Palo Alto Networks Malicious IP Address Feeds

With an active Threat Prevention license, Palo Alto Networks provides two feeds with malicious IP addresses that you can use to secure your network against malicious hosts.
  • Palo Alto Networks Known Malicious IP Addresses—Contains IP addresses that are verified malicious based on WildFire analysis, Unit 42 research, and data gathered from telemetry (see Share Threat Intelligence with Palo Alto Networks). Attackers use these IP addresses almost exclusively to distribute malware, initiate command-and-control activity, and launch attacks.
  • Palo Alto Networks High-Risk IP Addresses—Contains malicious IP addresses from threat advisories issued by trusted third-party organizations. Palo Alto Networks compiles the list of threat advisories, but does not have direct evidence of the maliciousness of the IP addresses.
The firewall receives updates for these feeds through daily antivirus content updates, allowing you to enforce security policy on the firewall based on the latest threat intelligence from Palo Alto Networks. The Palo Alto Networks IP address feeds are predefined, which means that you cannot modify their contents. You can use them as-is (see Enforce Policy on an External Dynamic List), or create a custom external dynamic list that uses either feed as a source (see Configure the Firewall to Access an External Dynamic List) and exclude entries from the list as needed.
