Enforce Policy on an External Dynamic List

Block or allow traffic based on IP addresses or URLs in an external dynamic list, or use a dynamic domain list with a DNS sinkhole to prevent access to malicious domains. Refer to the procedures below for the ways you can use external dynamic lists to enforce policy on the firewall.
  • Use an External Dynamic List of Type URL as Match Criteria in a Security Policy Rule.
    1. Select Policies > Security.
    2. Click Add and enter a descriptive Name for the rule.
    3. In the Source tab, select the Source Zone.
    4. In the Destination tab, select the Destination Zone.
    5. In the Service/URL Category tab, click Add to select the appropriate external dynamic list from the URL Category list.
    6. In the Actions tab, set the Action Setting to Allow or Deny.
    7. Click OK and Commit.
    8. Verify whether entries in the external dynamic list were ignored or skipped.
       Use the following CLI command on a firewall to review the details for a list:
       request system external-list show type <domain | ip | url> name_of_list
       For example:
       request system external-list show type url EBL_ISAC_Alert_List
    9. Test that the policy action is enforced.
       1. View External Dynamic List Entries for the URL list, and attempt to access a URL from the list.
       2. Verify that the action you defined is enforced.
       3. To monitor the activity on the firewall:
         • Select ACC and add a URL Domain as a global filter to view the Network Activity and Blocked Activity for the URL you accessed.
         • Select Monitor > Logs > URL Filtering to access the detailed log view.
  • Use an External Dynamic List of Type IP or Predefined IP as a Source or Destination Address Object in a Security Policy Rule.
    This capability is useful if you deploy new servers and want to allow access to the newly deployed servers without requiring a firewall commit.
    1. Select Policies > Security.
    2. Click Add and give the rule a descriptive name in the General tab.
    3. In the Source tab, select the Source Zone and optionally select the external dynamic list as the Source Address.
    4. In the Destination tab, select the Destination Zone and optionally select the external dynamic list as the Destination Address.
    5. In the Service/URL Category tab, make sure the Service is set to application-default.
    6. In the Actions tab, set the Action Setting to Allow or Deny.
       Create separate external dynamic lists if you want to specify allow and deny actions for specific IP addresses.
    7. Leave all the other options at the default values.
    8. Click OK to save the changes.
    9. Commit the changes.
    10. Test that the policy action is enforced.
       1. View External Dynamic List Entries for the external dynamic list, and attempt to access an IP address from the list.
       2. Verify that the action you defined is enforced.
       3. Select Monitor > Logs > Traffic and view the log entry for the session.
       4. To verify the policy rule that matches a flow, use the following CLI command:
          test security-policy-match source <IP_address> destination <IP_address> destination port <port_number> protocol <protocol_number>
    Tips for enforcing policy on the firewall with external dynamic lists:
      • When viewing external dynamic lists on the firewall (Objects > External Dynamic Lists), click List Capacities to compare how many IP addresses, domains, and URLs are currently used in policy with the total number of entries that the firewall supports for each list type.
      • Use Global Find to search the firewall or Panorama management server for a domain, IP address, or URL that belongs to one or more external dynamic lists used in policy. This is useful for determining which external dynamic list (referenced in a Security policy rule) is causing the firewall to block or allow a certain domain, IP address, or URL.
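The following added example (not from this page or from Palo Alto Networks) checks an IP-type list before you publish it, covering two points from the procedures above: entries the firewall would skip (step 8) and addresses that appear in both an allow list and a deny list (the tip under step 6). It assumes the IP-list conventions of one entry per line, an IPv4/IPv6 address or CIDR prefix, and '#' comments; the sample lists are constructed.

```python
import ipaddress

# Constructed sample lists (not from the original page). Entries follow the
# PAN-OS IP-list conventions this example assumes: one entry per line, an
# IPv4/IPv6 address or CIDR prefix, and '#' starting a comment.
ALLOW_LIST = """\
# newly deployed app servers
10.20.30.0/24
10.20.31.7
2001:db8:10::/64
"""

DENY_LIST = """\
# blocked hosts
10.20.30.44        # also inside the allow list's /24
198.51.100.0/24
300.1.2.3          # not a valid address: the firewall would skip it
not-an-ip
"""

def parse_ip_edl(text):
    """Return (networks, skipped). 'skipped' holds (line_no, entry) for lines
    that are not valid addresses or prefixes and would be ignored."""
    networks, skipped = [], []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not entry:
            continue
        try:
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            skipped.append((line_no, entry))
    return networks, skipped

def overlapping_entries(allow_nets, deny_nets):
    """Pairs of entries that cover the same addresses in both lists; such an
    address matches both rules, so rule order decides the outcome."""
    return [(a, d) for a in allow_nets for d in deny_nets
            if a.version == d.version and a.overlaps(d)]

def check_lists(allow_text, deny_text):
    allow_nets, allow_skipped = parse_ip_edl(allow_text)
    deny_nets, deny_skipped = parse_ip_edl(deny_text)
    return {"allow_entries": len(allow_nets), "deny_entries": len(deny_nets),
            "skipped": allow_skipped + deny_skipped,
            "overlaps": overlapping_entries(allow_nets, deny_nets)}

if __name__ == "__main__":
    report = check_lists(ALLOW_LIST, DENY_LIST)
    print(report["skipped"], report["overlaps"])
```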
