Palo Alto Networks Malicious IP Address Feeds

With an active Threat Prevention subscription, Palo Alto Networks now provides two malicious IP address feeds. These IP address feeds allow you to leverage the latest Palo Alto Networks threat intelligence when blocking traffic by IP address.
  • Palo Alto Networks - Known malicious IP addresses—Contains IP addresses that Palo Alto Networks has verified as malicious.
  • Palo Alto Networks - High risk IP addresses—Contains malicious IP addresses from threat advisories issued by trusted third-party organizations.
Palo Alto Networks delivers updated versions of the IP address feeds as part of the daily antivirus content updates for the firewall. Entries from the most recent version of a feed replace the entries from older versions. The feeds are predefined, which means that you cannot modify their contents. However, you can create a new external dynamic list that uses either of the predefined IP address feeds as a source, which lets you exclude specific IP addresses from the feed if necessary.
Assess your organization’s threat prevention strategy before referencing the Palo Alto Networks malicious and high-risk IP address feeds in security policy rules. Palo Alto Networks employs a variety of safety checks to prevent shared or legitimate IP addresses from being added to the known malicious IP address feed; however, it is possible for an IP address in the feed to be mapped to multiple servers, some of which might not exhibit malicious behavior. Furthermore, while the high risk IP address feed comes from trusted third-party sources, Palo Alto Networks does not regulate the contents of this feed.
To monitor traffic associated with the known malicious or high-risk IP address feed, create a security policy rule reserved for blocking traffic from the feed, then filter the Traffic log by the rule you created.
  1. Confirm that the firewall can access the Palo Alto Networks malicious IP address feeds.
  2. View the contents of the Palo Alto Networks malicious IP address feeds directly on the firewall.
    View external dynamic list entries for the following malicious IP address feeds:
    • Palo Alto Networks - High risk IP addresses
    • Palo Alto Networks - Known malicious IP addresses
    Filter the list to check that it does not contain IP addresses you need to access.
    [Screenshot: edl-filter-entries.png]
    If you have an active AutoFocus subscription, hover over any of the IP addresses in the list to open the drop-down and view an AutoFocus Intelligence Summary for it.
    You cannot delete, clone, edit, or exclude IP addresses from a Palo Alto Networks malicious IP address feed.
  3. (Optional) Create a new external dynamic list that uses a Palo Alto Networks IP address feed as a source.
    • In the Type drop-down, select Predefined IP List.
    • Select a Palo Alto Networks IP address feed to use as a Source for your external dynamic list.
    [Screenshot: edl-custom-list.png]
    The firewall updates the custom external dynamic list you just created each time it receives an update for the Palo Alto Networks IP address feed, but your list exceptions are preserved.
  4. Use a Palo Alto Networks malicious IP address feed to block network traffic.
    Enforce policy on entries in an external dynamic list. Use the known malicious or high-risk IP address feed (or custom list based on either of these feeds) as a source or destination address object in a Security policy rule.
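The check in step 2 (confirm the feed does not cover addresses you still need to reach) and the exception list in step 3 can be worked out offline before you commit a policy rule. The following script is an added example, not Palo Alto Networks code: it models a feed as one entry per line in the IP, CIDR and start-end range forms an IP external dynamic list accepts, compares it against a list of addresses the organization must reach, and reports which feed entries would block them and which single addresses to add as exceptions to a custom external dynamic list. The sample feed contents and the must-reach list are constructed for the example.

```python
"""Added example (not Palo Alto Networks code): check a malicious IP feed
against addresses you must still reach, and derive the exception entries
for a custom external dynamic list built on that feed.

Assumptions (not from the page): the feed is modelled as one entry per
line in the IP / CIDR / 'start-end' range forms an IP external dynamic
list accepts; the sample feed and the must-reach list are constructed.
"""
import ipaddress

# Constructed sample feed contents (not real feed data).
SAMPLE_FEED = """\
198.51.100.7
203.0.113.0/24
192.0.2.10-192.0.2.20
2001:db8:bad::1
"""

# Constructed list of addresses this organization must be able to reach,
# e.g. a SaaS provider on shared hosting or a partner's mail relay.
MUST_REACH = ["203.0.113.45", "192.0.2.15", "198.51.100.200"]


def parse_entry(entry):
    """Return a list of ip_network objects covering one feed entry.

    Handles single IPs, CIDR blocks and 'start-end' ranges. Returns []
    for lines that are blank or unparsable so one bad line cannot abort
    the whole check.
    """
    entry = entry.strip()
    if not entry:
        return []
    try:
        if "-" in entry:
            start, end = entry.split("-", 1)
            return list(ipaddress.summarize_address_range(
                ipaddress.ip_address(start.strip()),
                ipaddress.ip_address(end.strip())))
        return [ipaddress.ip_network(entry, strict=False)]
    except (ValueError, TypeError):
        return []


def find_conflicts(feed_text, must_reach):
    """Map each feed entry to the must-reach addresses it would block.

    Returns {feed_entry: [address, ...]} containing only feed entries that
    cover at least one address in must_reach. Membership tests across IP
    versions are simply False, so v4 and v6 entries can be mixed.
    """
    needed = [ipaddress.ip_address(a) for a in must_reach]
    conflicts = {}
    for line in feed_text.splitlines():
        nets = parse_entry(line)
        hits = [str(a) for a in needed if any(a in n for n in nets)]
        if hits:
            conflicts[line.strip()] = hits
    return conflicts


def exception_entries(feed_text, must_reach):
    """Return the addresses to add as exceptions to a custom external
    dynamic list built on this feed: one single address per must-reach
    address the feed covers. Excluding only the single address keeps the
    rest of the feed entry (for example the rest of a /24) in force.
    """
    conflicts = find_conflicts(feed_text, must_reach)
    unique = {addr for hits in conflicts.values() for addr in hits}
    # Sort v4 before v6, then numerically; cross-version comparison of
    # ip_address objects would raise, so sort on (version, integer value).
    return sorted(unique, key=lambda s: (ipaddress.ip_address(s).version,
                                         int(ipaddress.ip_address(s))))


if __name__ == "__main__":
    for entry, hits in find_conflicts(SAMPLE_FEED, MUST_REACH).items():
        print(f"feed entry {entry} would block: {', '.join(hits)}")
    print("exceptions to configure:",
          exception_entries(SAMPLE_FEED, MUST_REACH))
```

Run against the constructed input, the script reports that the /24 entry and the address range each cover one must-reach address, and proposes those two single addresses as the exception entries; the rest of each feed entry stays in force, which is the narrowest exclusion that restores access.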