Enforce Policy on Entries in an External Dynamic List
- Create the external dynamic list and host it on a web server so that the firewall can retrieve the list for policy evaluation.Create a text file and enter the URLs, domains, or IP addresses in the file.
- Configure the firewall to access the external dynamic list.
- Select.ObjectsExternal Dynamic Lists
- ClickAddand enter a descriptiveNamefor the list.
- (Optional) SelectSharedto share the list with all virtual systems on a device that is enabled for multiple virtual systems. By default, the object is created on the virtual system that is currently selected in theVirtual Systemsdrop-down.
- (Panorama only) SelectDisable overrideto ensure that a firewall administrator cannot override settings locally on a firewall that inherits this configuration through a Device Group commit from Panorama.
- In the Type drop-down, select the list type, for example,URL List.
- Enter theSourcefor the list you just created on the web server. The source must include the full path to access the list. For example, https://22.214.171.124/EDL_IP_2015.
- ClickTest Source URLto verify that the firewall (not available on Panorama) can connect to the web server.If the web server is unreachable after the connection is established, the firewall uses the last successfully retrieved list for enforcing policy until the connection is restored with the web server.
- (Optional) Specify theRepeatfrequency at which the firewall retrieves the list. By default, the firewall retrieves the list once every hour and commits the changes.The interval is relative to the last commit. So, for the five-minute interval, the commit occurs in 5 minutes if the last commit was an hour ago. To retrieve the list immediately, see Retrieve an External Dynamic List from the Web Server.
- Use the external dynamic list in a security profile or directly in a policy rule, as supported. See the following:
- Use an external dynamic list of Type URL as Match Criteria in a Security Policy Rule.
- ClickAddand enter a descriptiveNamefor the rule.
- In theSourcetab, select theSource Zone.
- In theDestinationtab, select theDestination Zone.
- In theService/URL Categorytab, clickAddto select the appropriate external dynamic list from the URL Category list.
- In theActionstab, set theAction SettingtoAlloworDeny.
- Verify whether entries in the external dynamic list were ignored or skipped.Use the following CLI command on a firewall to review the details for a list.request system external-list show type <domain | ip | url> name_of_ list For example: request system external-list show type url EBL_ISAC_Alert_List
- Test that the policy action is enforced.
- Attempt to access a URL that is included in the external dynamic list.
- Verify that the action you defined is enforced in the browser.
- To monitor the activity on the firewall:
- SelectACCand add a URL Domain as a global filter to view the Network Activity and Blocked Activity for the URL you accessed.
- Selectto access the detailed log view.MonitorLogsURL Filtering
- Use an external dynamic list of Type IP as a Source or Destination Address Object in a Security Policy Rule.This capability is useful if you deploy new servers and want to allow access to the newly deployed servers without requiring a firewall commit.
- Click Add and give the rule a descriptive name in the General tab.
- In the Source tab, select the Source Zone and optionally select the external dynamic list as the Source Address.
- In the Destination tab, select the Destination Zone and optionally select the external dynamic list as the Destination Address.
- In the Service/ URL Category tab, make sure the Service is set to application-default.
- In the Actions tab, set the Action Setting toAlloworDeny.Create separate external dynamic lists if you want to specify allow and deny actions for specific IP addresses.
- Leave all the other options at the default values.
- ClickOKto save the changes.
- Committhe changes.
- Test that the policy action is enforced.
- Access a IP address that is included in the external dynamic list and verify that action you defined is enforced.
- Selectand view the log entry for the session.MonitorLogsTraffic
- To verify the policy rule that matches a flow, use the following CLI command:test security-policy-match source <IP_address> destination <IP_address> destination port <port_number> protocol <protocol_number>
Recommended For You
Recommended videos not found.