Block or allow traffic based on IP addresses
or URLs in an external dynamic list, or use a dynamic domain list
with a DNS sinkhole to prevent access to malicious domains. Refer
to the table below for the ways you can use external dynamic lists
to enforce policy on the firewall.
To verify which policy rule matches a flow, select Device > Troubleshooting and execute a Security Policy Match test.
Tips for enforcing policy on the firewall with
external dynamic lists:
When viewing external dynamic lists on the firewall (Objects > External Dynamic Lists), click List Capacities to compare how many IP addresses, domains, and URLs are currently used in policy with the total number of entries that the firewall supports for each list type.
Use Global Find to search the firewall or Panorama management server for a domain, IP address, or URL that belongs to one or more external dynamic lists used in policy. This is useful for determining which external dynamic list (referenced in a Security policy rule) is causing the firewall to block or allow a certain domain, IP address, or URL.
Use the directional controls at the bottom of the page to change the evaluation order of EDLs. This allows you to order the lists so that the most important entries in an EDL are committed before capacity limits are reached.
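The capacity and ordering tips above can be checked before a commit. The following is an added example, not code from the page or from Palo Alto Networks: it assumes an IP-type list is a plain text file with one entry per line (single address, CIDR prefix, or `a-b` range, with `#` comments), validates the entries, and then walks the lists in their evaluation order against an assumed total capacity to show which entries would fall past the limit.

```python
import ipaddress

# Constructed sample of an IP-type EDL file. The one-entry-per-line format
# with '#' comments is an assumption of this example, not quoted from the page.
SAMPLE_IP_LIST = """\
# ip-blocklist.txt (constructed sample)
192.0.2.10
198.51.100.0/24
203.0.113.5-203.0.113.9
not-an-ip
"""


def parse_ip_entries(text):
    """Split an IP-type list into (valid, invalid) entries.

    Accepts a single address, a CIDR prefix, or a 'low-high' range of the
    same address family; blank lines and '#' comments are skipped.
    """
    valid, invalid = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            if "-" in line:
                lo, hi = (ipaddress.ip_address(p.strip()) for p in line.split("-", 1))
                if lo.version != hi.version or lo > hi:
                    raise ValueError(line)
            else:
                ipaddress.ip_network(line, strict=False)
            valid.append(line)
        except ValueError:
            invalid.append(line)
    return valid, invalid


def commit_order(ordered_lists, capacity):
    """Simulate filling an assumed total capacity in EDL evaluation order.

    ordered_lists is [(name, entries), ...] in the order shown on the
    firewall; returns (committed, dropped) as (name, entry) pairs so the
    operator can see whether the most important list fits entirely.
    """
    committed, dropped = [], []
    for name, entries in ordered_lists:
        for entry in entries:
            target = committed if len(committed) < capacity else dropped
            target.append((name, entry))
    return committed, dropped
```

Move the critical list first and re-run `commit_order` to confirm its entries land in `committed` rather than `dropped`.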