Palo Alto Networks Malicious IP Address Feeds
With an active Threat Prevention subscription, Palo Alto Networks now provides two malicious IP address feeds. These IP address feeds allow you to leverage the latest Palo Alto Networks threat intelligence when blocking traffic by IP address.
- Palo Alto Networks - Known malicious IP addresses—Contains IP addresses that Palo Alto Networks has verified as malicious.
- Palo Alto Networks - High risk IP addresses—Contains malicious IP addresses from threat advisories issued by trusted third-party organizations.
Palo Alto Networks delivers updated versions of the IP address feeds as part of the daily antivirus content updates for the firewall. Entries from the most recent versions of the feeds replace the entries from older versions. The feeds are predefined, which means that you cannot modify their contents. However, you can create a new external dynamic list that uses either of the predefined IP address feeds as a source. This gives you the flexibility of excluding IP addresses from the feed, if necessary.
Assess your organization’s threat prevention strategy when referencing the Palo Alto Networks malicious and high-risk IP address feeds in security policy rules. Palo Alto Networks employs a variety of safety checks to prevent shared or legitimate IP addresses from being added to the known malicious IP address feed; however, it's possible for an IP address in the feed to be mapped to multiple servers, some of which might not cause malicious behavior. Furthermore, while the high risk IP address feed comes from trusted third-party sources, Palo Alto Networks does not regulate the contents of this feed.
To monitor traffic associated with the known malicious or high-risk IP address feed, create a security policy rule reserved for blocking traffic from the feed, then filter the Traffic log by the rule you created.
- Confirm that the firewall can access the Palo Alto Networks malicious IP address feeds.
- Confirm that you have activated your Threat Prevention subscription on the firewall. Select Device > Licenses to check that your subscription is valid.
- Confirm that you have downloaded and installed the latest Antivirus version on your firewall.
- View the contents of the Palo Alto Networks malicious IP address feeds directly on the firewall. View external dynamic list entries for the following malicious IP address feeds:
- Palo Alto Networks - High risk IP addresses
- Palo Alto Networks - Known malicious IP addresses
Filter the list to check that it does not contain IP addresses you need to access. The number of High Risk IP Address Feed items is subject to change. You cannot delete, clone, edit, or exclude IP addresses from a Palo Alto Networks malicious IP address feed.
- (Optional) Create a new external dynamic list that uses a Palo Alto Networks IP address feed as a source.
- In the Type drop-down, select Predefined IP List.
- Select a Palo Alto Networks IP address feed to use as a Source for your external dynamic list.
The firewall updates the custom external dynamic list you just created each time it receives an update for the Palo Alto Networks IP address feed, but your list exceptions are preserved.
- (Optional) Exclude entries from the external dynamic list (new in PAN-OS 8.0).
- Use a Palo Alto Networks malicious IP address feed to block network traffic. Enforce policy on entries in an external dynamic list. Use the known malicious or high-risk IP address feed (or custom list based on either of these feeds) as a source or destination address object in a Security policy rule.
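The check from the feed-viewing step above (that the feed does not contain IP addresses you need to access) can be done offline, shown here as an added example that is not Palo Alto Networks code. It assumes the feed entries have been copied into a list of strings, each a single IP, a CIDR subnet or a start-end range; the function names and all addresses (documentation ranges) are constructed for illustration.

```python
import ipaddress

def parse_entry(entry):
    """Return (first, last) address covered by a single IP, CIDR subnet or a-b range."""
    entry = entry.strip()
    if "-" in entry:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"bad range: {entry}")
        return lo, hi
    net = ipaddress.ip_network(entry, strict=False)
    return net[0], net[-1]

def find_conflicts(feed_lines, required):
    """Map each required address or subnet to the feed entries that overlap it."""
    feed = []
    for line in feed_lines:
        line = line.strip()
        if line:  # skip blank lines in the copied list
            feed.append((line, *parse_entry(line)))
    conflicts = {}
    for item in required:
        lo, hi = parse_entry(item)
        # Two intervals overlap when each starts before the other ends.
        hits = [raw for raw, f_lo, f_hi in feed
                if f_lo.version == lo.version and f_lo <= hi and lo <= f_hi]
        if hits:
            conflicts[item] = hits
    return conflicts

# Constructed sample data, not real feed contents.
SAMPLE_FEED = ["198.51.100.7", "203.0.113.0/28",
               "192.0.2.10-192.0.2.20", "", "2001:db8::/64"]
# Constructed addresses the organization must keep reachable.
REQUIRED = ["203.0.113.5", "192.0.2.21", "192.0.2.16/30",
            "198.51.100.8", "2001:db8::1"]

if __name__ == "__main__":
    for needed, entries in find_conflicts(SAMPLE_FEED, REQUIRED).items():
        print(f"{needed} is covered by feed entry: {', '.join(entries)}")
```

Each reported feed entry is a candidate for the list exceptions of a custom external dynamic list built on the predefined feed.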