Configure the Firewall to Access an External Dynamic List

You must establish the connection between the firewall and the source that hosts the external dynamic list before you can Enforce Policy on an External Dynamic List.
  1. (
    Optional
    ) Customize the service route that the firewall uses to retrieve external dynamic lists.
    Select
    Device
    Setup
    Services
    Service Route Configuration
    Customize
    and modify the
    External Dynamic Lists
    service route.
    The firewall does not use the External Dynamic Lists service route to retrieve the Palo Alto Networks Malicious IP Address Feeds; it dynamically receives updates to these feeds through daily antivirus content updates (active Threat Prevention license required).
  2. Find an external dynamic list to use with the firewall.
    • Create an external dynamic list and host it on a web server. Enter IP addresses, domains, or URLs in a blank text file. Each list entry must be on a separate line. For example:
      financialtimes.co.in
      www.wallaby.au/joey
      www.exyang.com/auto-tutorials/How-to-enter-Data-for-Success.aspx
      *.example.com/*
      abc?*/abc.com
      *&*.net
      See the Formatting Guidelines for an External Dynamic List to ensure that the firewall does not skip list entries. To prevent commit errors and invalid entries, do not prefix http:// or https:// to any of the entries.
    • Use an external dynamic list hosted by another source and verify that it follows the Formatting Guidelines for an External Dynamic List.
  3. Select
    Objects
    External Dynamic Lists
    .
  4. Click
    Add
    and enter a descriptive
    Name
    for the list.
  5. (
    Optional
    ) Select
    Shared
    to share the list with all virtual systems on a device that is enabled for multiple virtual systems. By default, the object is created on the virtual system that is currently selected in the
    Virtual Systems
    drop-down.
  6. (
    Panorama only
    ) Select
    Disable override
    to ensure that a firewall administrator cannot override settings locally on a firewall that inherits this configuration through a Device Group commit from Panorama.
  7. Select the list
    Type
    (for example,
    URL List
    ).
    Ensure that the list only includes entries for the list type. See Verify whether entries in the external dynamic list were ignored or skipped.
  8. Enter the
    Source
    for the list you just created on the web server. The source must include the full path to access the list. For example,
    https://1.2.3.4/EDL_IP_2015
    .
    If you are creating a list of type Predefined IP, select a Palo Alto Networks malicious IP address feed to use as a source.
  9. If the list source is secured with SSL (i.e. lists with an HTTPS URL), enable server authentication. Select a
    Certificate Profile
    or create a
    New Certificate Profile
    for authenticating the server that hosts the list. The certificate profile you select must have root CA (certificate authority) and intermediate CA certificates that match the certificates installed on the server you are authenticating.
    Maximize the number of external dynamic lists that you can use to enforce policy. Use the same certificate profile to authenticate external dynamic lists from the same source URL. If you assign different certificate profiles to external dynamic lists from the same source URL, the firewall counts each list as a unique external dynamic list.
  10. Enable client authentication if the list source has an HTTPS URL and requires basic HTTP authentication for list access.
    1. Select
      Client Authentication
      .
    2. Enter a valid
      Username
      to access the list.
    3. Enter the
      Password
      and
      Confirm Password
      .
    edl-client-auth.png
  11. (
    Not available on Panorama
    ) Click
    Test Source URL
    to verify that the firewall can connect to the web server.
  12. (
    Optional
    ) Specify the
    Repeat
    frequency at which the firewall retrieves the list. By default, the firewall retrieves the list once every hour and commits the changes.
    The interval is relative to the last commit. So, for the five-minute interval, the commit occurs in 5 minutes if the last commit was an hour ago. To retrieve the list immediately, see Retrieve an External Dynamic List from the Web Server.
  13. Click
    OK
    and
    Commit
    .
  14. If the server or client authentication fails, the firewall ceases to enforce policy based on the last successfully retrieved external dynamic list. Find External Dynamic Lists That Failed Authentication and view the reasons for authentication failure.

Related Documentation