Configure the Firewall to Access an External Dynamic List
You must establish the connection between the firewall and the source that hosts the external dynamic list before you can Enforce Policy on an External Dynamic List.
- (Optional) Customize the service route that the firewall uses to retrieve external dynamic lists. By default, the firewall uses the management interface to access external services. External dynamic lists are treated as a Palo Alto Networks service, so if you have customized the service route that the firewall uses for all Palo Alto Networks services, external dynamic lists use that service route. If you want the firewall to use a different service route for external dynamic list updates than the route it uses for other Palo Alto Networks services, select Device > Setup > Services > Service Route Configuration > Customize and modify the External Dynamic Lists service route. The firewall does not use the External Dynamic Lists service route to retrieve the Palo Alto Networks Malicious IP Address Feeds; it receives updates to these feeds through daily antivirus content updates (active Threat Prevention license required).
- Find an external dynamic list to use with the firewall.
- Create an external dynamic list and host it on a web server. Enter IP addresses, domains, or URLs in a blank text file. Each list entry must be on a separate line. For example:
    financialtimes.co.in
    www.wallaby.au/joey
    www.exyang.com/auto-tutorials/How-to-enter-Data-for-Success.aspx
    *.example.com/*
    abc?*/abc.com
    *&*.net
  See the Formatting Guidelines for an External Dynamic List to ensure that the firewall does not skip list entries. To prevent commit errors and invalid entries, do not prefix http:// or https:// to any of the entries.
- Use an external dynamic list hosted by another source and verify that it follows the Formatting Guidelines for an External Dynamic List.
- Select Objects > External Dynamic Lists.
- Click Add and enter a descriptive Name for the list.
- (Optional) Select Shared to share the list with all virtual systems on a device that is enabled for multiple virtual systems. By default, the object is created on the virtual system that is currently selected in the Virtual Systems drop-down.
- (Panorama only) Select Disable override to ensure that a firewall administrator cannot override settings locally on a firewall that inherits this configuration through a Device Group commit from Panorama.
- Select the list Type (for example, URL List). Ensure that the list only includes entries for the list type. See Verify whether entries in the external dynamic list were ignored or skipped.
- Enter the Source for the list you just created on the web server. The source must include the full path to access the list. For example, https://126.96.36.199/EDL_IP_2015. If you are creating a list of type Predefined IP, select a Palo Alto Networks malicious IP address feed to use as a source.
- If the list source is secured with SSL (i.e., lists with an HTTPS URL), enable server authentication. Select a Certificate Profile or create a New Certificate Profile for authenticating the server that hosts the list. The certificate profile you select must contain the root CA (certificate authority) and intermediate CA certificates that match the certificates installed on the server you are authenticating. To maximize the number of external dynamic lists that you can use to enforce policy, use the same certificate profile to authenticate all external dynamic lists from the same source URL; if you assign different certificate profiles to lists from the same source URL, the firewall counts each list as a unique external dynamic list.
- Enable client authentication if the list source has an HTTPS URL and requires basic HTTP authentication for list access.
  - Select Client Authentication.
  - Enter a valid Username to access the list.
  - Enter the Password and Confirm Password.
- (Not available on Panorama) Click Test Source URL to verify that the firewall can connect to the web server.
- (Optional) Specify the Repeat frequency at which the firewall retrieves the list. By default, the firewall retrieves the list once every hour and commits the changes. The interval is relative to the last commit: with the five-minute interval, for example, the commit occurs in 5 minutes if the last commit was an hour ago. To retrieve the list immediately, see Retrieve an External Dynamic List from the Web Server.
- Click OK and Commit.
- Enforce Policy on an External Dynamic List. If the server or client authentication fails, the firewall ceases to enforce policy based on the last successfully retrieved external dynamic list. Find External Dynamic Lists That Failed Authentication and view the reasons for authentication failure.
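The following pre-flight checker is an added example and not Palo Alto Networks code. Before hosting a list file on the web server (the "Create an external dynamic list" step above), it flags entries the firewall is likely to skip or reject at commit: more than one entry on a line, an http:// or https:// prefix, and entries that do not match the list type chosen in the Type field. The first two rules are the ones this page states; the type checks are assumptions of what "entries for the list type" means (an IP list entry must parse as an IPv4/IPv6 address or CIDR network, a domain list entry must not carry a path or port, and a bare IP network does not belong in a URL list). The firewall's authoritative syntax is its Formatting Guidelines for an External Dynamic List, which this script does not reproduce. The sample lists are constructed for the example and deliberately contain mistakes.

```python
"""Pre-flight checker for an external dynamic list file (added example, not
Palo Alto Networks code). Implements the two rules the page states plus
assumed per-type checks; the firewall's Formatting Guidelines remain the
authority on accepted syntax."""
import ipaddress
import re
from typing import List, Tuple

# Constructed sample URL list with deliberate mistakes on lines 2, 3 and 4.
SAMPLE_URL_LIST = """\
financialtimes.co.in
https://www.wallaby.au/joey
www.exyang.com/auto-tutorials/How-to-enter-Data-for-Success.aspx *.example.com/*
10.0.0.0/8
"""

# Constructed sample IP list with deliberate mistakes on lines 4 and 5.
SAMPLE_IP_LIST = """\
192.0.2.10
198.51.100.0/24
2001:db8::1
example.com
http://203.0.113.7
"""

_SCHEME = re.compile(r"^https?://", re.IGNORECASE)
# Assumed hostname shape: dot-separated labels, optional leading "*." wildcard label.
_DOMAIN = re.compile(r"^(\*\.)?([A-Za-z0-9-]+\.)+[A-Za-z0-9-]+$")

Problem = Tuple[int, str, str]  # (line number, entry, reason)


def _is_ip_network(entry: str) -> bool:
    """True if the entry parses as a single address or a CIDR network."""
    try:
        ipaddress.ip_network(entry, strict=False)
        return True
    except ValueError:
        return False


def _check_domain(entry: str) -> str:
    """Assumed domain-list rule: a host name only, no path and no port."""
    if "/" in entry or ":" in entry:
        return "contains a path or port; belongs in a URL list, not a domain list"
    if not _DOMAIN.match(entry):
        return "not a valid hostname"
    return ""


def check_edl(text: str, list_type: str) -> List[Problem]:
    """Return one (line_no, entry, reason) per entry the firewall would likely
    skip or reject. list_type is 'ip', 'domain' or 'url'. Blank lines are
    ignored (assumption: they carry no entry)."""
    if list_type not in ("ip", "domain", "url"):
        raise ValueError("list_type must be 'ip', 'domain' or 'url'")
    problems: List[Problem] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        # Page rule: each list entry must be on a separate line.
        if len(line.split()) > 1:
            problems.append((line_no, line, "more than one entry on a line"))
            continue
        # Page rule: never prefix http:// or https:// (causes commit errors).
        if _SCHEME.match(line):
            problems.append((line_no, line, "http:// or https:// prefix causes commit errors"))
            continue
        # Assumed per-type checks.
        if list_type == "ip":
            reason = "" if _is_ip_network(line) else "not an IP address or CIDR network"
        elif list_type == "domain":
            reason = _check_domain(line)
        else:  # url list
            reason = "bare IP address or network belongs in an IP list" if _is_ip_network(line) else ""
        if reason:
            problems.append((line_no, line, reason))
    return problems


def report(text: str, list_type: str) -> str:
    """Human-readable summary of check_edl() for a file about to be hosted."""
    problems = check_edl(text, list_type)
    if not problems:
        return f"{list_type} list: no problems found"
    lines = [f"{list_type} list: {len(problems)} entries need attention"]
    lines += [f"  line {n}: {entry!r}: {why}" for n, entry, why in problems]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_URL_LIST, "url"))
    print(report(SAMPLE_IP_LIST, "ip"))
```

Run it against the text file before uploading it, or against the file the web server already serves, so that a bad entry is caught by the checker rather than noticed later through the firewall's skipped-entry warnings.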