With an active Threat Prevention license, Palo Alto
Networks provides two feeds with malicious IP addresses that you
can use to secure your network against malicious hosts.
Palo Alto Networks Known Malicious IP Addresses:
IP addresses that are verified malicious based on WildFire analysis,
Unit 42 research, and data gathered from telemetry (see Share
Threat Intelligence with Palo Alto Networks). Attackers use
these IP addresses almost exclusively to distribute malware, initiate
command-and-control activity, and launch attacks.
Palo Alto Networks High-Risk IP Addresses:
Malicious IP addresses from threat advisories issued by trusted
third-party organizations. Palo Alto Networks compiles the list
of threat advisories, but does not have direct evidence of the maliciousness
of the IP addresses.
The firewall receives updates for these feeds through daily antivirus
content updates, allowing you to enforce security policy on the
firewall based on the latest threat intelligence from Palo Alto
Networks. The Palo Alto Networks IP address feeds are predefined,
which means that you cannot modify their contents. You can use them
as-is (see Enforce Policy on an External Dynamic List), or create a
custom external dynamic list that uses either feed as a source (see
Configure the Firewall to Access an External Dynamic List) and
exclude entries from the list as needed.