Enforce Policy on Entries in an External Dynamic List

  1. Create the external dynamic list and host it on a web server so that the firewall can retrieve the list for policy evaluation.
    Create a text file and enter the URLs, domains, or IP addresses, one entry per line.
    To prevent commit errors and invalid entries, do not prefix http:// or https:// to any of the entries. See Formatting Guidelines for an External Dynamic List.
    Use MineMeld to generate an external dynamic list based on the contents of multiple threat feeds.
  2. Configure the firewall to access the external dynamic list.
    1. Select Objects > External Dynamic Lists.
    2. Click Add and enter a descriptive Name for the list.
    3. (Optional) Select Shared to share the list with all virtual systems on a device that is enabled for multiple virtual systems. By default, the object is created on the virtual system that is currently selected in the Virtual Systems drop-down.
    4. (Panorama only) Select Disable override to ensure that a firewall administrator cannot override settings locally on a firewall that inherits this configuration through a Device Group commit from Panorama.
    5. In the Type drop-down, select the list type, for example, URL List.
      Ensure that the list includes only entries of the selected type. To check whether any entries were ignored or skipped, see step 3.8.
    6. Enter the Source for the list you created on the web server. The source must include the full path to the list, for example, https://1.2.3.4/EDL_IP_2015.
    7. Click Test Source URL to verify that the firewall can connect to the web server (this option is not available on Panorama).
      If the web server later becomes unreachable, the firewall continues to enforce policy with the last successfully retrieved copy of the list until the connection to the web server is restored.
    8. (Optional) Specify the Repeat frequency at which the firewall retrieves the list. By default, the firewall retrieves the list once every hour and commits the changes.
      The interval is measured from the last commit. For example, with a five-minute interval, the next commit occurs in 5 minutes if the last commit was an hour ago. To retrieve the list immediately, see Retrieve an External Dynamic List from the Web Server.
    9. Click OK.
  3. Use an external dynamic list of Type URL as Match Criteria in a Security Policy Rule.
    1. Select Policies > Security.
    2. Click Add and enter a descriptive Name for the rule.
    3. In the Source tab, select the Source Zone.
    4. In the Destination tab, select the Destination Zone.
    5. In the Service/URL Category tab, click Add and select the appropriate external dynamic list from the URL Category list.
    6. In the Actions tab, set the Action Setting to Allow or Deny.
    7. Click OK and Commit.
    8. Verify whether any entries in the external dynamic list were ignored or skipped.
      Use the following CLI command on a firewall to review the details for a list:
      request system external-list show type <domain | ip | url> name <list_name>
      For example: request system external-list show type url name EBL_ISAC_Alert_List
    9. Test that the policy action is enforced.
      1. Attempt to access a URL that is included in the external dynamic list.
      2. Verify that the action you defined is enforced in the browser.
      3. To monitor the activity on the firewall, select ACC and add a URL Domain as a global filter to view the Network Activity and Blocked Activity for the URL you accessed, or select Monitor > Logs > URL Filtering to access the detailed log view.
  4. Use an external dynamic list of Type IP as a Source or Destination Address Object in a Security Policy Rule.
    This capability is useful if you deploy new servers and want to allow access to them without requiring a firewall commit: add the new addresses to the hosted list and the firewall picks them up at the next retrieval.
    1. Select Policies > Security.
    2. Click Add and give the rule a descriptive name in the General tab.
    3. In the Source tab, select the Source Zone and optionally select the external dynamic list as the Source Address.
    4. In the Destination tab, select the Destination Zone and optionally select the external dynamic list as the Destination Address.
    5. In the Service/URL Category tab, make sure the Service is set to application-default.
    6. In the Actions tab, set the Action Setting to Allow or Deny.
      A rule applies one action to every entry in the list, so create separate external dynamic lists if you want to allow some IP addresses and deny others.
    7. Leave all the other options at the default values.
    8. Click OK to save the changes.
    9. Commit the changes.
    10. Test that the policy action is enforced.
      1. Access an IP address that is included in the external dynamic list and verify that the action you defined is enforced.
      2. Select Monitor > Logs > Traffic and view the log entry for the session.
      3. To verify which policy rule matches a flow, use the following CLI command:
        test security-policy-match source <IP_address> destination <IP_address> destination-port <port_number> protocol <protocol_number>
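Step 1 says to keep scheme prefixes out of the hosted file and to include only entries of the list's type, and step 3.8 has you check afterwards whether the firewall ignored any entries. The following linter, an added example that is not part of the original page and not Palo Alto Networks code, runs those checks before the file is published so that the firewall-side check comes back clean. The rules it enforces beyond what the page states are assumptions: single addresses, CIDR blocks and low-high ranges for IP lists, a leading "*." wildcard for domain and URL hosts, and an optional :port in URL entries. The sample lists are constructed from documentation address ranges.

```python
"""Lint an external dynamic list (EDL) text file before publishing it.
Added example, not code from the original page or from Palo Alto Networks. It enforces
the rules the page states (one entry per line, no http:// or https:// prefix, only
entries of the list's own type) and, as assumptions, accepts single addresses, CIDR
blocks and low-high ranges in IP lists and a leading "*." wildcard in domain and URL
hosts. Confirm details against the vendor's formatting guidelines for EDLs."""
import ipaddress
import re
from typing import Callable, Dict, List, Set, Tuple

_HTTP_SCHEME_RE = re.compile(r"^https?://", re.IGNORECASE)
# DNS label: 1-63 letters, digits or hyphens, no leading or trailing hyphen.
_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
_DOMAIN_RE = re.compile(rf"^(\*\.)?({_LABEL}\.)*{_LABEL}$")


def _is_address(text: str) -> bool:
    """True for a single IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def is_ip_entry(entry: str) -> bool:
    """IP list entry: single address, CIDR block, or 'low-high' range (assumed forms)."""
    if "-" in entry and "/" not in entry:
        low, _, high = entry.partition("-")
        if not (_is_address(low) and _is_address(high)):
            return False
        a, b = ipaddress.ip_address(low), ipaddress.ip_address(high)
        return a.version == b.version and a <= b
    try:
        ipaddress.ip_network(entry, strict=False)  # a bare address is a /32 or /128
        return True
    except ValueError:
        return False


def is_domain_entry(entry: str) -> bool:
    """Domain list entry: a hostname, optionally with a leading '*.' wildcard."""
    if len(entry) > 253 or not _DOMAIN_RE.match(entry):
        return False
    return not entry.rsplit(".", 1)[-1].isdigit()  # all-digit last label: an IP, not a domain


def is_url_entry(entry: str) -> bool:
    """URL list entry: host[:port][/path] with no scheme."""
    host = entry.partition("/")[0]
    if re.search(r":\d+$", host) and not _is_address(host):
        host = host.rsplit(":", 1)[0]  # drop an explicit port (IPv6 host plus port not handled)
    return is_domain_entry(host) or _is_address(host)


CHECKERS: Dict[str, Callable[[str], bool]] = {"ip": is_ip_entry, "domain": is_domain_entry, "url": is_url_entry}


def lint_edl(text: str, list_type: str) -> Tuple[List[str], List[Tuple[int, str, str]]]:
    """Return (accepted entries in file order, rejects as (line_no, raw_line, reason)).
    Blank lines are skipped; duplicates are rejected so each entry is published once."""
    check = CHECKERS[list_type]
    accepted: List[str] = []
    rejects: List[Tuple[int, str, str]] = []
    seen: Set[str] = set()
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.strip()
        if not entry:
            continue
        if _HTTP_SCHEME_RE.match(entry):
            rejects.append((line_no, raw, "remove the http:// or https:// prefix"))
        elif any(ch.isspace() for ch in entry):
            rejects.append((line_no, raw, "contains whitespace; one entry per line"))
        elif not check(entry):
            rejects.append((line_no, raw, f"not a valid {list_type} list entry"))
        elif entry.lower() in seen:
            rejects.append((line_no, raw, "duplicate entry"))
        else:
            seen.add(entry.lower())
            accepted.append(entry)
    return accepted, rejects


# Constructed sample lists using documentation address ranges, not real feeds.
SAMPLE_IP_LIST = """\
203.0.113.7
198.51.100.0/24
192.0.2.10-192.0.2.20
2001:db8::1
https://203.0.113.9
203.0.113.7
example.com
300.1.1.1
"""
SAMPLE_URL_LIST = """\
example.com/login
*.example.net/
http://example.org/path
198.51.100.5:8443/admin
bad host.com/x
"""

if __name__ == "__main__":
    for kind, text in (("ip", SAMPLE_IP_LIST), ("url", SAMPLE_URL_LIST)):
        accepted, rejects = lint_edl(text, kind)
        print(f"{kind} list: {len(accepted)} accepted, {len(rejects)} rejected")
        for line_no, raw, reason in rejects:
            print(f"  line {line_no}: {raw!r} -> {reason}")
```

Run it against the file before copying it to the web server; publish only the accepted entries, and treat every reject as something the firewall would otherwise report under step 3.8 as ignored or skipped. Because an IP-type list is matched as an address object and a URL-type list as a URL category, a hostname in an IP list or a CIDR block in a URL list is rejected here rather than silently dropped by the firewall.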

Related Documentation