Authentication for External Dynamic Lists
When retrieving external dynamic lists hosted on SSL/TLS secured servers (servers with an HTTPS URL), the firewall now validates the server's digital certificate before proceeding with the retrieval. You must enable server authentication for these external dynamic lists for the firewall to retrieve them. Additionally, you can now retrieve external dynamic lists hosted on SSL/TLS secured servers that enforce HTTP basic username/password authentication (client authentication).

Server authentication prevents man-in-the-middle attacks by ensuring that the firewall retrieves an external dynamic list from a valid source, not from a malicious or spoofed server. Client authentication allows you to use more secure sources (such as MineMeld) that limit access to their external dynamic lists to authorized users.

If the certificate of an external dynamic list server is expired or revoked, or if you enter incorrect login credentials for the list, authentication fails and the firewall ceases to enforce policy based on the list contents. Because a list that fails authentication no longer contributes its entries to policy, treat these failures as urgent and monitor the system log for them.

In Panorama, you can use external dynamic lists to enforce policy across multiple firewalls in a device group. For managed firewalls running PAN-OS 7.1 and earlier versions, which do not support these features, Panorama enforces policy without server and client authentication.
- Select Objects > External Dynamic Lists and click the dynamic IP, domain, or URL list you want to configure.
- (New) If the server hosting the external dynamic list is secured with SSL/TLS (the list has an HTTPS URL), enable server authentication.
  - You cannot edit or save changes to an external dynamic list with an HTTPS URL until you enable server authentication.
  - Select an existing Certificate Profile for the list, or create a New Certificate Profile. A certificate profile defines the CA certificates the firewall trusts when it authenticates a device and its certificates. The profile you select must contain the root CA certificate that matches the certificate chain installed on the server you are authenticating (and the intermediate CA certificate, if the server's chain has one). Also enable CRL and/or OCSP status verification in the profile so that the firewall checks the revocation status of the server certificate; without revocation checking, the firewall cannot detect a revoked but unexpired server certificate. Learn more about how to configure a certificate profile.
  - If the external dynamic list source has an HTTP URL, you are not required to select a certificate profile. The firewall connects to the server that hosts the external dynamic list without certificate validation, so the list contents are not protected against tampering in transit; prefer HTTPS sources where possible.
  - To maximize the number of external dynamic lists you can use to enforce policy, use the same certificate profile for all external dynamic lists from the same source URL. If you assign different certificate profiles to external dynamic lists from the same source URL, the firewall counts each list as a unique external dynamic list.
- (New) If the source of the external dynamic list has an HTTPS URL and requires a username and password for list access, enable client authentication. Client authentication is tied to HTTPS sources because HTTP basic authentication only base64-encodes the credentials; TLS is what keeps them confidential on the wire.
  - Select Client Authentication.
  - Enter the username and password required by the list source.
  - Re-enter the password to confirm it.
- (Optional) Test the connectivity of the firewall to the server hosting the external dynamic list. Click Test Source URL. A popup indicates whether the server is accessible. The Test Source URL button only verifies that the firewall can connect to the server; it does not check the status of the server's certificate, so a successful test does not guarantee that server authentication will succeed when the firewall retrieves the list.
- Save the configuration. Click OK and Commit.
- Find external dynamic lists that failed authentication. External dynamic lists that fail server or client authentication require your immediate attention because the firewall ceases to enforce policy based on their contents. The firewall generates critical system logs to alert you of the authentication failure. To manually check whether an external dynamic list authenticates successfully, retrieve the external dynamic list from the web server.
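The following script reproduces, outside the firewall, the two checks the procedure above configures: server authentication (TLS certificate validation against only the certificate profile's root CA, with hostname checking) and client authentication (HTTP basic username/password), and it classifies the failure modes the text describes so that "unreachable" (what Test Source URL checks) is distinguished from "server-auth-failed" and "client-auth-failed". This is an added example, not PAN-OS or MineMeld code; the host name, CA file name, credentials and the sample list are constructed, and treating lines that start with `#` as comments is an assumption about the list format. Unlike a certificate profile with CRL/OCSP enabled, this code performs no revocation checking, because Python's `ssl` module does not do so by default.

```python
# Added example (not PAN-OS code): retrieve an external dynamic list the way
# the firewall does once server and client authentication are enabled, and
# classify failures. No CRL/OCSP revocation check is performed here.
import base64
import ssl
import urllib.error
import urllib.request
from urllib.parse import urlsplit


def build_tls_context(ca_file):
    """Trust only the CA(s) in ca_file: the equivalent of a certificate
    profile whose root CA matches the server's certificate chain."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = True            # the URL host must match the cert
    ctx.verify_mode = ssl.CERT_REQUIRED  # an unverifiable chain is fatal
    return ctx


def basic_auth_header(username, password):
    """HTTP basic auth only base64-encodes 'user:pass'; TLS protects it."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def classify_failure(exc):
    """Map an exception raised by urlopen() onto the outcomes in the text."""
    if isinstance(exc, urllib.error.HTTPError):
        # 401/403: the source rejected the credentials (client authentication).
        return "client-auth-failed" if exc.code in (401, 403) else "http-error"
    if isinstance(exc, urllib.error.URLError):
        # urllib wraps socket and TLS errors in URLError; an expired,
        # untrusted or name-mismatched server cert is SSLCertVerificationError.
        if isinstance(exc.reason, ssl.SSLCertVerificationError):
            return "server-auth-failed"
        return "unreachable"   # DNS, refused, timeout: what Test Source URL covers
    return "error"


def parse_edl(text):
    """Return list entries, skipping blank lines and '#' comment lines
    (the comment convention is an assumption, not taken from the page)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            entries.append(line)
    return entries


def fetch_edl(url, ca_file=None, username=None, password=None, timeout=10):
    """Return (status, payload): parsed entries on 'ok', else a reason string."""
    scheme = urlsplit(url).scheme.lower()
    if scheme == "https":
        if ca_file is None:
            # Mirrors the firewall: an HTTPS source needs a certificate profile.
            raise ValueError("HTTPS source requires a certificate profile CA file")
        ctx = build_tls_context(ca_file)
    elif scheme == "http":
        ctx = None  # plain HTTP: no certificate validation, as on the firewall
    else:
        raise ValueError(f"unsupported URL scheme: {scheme!r}")

    req = urllib.request.Request(url)
    if username is not None:
        req.add_header("Authorization", basic_auth_header(username, password))
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            body = resp.read().decode("utf-8", errors="replace")
    except (urllib.error.HTTPError, urllib.error.URLError) as exc:
        return classify_failure(exc), str(exc)
    return "ok", parse_edl(body)


# Constructed sample list, so the parser can be exercised offline.
SAMPLE_LIST = "# constructed sample list\n192.0.2.1\n\n198.51.100.0/24\n"

if __name__ == "__main__":
    print(parse_edl(SAMPLE_LIST))
    # Constructed failures, to show how each outcome is reported.
    expired = urllib.error.URLError(
        ssl.SSLCertVerificationError("certificate verify failed: certificate has expired"))
    print(classify_failure(expired))
    # Hypothetical source, CA file and credentials; needs network access.
    # print(fetch_edl("https://edl.example.net/blocklist.txt",
    #                 ca_file="edl-root-ca.pem", username="fw-reader", password="s3cret"))
```

Run `fetch_edl` against the real source with the same root CA you placed in the certificate profile: a `server-auth-failed` result before you commit tells you the profile will not validate that server, which the Test Source URL button would not reveal.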