Block or allow traffic based on IP addresses
or URLs in an external dynamic list, or use a dynamic domain list
with a DNS sinkhole to prevent access to malicious domains. Refer
to the table below for the ways you can use external dynamic lists
to enforce policy on the firewall.
To verify which policy rule matches a given flow, select Device > Troubleshooting and run a Security Policy Match test.
Tips for enforcing policy on the firewall with external dynamic lists:
When viewing external dynamic lists on the firewall (Objects > External Dynamic Lists), click List Capacities to compare how many IP addresses, domains, and URLs are currently used in policy with the total number of entries that the firewall supports for each list type.
Use Global Find to search the firewall or Panorama management server for an IP address that belongs to one or more external dynamic lists used in policy. This is useful for determining which external dynamic list (referenced in a Security policy rule) is causing the firewall to block or allow a certain IP address.
Use the directional controls at the bottom of the page to change the evaluation order of EDLs. Order the lists so that the entries you most need are committed before the capacity limit for that list type is reached; entries that are processed after the limit has been reached are not committed, so a large, low-value list placed ahead of a small, high-value one can silently push the high-value entries out.
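The two tips above (finding which list contains an address, and ordering lists against a capacity limit) can be reasoned about offline. The following is an added example, not PAN-OS code or part of this page: it parses a few constructed IP lists written in the single-entry-per-line format (address, CIDR block, or start-end range, with '#' comments), fills a constructed capacity in evaluation order, and then reports which committed lists contain an address, the way Global Find would. The list names, their contents, the capacity figure of 200, and the simplification that every line counts as one entry toward the limit are all assumptions for illustration.

```python
"""Offline model of EDL IP matching, evaluation order and list capacity.

Added example, not PAN-OS code. List contents, names and the capacity
figure are constructed; the one-line-equals-one-entry accounting is a
simplification assumed for illustration.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample lists in the IP-list text format: one entry per line,
# each a single address, a CIDR block or a "start-end" range; '#' comments.
EDL_SOURCES: Dict[str, str] = {
    "threat-feed-high": "203.0.113.0/24\n198.51.100.7\n# legacy block\n192.0.2.10-192.0.2.20\n",
    "partner-allow": "198.51.100.0/25\n203.0.113.77\n",
    # A bulk feed of 199 individual addresses, 192.0.2.1 .. 192.0.2.199.
    "threat-feed-bulk": "\n".join(f"192.0.2.{i}" for i in range(1, 200)) + "\n",
}

# Constructed capacity for the IP list type; on a real firewall use the
# figure shown under Objects > External Dynamic Lists > List Capacities.
IP_CAPACITY = 200

Entry = Tuple[int, int, int]  # (first address, last address, IP version)


def parse_ip_list(text: str) -> List[Entry]:
    """Parse one IP list into (lo, hi, version) integer triples."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        if "-" in line:  # start-end range
            lo_s, hi_s = line.split("-", 1)
            lo = ipaddress.ip_address(lo_s.strip())
            hi = ipaddress.ip_address(hi_s.strip())
            if lo.version != hi.version or int(lo) > int(hi):
                raise ValueError(f"bad range entry: {line}")
            entries.append((int(lo), int(hi), lo.version))
        else:  # single address or CIDR block
            net = ipaddress.ip_network(line, strict=False)
            entries.append((int(net.network_address), int(net.broadcast_address), net.version))
    return entries


def commit_in_order(order: List[str], sources: Dict[str, str] = EDL_SOURCES,
                    capacity: int = IP_CAPACITY):
    """Fill the capacity in evaluation order.

    Returns (committed entries per list, skipped count per list, entries used).
    Entries processed after the limit is reached are not committed.
    """
    committed: Dict[str, List[Entry]] = {}
    skipped: Dict[str, int] = {}
    used = 0
    for name in order:
        entries = parse_ip_list(sources[name])
        room = max(capacity - used, 0)
        committed[name] = entries[:room]
        skipped[name] = len(entries) - len(committed[name])
        used += len(committed[name])
    return committed, skipped, used


def find_ip(ip: str, committed: Dict[str, List[Entry]]) -> List[str]:
    """Global Find style lookup: names of committed lists containing ip."""
    addr = ipaddress.ip_address(ip)
    return [
        name for name, entries in committed.items()
        if any(v == addr.version and lo <= int(addr) <= hi for lo, hi, v in entries)
    ]


if __name__ == "__main__":
    for order in (["threat-feed-bulk", "threat-feed-high", "partner-allow"],
                  ["threat-feed-high", "partner-allow", "threat-feed-bulk"]):
        committed, skipped, used = commit_in_order(order)
        print(f"order {order}: {used}/{IP_CAPACITY} entries used, skipped {skipped}")
        print("  198.51.100.7 ->", find_ip("198.51.100.7", committed))
```

With the bulk feed evaluated first, it consumes 199 of the 200 entries, the high-priority feed gets a single entry committed and the allow list none, so 198.51.100.7 is found in no list at all. With the small lists first, everything of value is committed and only the tail of the bulk feed is dropped.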