An external dynamic list is an address object based on an imported list of IP addresses, URLs, or domain names that can be used in policy rules. You must create this list as a text file and save it to a web server that the firewall can access; the firewall uses the management port to retrieve this list. You can configure the firewall to automatically update the list on a schedule.
You can use an IP address list as an address object in the source and destination of Security policy rules; a URL list in Objects > Security Profiles > URL Filtering or as a match criterion in Security policy rules; and a domain list in Objects > Security Profiles > Anti-Spyware Profile for sinkholing the specified domain names.
On each firewall platform, you can configure a maximum of 30 unique sources for external dynamic lists. A source is a URL that includes the IP address or hostname, the path, and the filename for the external dynamic list. The firewall matches the URL (complete string) to determine whether a source is unique.
While the firewall does not impose a limit on the number of lists for a specific type of list, the following limits are enforced:
- IP address—The PA-5000 Series and the PA-7000 Series firewalls support a maximum of 150,000 total IP addresses; all other platforms support a maximum of 50,000 total IP addresses. No limits are enforced for the number of IP addresses per list.
- URLs and domain names—A maximum of 50,000 URLs and 50,000 domains are supported on each platform, with no limits enforced on the number of entries per list.
If you exceed the maximum number of entries that are supported on a platform, the firewall generates a System log and skips the entries that exceed the limit.
The following table describes the external dynamic list settings.
| External Dynamic List Setting | Description |
| --- | --- |
| Name | Enter a name to identify the external dynamic list (up to 32 characters). This name will appear when selecting the source or destination in a policy. |
| Shared | Select this option if you want the external dynamic list to be available to: (1) every virtual system (vsys) on a multi-vsys firewall; if you clear this selection, the external dynamic list will be available only to the Virtual System selected in the Objects tab; (2) every device group on Panorama; if you clear this selection, the external dynamic list will be available only to the Device Group selected in the Objects tab. |
| Disable override (Panorama only) | Select this option if you want to prevent administrators from creating local copies of the external dynamic list in descendant device groups by overriding its inherited values. This selection is cleared by default, which means overriding is enabled. |
| Type | You cannot mix IP addresses, URLs, and domain names in a single list. Each list must include entries of only one type. Select from the following types of external dynamic lists: IP Address List, Domain List, or URL List. |
| Type: IP Address List | Each list can include IP ranges and IP subnets in the IPv4 and IPv6 address space. The list must contain only one IP address, range, or subnet per line. Example entries (one per line in the file): 192.168.80.150/32; 2001:db8:123:1::1 or 2001:db8:123:1::/64; 192.168.80.0/24 (this indicates all addresses from 192.168.80.0 through 192.168.80.255); 2001:db8:123:1::1 - 2001:db8:123:1::22. A subnet or an IP address range, such as 92.168.20.0/24 or 192.168.20.40-192.168.20.50, counts as one IP address entry and not as multiple IP addresses. |
| Type: Domain List | Each list can have only one domain name entry per line. Example entries (one per line in the file): www.p301srv03.paloalonetworks.com; ftp.example.co.uk; test.domain.net. For the list of domains included in the external dynamic list, the firewall creates a set of custom signatures of type spyware and medium severity, so that you can use the sinkhole action for a custom list of domains. |
| Type: URL List | Each list can have only one URL entry per line. Example entries (one per line in the file): financialtimes.co.in; www.wallaby.au/joey; www.exyang.com/auto-tutorials/How-to-enter-Data-for-Success.aspx; *.example.com/*. For each URL list, the default action is set to allow. To edit the default action, see Objects > Security Profiles > URL Filtering. |
| Description | Enter a description for the external dynamic list (up to 255 characters). |
| Source | Enter an HTTP or HTTPS URL path that contains the text file. For example, http://1.1.1.1/myfile.txt. |
| Frequency | Specify how often the firewall retrieves the list from the web server. You can choose hourly, five-minute, daily, weekly, or monthly. At the configured interval, the firewall retrieves the list and automatically commits the changes to the configuration. Any policy rules that reference the list are updated so that the firewall can successfully enforce policy. |
| Test Source URL (Firewall only) | Test that the source URL or server path is available. |
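
As an added example (not Palo Alto Networks code), the following Python checker validates an IP address list file against the rules on this page before it is published to the web server: one IP address, subnet, or range per line, a subnet or range counting as one entry, and valid entries beyond the platform total reported as the ones the firewall would skip. The function names, the `already_used` parameter, and the handling of blank lines are assumptions of this example.

```python
import ipaddress

# Platform totals for IP entries as stated on this page.
LIMIT_DEFAULT = 50_000
LIMIT_PA5000_PA7000 = 150_000

# Constructed sample: the page's example entries plus two deliberately bad lines.
SAMPLE = """\
192.168.80.150/32
2001:db8:123:1::1
2001:db8:123:1::/64
192.168.80.0/24
2001:db8:123:1::1 - 2001:db8:123:1::22
192.168.20.40-192.168.20.50
www.example.com
192.168.20.50-192.168.20.40
"""

def parse_entry(line):
    """Classify one line as 'ip', 'subnet' or 'range'; raise ValueError otherwise."""
    text = line.strip()
    if "/" in text:
        ipaddress.ip_network(text, strict=False)
        return "subnet"
    if "-" in text:
        start, _, end = text.partition("-")
        first, last = ipaddress.ip_address(start.strip()), ipaddress.ip_address(end.strip())
        if first.version != last.version or first > last:
            raise ValueError("range is mixed-family or reversed")
        return "range"
    ipaddress.ip_address(text)
    return "ip"

def check_ip_list(body, limit=LIMIT_DEFAULT, already_used=0):
    """Return (accepted, invalid, over_limit); already_used = entries in other lists."""
    accepted, invalid, over_limit = 0, [], []
    for line_no, line in enumerate(body.splitlines(), start=1):
        if not line.strip():
            continue  # assumption: blank lines are not entries
        try:
            parse_entry(line)
        except ValueError:
            invalid.append((line_no, line.strip()))  # wrong type or malformed
            continue
        if already_used + accepted >= limit:
            over_limit.append((line_no, line.strip()))  # firewall would skip these
        else:
            accepted += 1  # a subnet or range counts as one entry
    return accepted, invalid, over_limit
```

Run it against the file you are about to host and resolve anything in `invalid` or `over_limit` first, since entries past the limit are skipped and only surface as a System log on the firewall.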
