External Dynamic List Enhancements

An external dynamic list is a text file of IP addresses, domains, or URLs hosted on an external web server. You can configure the firewall to periodically import an external dynamic list and block or allow traffic based on its contents. The following enhancements provide more visibility into the contents of an external dynamic list and the list entries currently used in policy. External dynamic lists also now give you the flexibility to choose list entries to exclude before using a list to enforce policy, while new authentication measures allow you to use external dynamic lists more securely. Lastly, you can now protect your network against malicious hosts by using new dynamic IP address lists that Palo Alto Networks maintains.
  • Use one of the Palo Alto Networks Malicious IP Address Feeds as a source for the external dynamic list.
    1. Select Objects > External Dynamic List.
    2. Click Add.
    3. When setting the details for the new external dynamic list, select the new external dynamic list Type Predefined IP List.
      [Screenshot: edl-enhancement-1.png]
    4. Select a Palo Alto Networks malicious IP address feed as the list Source.
    5. Click OK.
  • Enable Authentication for External Dynamic Lists.
    Server authentication ensures that your firewall retrieves external dynamic lists from valid sources. Client authentication enables you to use external dynamic lists from more secure sources that require a username and password to restrict list access.
    1. Select Objects > External Dynamic List.
    2. Click on an external dynamic list to view the list settings.
    3. Select a Certificate Profile for authenticating the web server that hosts the external dynamic list.
    4. If the external dynamic list source requires a username and password to access the list, select Client Authentication and enter login credentials for the list.
      [Screenshot: edl-client-auth.png]
    5. Click OK.
  • View external dynamic list entries directly on the firewall.
    1. Select Objects > External Dynamic List.
    2. Click on an external dynamic list to view the list settings.
    3. Click List Entries and Exceptions and view the entries from the most recent version of the list that the firewall retrieved.
      [Screenshot: edl-enhancement-3.png]
      View AutoFocus threat intelligence for an external dynamic list entry to assess its pervasiveness and risk in your network. Click the drop-down next to a list entry, and click AutoFocus. To use this feature, you must have an active AutoFocus subscription and enable AutoFocus threat intelligence on the firewall.
  • Exclude entries from an external dynamic list.
    This is useful if you want to block or allow traffic based on some but not all of the entries in a list.
    1. View external dynamic list entries directly on the firewall.
    2. Add an entry to the Manual Exceptions list, either by selecting an existing list entry or by entering a value manually:
      • Select a list entry and click Submit.
      • Click Add and manually enter a value (refer to the formatting guidelines for an external dynamic list). A manual exception must match a list entry exactly. For example, if one of the entries in an external dynamic list is the IP address range 1.1.1.1-3.3.3.3 and you manually enter 2.2.2.2 as an exception, the firewall does not treat it as an exception unless 2.2.2.2 is itself a list entry.
        You can add up to 100 exceptions to an external dynamic list. You cannot save your changes to the external dynamic list if the list of exceptions contains duplicate entries; the firewall marks duplicates with a red underline.
  • Check the number of external dynamic list entries used in policy to make sure you don’t go over the firewall limit.
    In PAN-OS 8.0, you can reference a total of 30 external dynamic lists with unique sources across all Security policy rules. In addition, external dynamic list entries (IP addresses, domains, and URLs) now count toward the maximum number supported by the firewall only if they belong to lists referenced in Security policy rules you enforce on the firewall.
    1. Select Objects > External Dynamic List.
    2. Click List Capacities.
      Compare how many IP addresses, domains, and URLs are currently used in policy against the total number of entries that the firewall supports for each list type. Since these values vary from firewall to firewall, the List Capacities window is not available on Panorama.
      Predefined IPs displays the number of IP addresses in the most recent Palo Alto Networks Malicious IP Address Feeds saved to your firewall, even if they are not used in policy.
      [Screenshot: edl-list-capacities.png]
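      The capacity rules above (entries count only for lists referenced in enforced Security rules; at most 30 referenced lists with unique sources) can be checked offline before a commit, for example against lists and rule references exported from the configuration. The following Python script is an added illustration written for this page, not Palo Alto Networks code. The 30-source limit is the figure the page gives; the per-type entry limits vary by firewall model and are not on the page, so PLACEHOLDER_LIMITS is a constructed placeholder, and treating Palo Alto Networks predefined IP feeds as a separate "Predefined IPs" counter outside the per-type totals is an assumption made for the model. The list data is constructed sample input.

```python
"""Offline model of the PAN-OS 8.0 external dynamic list capacity rules.

Added example, not Palo Alto Networks code. MAX_UNIQUE_SOURCES is the limit stated
in the documentation; PLACEHOLDER_LIMITS is a constructed placeholder (real per-type
limits depend on the firewall model). Keeping predefined feeds in their own counter,
outside the per-type totals, is an assumption of this model.
"""
from collections import Counter

MAX_UNIQUE_SOURCES = 30                                   # PAN-OS 8.0 limit from the page
PLACEHOLDER_LIMITS = {"ip": 50000, "domain": 50000, "url": 50000}  # placeholder, not model limits

# Constructed sample lists: two lists share one source, one list is not used in policy.
SAMPLE_EDLS = [
    {"name": "bad-ips-a", "type": "ip", "source": "https://feeds.example.invalid/a.txt",
     "entry_count": 1200, "predefined": False},
    {"name": "bad-ips-b", "type": "ip", "source": "https://feeds.example.invalid/a.txt",
     "entry_count": 1200, "predefined": False},
    {"name": "phish-domains", "type": "domain", "source": "https://feeds.example.invalid/d.txt",
     "entry_count": 800, "predefined": False},
    {"name": "unused-urls", "type": "url", "source": "https://feeds.example.invalid/u.txt",
     "entry_count": 5000, "predefined": False},
    {"name": "panw-malicious", "type": "ip", "source": "predefined",
     "entry_count": 3000, "predefined": True},
]
# Names of lists referenced by Security rules enforced on the firewall (constructed).
SAMPLE_REFERENCED = {"bad-ips-a", "bad-ips-b", "phish-domains", "panw-malicious"}


def capacity_report(edls, referenced_names, limits=PLACEHOLDER_LIMITS):
    """Summarise entries used in policy, predefined-feed size, and unique source count.

    Each edl is a dict with name, type ('ip' | 'domain' | 'url'), source, entry_count
    and predefined (True for a Palo Alto Networks malicious IP feed).
    """
    used = Counter()
    predefined_ips = 0
    sources = set()
    for edl in edls:
        if edl["name"] in referenced_names:
            sources.add(edl["source"])              # limit applies to lists with unique sources
        if edl["predefined"]:
            predefined_ips += edl["entry_count"]    # shown even when not used in policy
        elif edl["name"] in referenced_names:
            used[edl["type"]] += edl["entry_count"]  # only referenced lists count toward the limit
    return {
        "used": dict(used),
        "predefined_ips": predefined_ips,
        "unique_sources": len(sources),
        "over_limit": sorted(t for t, n in used.items() if n > limits.get(t, float("inf"))),
        "too_many_sources": len(sources) > MAX_UNIQUE_SOURCES,
    }


if __name__ == "__main__":
    for key, value in capacity_report(SAMPLE_EDLS, SAMPLE_REFERENCED).items():
        print(f"{key}: {value}")
```

      In the sample data the 5000 URL entries of the unreferenced list do not appear in the totals, and the two lists that share a source count as one source, which is the behaviour the List Capacities window reflects.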
  • Use Global Find to check if a domain, IP address, or URL belongs to one or more external dynamic lists used in policy.
    This feature is useful for determining which external dynamic list (referenced in a Security policy rule) is causing the firewall to block or allow a certain domain, IP address, or URL. You can use Global Find from any page on the firewall.
    1. Click Search.
    2. Enter an IP address, domain, or URL, and click the spyglass to start the search.
      If you enter an IP address that falls within an IP address range entry in an external dynamic list, Global Find will not associate the IP address with the external dynamic list. For example, if you search for the IP address 2.2.2.2 and there is an external dynamic list with the entry 1.1.1.1-3.3.3.3, the search results for 2.2.2.2 do not include that external dynamic list.
    3. If the IP address, domain, or URL is in an external dynamic list that is used in policy, the search results include the new category External Dynamic Lists. Expand this category to view which external dynamic lists contain the value you entered.
      If an IP address, domain, or URL is a list exception and you search for it in Global Find, the search results still include the external dynamic list(s) from which it is excluded.
      [Screenshot: edl-global-find.png]
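      Two matching rules on this page are easy to misread: a manual exception removes an entry only when its text matches the entry exactly, and Global Find likewise reports only exact entry matches, so an address inside a range entry is found by neither. The Python model below is an added example for this page, not Palo Alto Networks code; it reproduces those rules (including the 100-exception limit, duplicate rejection, and the fact that an excepted value still appears in Global Find results) and adds a range-aware lookup for the case where an analyst needs to know which enforced list actually covers a blocked address. It assumes the IP list format of one entry per line (single address, CIDR subnet, or dashed range) and treats lines beginning with `#` as comments, which is an assumption about the feed rather than a documented guideline; the feed text is constructed sample data.

```python
"""Model of the PAN-OS 8.0 EDL exception and Global Find matching rules described above.

Added example, not Palo Alto Networks code. Assumptions: one entry per line (address,
CIDR, or dashed range) and '#' comment lines; SAMPLE_FEED is constructed data.
"""
import ipaddress
from dataclasses import dataclass, field

MAX_EXCEPTIONS = 100        # per-list limit stated on the page

# Constructed sample feed, as the firewall would retrieve it from the web server.
SAMPLE_FEED = """\
# constructed sample feed (not a real Palo Alto Networks list)
1.1.1.1-3.3.3.3
203.0.113.7
198.51.100.0/24
"""


def parse_ip_list(text):
    """Return entries exactly as written, skipping blank lines and '#' comments (assumed syntax)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            entries.append(line)
    return entries


def validate_exceptions(exceptions):
    """Mirror the save-time checks: no more than 100 exceptions and no duplicates."""
    if len(exceptions) > MAX_EXCEPTIONS:
        raise ValueError(f"{len(exceptions)} exceptions exceeds the limit of {MAX_EXCEPTIONS}")
    seen, duplicates = set(), []
    for value in exceptions:
        if value in seen:
            duplicates.append(value)   # the firewall underlines these in red
        seen.add(value)
    if duplicates:
        raise ValueError(f"duplicate exceptions: {duplicates}")


def apply_exceptions(entries, exceptions):
    """Exceptions use exact text matching: '2.2.2.2' does not carve a hole in '1.1.1.1-3.3.3.3'."""
    validate_exceptions(exceptions)
    excluded = set(exceptions)
    return [entry for entry in entries if entry not in excluded]


def entry_contains(entry, ip):
    """Range-aware containment: is `ip` inside the address, subnet, or range that `entry` denotes?"""
    addr = ipaddress.ip_address(ip)
    try:
        if "-" in entry:
            low, high = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
            return low.version == addr.version and low <= addr <= high
        return addr in ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return False   # not an IP entry (e.g. an entry from a domain or URL list)


@dataclass
class EDL:
    name: str
    entries: list                                   # entries from the last retrieved version
    exceptions: list = field(default_factory=list)  # manual exceptions configured on the firewall
    used_in_policy: bool = True                     # referenced by an enforced Security rule

    def effective_entries(self):
        return apply_exceptions(self.entries, self.exceptions)


def global_find(edls, value):
    """Global Find semantics: exact entry match against lists used in policy; exceptions still match."""
    return sorted(edl.name for edl in edls if edl.used_in_policy and value in edl.entries)


def lists_covering(edls, ip):
    """Range-aware lookup (not what Global Find does): which enforced lists actually cover `ip`?"""
    return sorted(edl.name for edl in edls
                  if edl.used_in_policy
                  and any(entry_contains(e, ip) for e in edl.effective_entries()))


if __name__ == "__main__":
    feed = EDL("sample-feed", parse_ip_list(SAMPLE_FEED), exceptions=["203.0.113.7"])
    print("Global Find 2.2.2.2:", global_find([feed], "2.2.2.2"))          # inside a range, no exact entry
    print("Range-aware 2.2.2.2:", lists_covering([feed], "2.2.2.2"))       # the range entry covers it
    print("Global Find 203.0.113.7:", global_find([feed], "203.0.113.7"))  # listed despite the exception
```

      Running the script shows the two gaps an investigator has to keep in mind: Global Find returns nothing for 2.2.2.2 even though the range entry 1.1.1.1-3.3.3.3 covers it, and it still returns the list for 203.0.113.7 although that entry has been excluded from enforcement.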
