URL List. Ensure that the list only includes entries for that list type; see Verify whether entries in the external dynamic list were ignored or skipped below.
   f. Enter the Source for the list you just created on the web server. The source must include the full path to access the list, for example, https://1.2.3.4/EDL_IP_2015.
   g. Click Test Source URL to verify that the firewall can connect to the web server (not available on Panorama). If the web server becomes unreachable after the connection has been established, the firewall uses the last successfully retrieved list to enforce policy until the connection with the web server is restored.
   h. (Optional) Specify the Repeat frequency at which the firewall retrieves the list. By default, the firewall retrieves the list once every hour and commits the changes. The interval is measured from the last commit; with a five-minute interval, for example, the commit occurs in 5 minutes if the last commit was an hour ago. To retrieve the list immediately, see Retrieve an External Dynamic List from the Web Server.
   i. Click OK.

3. Use the external dynamic list in a security profile or directly in a policy rule, as supported. See the following:
   - Use an External Dynamic List in a URL Filtering Profile
   - Configure DNS Sinkholing for a List of Custom Domains
   - Use an external dynamic list of Type URL as Match Criteria in a Security Policy Rule
   - Use an external dynamic list of Type IP as a Source or Destination Address Object in a Security Policy Rule

Use an external dynamic list of Type URL as Match Criteria in a Security Policy Rule. You can also Use an External Dynamic List in a URL Filtering Profile.
   a. Select Policies > Security.
   b. Click Add and enter a descriptive Name for the rule.
   c. In the Source tab, select the Source Zone.
   d. In the Destination tab, select the Destination Zone.
   e. In the Service/URL Category tab, click Add to select the appropriate external dynamic list from the URL Category list.
   f. In the Actions tab, set the Action Setting to Allow or Deny.
   g. Click OK and Commit.

Verify whether entries in the external dynamic list were ignored or skipped. Use the following CLI command on a firewall to review the details for a list:

   request system external-list show type <domain | ip | url> name_of_list

For example:

   request system external-list show type url EBL_ISAC_Alert_List

Test that the policy action is enforced.
   a. Attempt to access a URL that is included in the external dynamic list.
   b. Verify that the action you defined is enforced in the browser.
   c. To monitor the activity on the firewall, select ACC and add a URL Domain as a global filter to view the Network Activity and Blocked Activity for the URL you accessed. Select Monitor > Logs > URL Filtering to access the detailed log view.

Use an external dynamic list of Type IP as a Source or Destination Address Object in a Security Policy Rule. This capability is useful if you deploy new servers and want to allow access to the newly deployed servers without requiring a firewall commit.
   a. Select Policies > Security.
   b. Click Add and give the rule a descriptive name in the General tab.
   c. In the Source tab, select the Source Zone and optionally select the external dynamic list as the Source Address.
   d. In the Destination tab, select the Destination Zone and optionally select the external dynamic list as the Destination Address.
   e. In the Service/URL Category tab, make sure the Service is set to application-default.
   f. In the Actions tab, set the Action Setting to Allow or Deny. Create separate external dynamic lists if you want to specify allow and deny actions for specific IP addresses.
   g. Leave all the other options at the default values.
   h. Click OK to save the changes.
   i. Commit the changes.

Test that the policy action is enforced.
   a. Access an IP address that is included in the external dynamic list and verify that the action you defined is enforced.
   b. Select Monitor > Logs > Traffic and view the log entry for the session.
   c. To verify the policy rule that matches a flow, use the following CLI command:

   test security-policy-match source <IP_address> destination <IP_address> destination port <port_number> protocol <protocol_number>
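A pre-publication check for the list file, added here as an example; it is not PAN-OS code and not part of this documentation. It reads a text file in the form described above and flags entries that carry an http:// or https:// prefix (which the page says leads to commit errors and invalid entries) or whose form does not match the list type chosen in the firewall object, so problems surface before the file is hosted rather than at commit time. The classification heuristics, the constructed sample entries, and the rule that a URL list also accepts bare domains are assumptions of this checker; the authoritative rules are in Formatting Guidelines for an External Dynamic List, and the firewall's own view of skipped entries comes from request system external-list show.

```python
import ipaddress
import re

# Constructed sample list files (not real feeds), one per list type. Each
# includes entries that violate the guidance above: a scheme prefix, and an
# entry whose form does not match the list type.
SAMPLE_IP_LIST = """\
192.0.2.10
198.51.100.0/24
2001:db8::/32
http://203.0.113.5
evil.example
"""

SAMPLE_URL_LIST = """\
example.com/downloads/
bad.example
https://bad.example/login
not a url
"""

SCHEME_RE = re.compile(r"^https?://", re.I)
# Hostname: dot-separated labels, alphanumeric with inner hyphens, alphabetic TLD.
HOST_RE = re.compile(
    r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I
)

# Assumed acceptance table for this checker, derived from the rule that a list
# must only contain entries for its list type. Treating a bare domain as a valid
# entry of a URL list is an assumption, not documented PAN-OS behaviour.
ACCEPTED = {"ip": {"ip"}, "domain": {"domain"}, "url": {"url", "domain"}}


def classify(entry):
    """Heuristic classification (an assumption, not PAN-OS parsing logic):
    'ip' for an address or CIDR range, 'domain' for a bare hostname,
    'url' for a hostname followed by a path, otherwise 'invalid'."""
    try:
        ipaddress.ip_network(entry, strict=False)
        return "ip"
    except ValueError:
        pass
    if HOST_RE.match(entry):
        return "domain"
    host, sep, _path = entry.partition("/")
    if sep and HOST_RE.match(host):
        return "url"
    return "invalid"


def validate(text, list_type):
    """Check every non-blank line of an EDL file against the chosen list type.

    Returns a dict with four lists: 'ok', 'scheme_prefixed' (entry starts with
    http:// or https://), 'wrong_type' (entry form does not match list_type)
    and 'invalid' (entry matches no known form)."""
    if list_type not in ACCEPTED:
        raise ValueError(f"unknown list type: {list_type}")
    report = {"ok": [], "scheme_prefixed": [], "wrong_type": [], "invalid": []}
    for raw in text.splitlines():
        entry = raw.strip()
        if not entry:
            continue
        if SCHEME_RE.match(entry):
            report["scheme_prefixed"].append(entry)
            continue
        kind = classify(entry)
        if kind == "invalid":
            report["invalid"].append(entry)
        elif kind in ACCEPTED[list_type]:
            report["ok"].append(entry)
        else:
            report["wrong_type"].append(entry)
    return report


if __name__ == "__main__":
    for name, text, list_type in (
        ("ip list", SAMPLE_IP_LIST, "ip"),
        ("url list", SAMPLE_URL_LIST, "url"),
    ):
        print(f"== {name} (type {list_type}) ==")
        for bucket, entries in validate(text, list_type).items():
            for entry in entries:
                print(f"{bucket:16s} {entry}")
```

Run it against the file before copying it to the web server; anything reported under scheme_prefixed or wrong_type should be corrected or moved to a list of the matching type, since the firewall object is bound to a single Type.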