Objects > External Dynamic Lists
An external dynamic list is an address object based on an imported list of IP addresses, URLs, or domain names that you can use in policy rules to block or allow traffic. This list must be a text file saved to a web server that is accessible by the firewall. The firewall uses the management (MGT) interface by default to retrieve this list.
With an active Threat Prevention license, Palo Alto Networks® provides two Dynamic IP Lists: Palo Alto Networks - High risk IP addresses and Palo Alto Networks - Known malicious IP addresses. These feeds both contain malicious IP address entries, which you can use to block traffic from malicious hosts. The firewall receives daily updates for these feeds through antivirus content updates.
You can use an IP address list as an address object in the source and destination of your policy rules; you can use a URL List in Objects > Security Profiles > URL Filtering or as match criteria in Security policy rules; and you can use a domain list in Objects > Security Profiles > Anti-Spyware Profile for sinkholing specified domain names.
On each firewall model, you can use up to 30 external dynamic lists with unique sources across all Security policy rules. The maximum number of entries that the firewall supports for each list type varies based on the firewall model (view the different firewall limits for each external dynamic list type). List entries only count toward the maximum limit if the external dynamic list is used in policy. If you exceed the maximum number of entries that are supported on a model, the firewall generates a System log and skips the entries that exceed the limit. To check the number of IP addresses, domains, and URLs currently used in policy and the total number supported on the firewall, click List Capacities (firewall only).
To retrieve the latest version of the external dynamic list from the server that hosts it, select an external dynamic list and click Import Now.
You cannot delete, clone, or edit the settings of the Palo Alto Networks malicious IP address feeds.
Click Add to create a new external dynamic list and configure the settings described in the table below.
External Dynamic List Settings
Enter a name to identify the external dynamic list (up to 32 characters). This name identifies the list when you use the list to enforce policy.
Select this option if you want the external dynamic list to be available to:
Disable override (Panorama only)
Select this option to prevent administrators from overriding the settings of this external dynamic list object in device groups that inherit the object. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the object.
Test Source URL (Firewall only)
Click to verify that the firewall can connect to the server that hosts the external dynamic list.
This test does not check whether the server authenticates successfully.
Create List Tab
You cannot mix IP addresses, URLs, and domain names in a single list. Each list must include entries of only one type.
Select from the following types of external dynamic lists:
Enter a description for the external dynamic list (up to 255 characters).
Enter an HTTP or HTTPS URL path that contains the text file. For example, http://192.0.2.20/myfile.txt.
If the external dynamic list is a Predefined IP List, select Palo Alto Networks - High risk IP addresses or Palo Alto Networks - Known malicious IP addresses as the list source.
If the external dynamic list has an HTTPS URL, select an existing certificate profile (firewall and Panorama) or create a new Certificate Profile (firewall only) for authenticating the web server that hosts the list. For more information on configuring a certificate profile, see Device > Certificate Management > Certificate Profile.
Default: None (Disable Cert profile)
To maximize the number of external dynamic lists that you can use to enforce policy, use the same certificate profile to authenticate external dynamic lists that use the same source URL so that the lists count as only one external dynamic list. External dynamic lists from the same source URL that use different certificate profiles are counted as unique external dynamic lists.
Select this option (disabled by default) to add a username and password for the firewall to use when accessing an external dynamic list source that requires basic HTTP authentication. This setting is available only when the external dynamic list has an HTTPS URL.
Specify the frequency at which the firewall retrieves the list from the web server. You can set the interval to Hourly (default), Five Minute, Daily, Weekly, or Monthly. The firewall automatically commits the changes to the configuration immediately if the last commit was not made within the past 15 minutes; if the last change was within the last 15 minutes, the commit occurs in 15 minutes of the last commit. Any policy rules that reference the list are updated so that the firewall can successfully enforce policy.
You do not have to configure a frequency for a predefined IP list because the firewall dynamically receives content updates with an active Threat Prevention license.
List Entries and Exceptions Tab
Displays the entries in the external dynamic list.
Displays exceptions to the external dynamic list.
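A pre-publication check for the list file, reflecting two rules stated above: each list holds only one entry type, and entries beyond the model's maximum are skipped. This is an added example, not Palo Alto Networks code; the one-entry-per-line layout, the `#` comment handling, the entry patterns, the names `lint_edl` and `matches`, and the limit of 3 are assumptions made for illustration.

```python
import ipaddress
import re

# Hostname pattern for this linter only (assumption): dotted labels, optional "*." prefix.
_DOMAIN = re.compile(r"^(\*\.)?([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)

def _is_ip(entry):
    """True for a single IPv4/IPv6 address or a CIDR block."""
    try:
        ipaddress.ip_network(entry, strict=False)
        return True
    except ValueError:
        return False

def matches(entry, list_type):
    """Does this entry belong in a list declared as 'ip', 'domain' or 'url'?"""
    if list_type == "ip":
        return _is_ip(entry)
    if _is_ip(entry):                      # an address in a domain/URL list is a mixed list
        return False
    if list_type == "domain":
        return bool(_DOMAIN.match(entry))
    if list_type == "url":                 # assumed form: host[/path], no scheme
        return bool(_DOMAIN.match(entry.split("/", 1)[0]))
    raise ValueError(f"unknown list type: {list_type}")

def lint_edl(text, list_type, max_entries):
    """Return (accepted, rejected, skipped) for one list file body."""
    accepted, rejected, skipped = [], [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.strip()
        if not entry or entry.startswith("#"):
            continue                           # blank lines and comments are not entries
        if not matches(entry, list_type):
            rejected.append((lineno, entry))   # wrong type for the declared list
        elif len(accepted) >= max_entries:
            skipped.append((lineno, entry))    # would fall past the capacity limit
        else:
            accepted.append(entry)
    return accepted, rejected, skipped

# Constructed sample: an IP list with one stray domain, checked against a placeholder limit.
SAMPLE = """\
# constructed sample feed
198.51.100.7
203.0.113.0/24
malware.example.net
2001:db8::/32
192.0.2.55
"""

if __name__ == "__main__":
    print(lint_edl(SAMPLE, "ip", max_entries=3))
```

Set `max_entries` to the limit for your firewall model and list type; any non-empty `rejected` or `skipped` result is worth fixing before the firewall's next scheduled retrieval.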