Policy Object: External Dynamic Lists

Where Can I Use This?
  • NGFW (Cloud Managed)
  • NGFW (PAN-OS & Panorama Managed)
  • Prisma Access (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Panorama)
What Do I Need?
Check for any license or role requirements for the products you're using.
An external dynamic list is an address object based on an imported list of IP addresses, URLs, domain names, International Mobile Equipment Identities (IMEIs), or International Mobile Subscriber Identities (IMSIs) that you can use in security rules to block or allow traffic. The list must be a text file hosted on a web server that the firewall can reach. By default, the management (MGT) interface is used to retrieve this list.
With an active Threat Prevention license, Palo Alto Networks provides multiple built-in dynamic IP lists that you can use to block malicious hosts. We update the lists daily based on our latest threat research.
You can use an IP address list as an address object in the source and destination of your security rules; you can use a URL List in a URL Filtering profile or as a match criteria in Security rules; and you can use a domain list (Anti-Spyware Profile) as a sinkhole for specified domain names.
You can use up to 30 external dynamic lists with unique sources across all Security rules. The maximum number of entries supported for each list type varies by model (refer to the different limits for each external dynamic list type). List entries count toward the maximum limit only if the external dynamic list is used in a security rule. If you exceed the maximum number of supported entries, the firewall generates a System log and skips the entries that exceed the limit.
The external dynamic lists are shown in the order they are evaluated from top to bottom. Use the directional controls at the bottom of the page to change the list order. This enables you to reorder the lists to make sure that the most important entries in an external dynamic list are committed before you reach capacity limits.
  • You can't change the external dynamic list order when lists are grouped by type.
  • You can't delete, clone, or edit the settings of the Palo Alto Networks malicious IP address feeds.
To configure this and any other Object settings, go to:
  • Manage > Configuration > NGFW and Prisma Access > Objects on Cloud Managed deployments, and select the object you want to configure.
  • Objects on PAN-OS and Panorama Managed deployments, and select the object you want to configure from the panel on the left.

External Dynamic Lists Fields

The following table lists the fields to be configured when adding a new External Dynamic List. Become familiar with these settings before you Configure Your Environment to Access an External Dynamic List:
External Dynamic List Settings
Description
Name
Enter a name to identify the external dynamic list (up to 32 characters). This name identifies the list for security rule enforcement.
Shared
(Multiple virtual systems (multi-vsys) and Panorama only)
Enable this option if you want the external dynamic list to be available to:
  • Every virtual system (vsys) on a multi-vsys firewall.
    If you disable (clear) this option, the external dynamic list is available only to the Virtual System you select.
  • Every device group on Panorama.
    If you disable (clear) this option, the external dynamic list is available only to the Device Group you select.
Disable override (Panorama only)
Enable this option to prevent administrators from overriding the settings of this external dynamic list object in device groups that inherit the object. This option is disabled (cleared) by default, which means administrators can override the settings for any device group that inherits the object.
Test Source URL (PAN-OS only)
Test Source URL to verify that the server that hosts the external dynamic list is reachable.
This test does not check whether the firewall can authenticate to the server.
Create List Tab
Type
You cannot mix IP addresses, URLs, and domain names in a single list. Each list must include entries of only one type.
Select from the following types of external dynamic lists:
  • Predefined IP List—Use a list that Palo Alto Networks identifies as bulletproof IP addresses, known malicious IP addresses, or high risk IP addresses as a source of list entries (requires an active Threat Prevention license).
  • Predefined URL List—Use a list of domains that Palo Alto Networks identifies as trusted to exclude these domains from Authentication policy.
  • IP List (default)—Each list can include IPv4 or IPv6 addresses, address ranges, and subnets. The list must contain only one IP address, range, or subnet per line. For example:
    192.168.80.150/32 
    2001:db8:123:1::1 or 2001:db8:123:1::/64 
    192.168.80.0/24 
    2001:db8:123:1::1 - 2001:db8:123:1::22 
    In the example above, the line 192.168.80.0/24 indicates all addresses from 192.168.80.0 through 192.168.80.255. A subnet or an IP address range, such as 192.168.20.0/24 or 192.168.20.40 - 192.168.20.50, counts as one IP address entry and not as multiple IP addresses.
  • Domain List—Each list can contain only one domain name entry per line. For example:
    www.p301srv03.paloaltonetworks.com 
    ftp.example.co.uk 
    test.domain.net 
    For the list of domains included in the external dynamic list, a set of custom signatures of the spyware type with medium severity is created so that you can use the sinkhole action for a custom list of domains.
  • URL List—Each list can have only one URL entry per line. For example:
    financialtimes.co.in 
    www.wallaby.au/joey 
    www.exyang.com/auto-tutorials/How-to-enter-Data-for-Success.aspx 
    *.example.com/* 
    For each URL list, the default action is set to Allow.
  • Subscriber Identity List—Each list contains subscriber IDs for a 3G, 4G, or 5G network. In the Source field, enter a URL from where the list can be accessed.
  • Equipment Identity List—Each list contains equipment IDs for a 3G, 4G, or 5G network. In the Source field, enter a URL from where the list can be accessed.
    Determine which model to purchase based on the total number of 3G, 4G, and 5G network identifiers you need your external dynamic list and static entries to support.
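As an added example (not part of this documentation and not a Palo Alto Networks tool), the following Python checker applies the list-format rules above to an EDL text file before you publish it to the web server: one entry per line, only one entry type per list, and a subnet or range counted as a single entry. The sample list contents are constructed for the example.

```python
import ipaddress
import re

# Constructed sample EDL files (not from the documentation page).
SAMPLE_IP_LIST = """192.168.80.150/32
2001:db8:123:1::/64
192.168.80.0/24
2001:db8:123:1::1 - 2001:db8:123:1::22
"""
SAMPLE_URL_LIST = "financialtimes.co.in\nwww.wallaby.au/joey\n*.example.com/*\n"
SAMPLE_MIXED_LIST = "192.168.80.0/24\nftp.example.co.uk\n"

# Bare hostname, optionally with a leading "*." wildcard label.
_DOMAIN_RE = re.compile(r"^(\*\.)?([a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)


def classify(line):
    """Return 'ip' for an address, subnet or range, 'domain' for a bare
    hostname, 'url' for an entry with a path or wildcard, else None."""
    line = line.strip().replace("\u2013", "-")  # tolerate an en dash in ranges
    if " - " in line:
        lo, hi = (p.strip() for p in line.split(" - ", 1))
        a, b = ipaddress.ip_address(lo), ipaddress.ip_address(hi)
        if a.version != b.version or a > b:
            raise ValueError(f"bad range: {line}")
        return "ip"
    try:
        ipaddress.ip_network(line, strict=False)  # single host or subnet
        return "ip"
    except ValueError:
        pass
    if _DOMAIN_RE.match(line):
        return "domain"
    if "/" in line or "*" in line:
        return "url"
    return None


def validate_edl(text):
    """Check one entry per line and one type per list.
    Returns (list_type, entry_count); a range or subnet counts as one entry."""
    entries = [l.strip() for l in text.splitlines() if l.strip()]
    kinds = set()
    for entry in entries:
        kind = classify(entry)
        if kind is None:
            raise ValueError(f"unrecognized entry: {entry}")
        kinds.add(kind)
    if kinds == {"domain", "url"}:  # a URL list may hold bare hostnames too
        return "url", len(entries)
    if len(kinds) != 1:
        raise ValueError(f"mixed entry types in one list: {sorted(kinds)}")
    return kinds.pop(), len(entries)
```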
Description
Enter a description for the external dynamic list (up to 255 characters).
Source
  • If the external dynamic list is a Predefined IP List, select Palo Alto Networks - Bulletproof IP addresses, Palo Alto Networks - High risk IP addresses, or Palo Alto Networks - Known malicious IP addresses as the list source.
  • If the external dynamic list is a Predefined URL List, the default setting is panw-auth-portal-exclude-list.
  • If the external dynamic list is an IP List, a Domain List, or a URL List, enter an HTTP or HTTPS URL path that contains the text file (for example, http://192.0.2.20/myfile.txt).
  • If the external dynamic list is a Domain List, you can Automatically expand to include subdomains. This option enables the PAN-OS® software to evaluate all lower-level components of the domain names listed in the external dynamic list file. This option is disabled by default.
  • If the external dynamic list is a Subscriber Identity List or Equipment Identity List, enter a URL path that contains the list.
If you enable subdomain expansion, the expanded entries count toward your appliance model's capacity limit. You can disable this feature if you want to define subdomains manually; however, subdomains that are not explicitly listed are then not evaluated by policy rules.
Certificate Profile
(IP List, Domain List, or URL List only)
If the external dynamic list has an HTTPS URL, select an existing certificate profile or create a new Certificate Profile for authenticating the web server that hosts the list.
Default: None (Disable Cert profile)
To maximize the number of external dynamic lists that you can use to enforce policy, use the same certificate profile to authenticate external dynamic lists that use the same source URL so that the lists count as only one external dynamic list. External dynamic lists from the same source URL that use different certificate profiles are counted as unique external dynamic lists.
Client Authentication
Enable this option (disabled by default) to add a username and password that will be used when accessing an external dynamic list source that requires basic HTTP authentication. This setting is available only when the external dynamic list has an HTTPS URL.
  • Username—Enter a valid username to access the list.
  • Password/Confirm Password—Enter and confirm the password for the username.
Check for updates
Specify the frequency at which the list is retrieved from the web server: Every Five Minutes (default), Hourly, Daily, Weekly, or Monthly. The interval is relative to the last commit, so with the five-minute interval the next retrieval occurs 5 minutes after the last commit if that commit was an hour ago. The commit updates all security rules that reference the list so that the security rules are successfully enforced.
You do not have to configure a frequency for a predefined IP list because content updates are dynamically received with an active Threat Prevention license.
List Entries and Exceptions Tab
List Entries
Displays the entries in the external dynamic list.
  • Add an entry as a list exception—Select up to 100 entries and Submit.
  • View an AutoFocus threat intelligence summary for an item—Hover over an entry and select AutoFocus from the drop-down. You must have an AutoFocus™ license and enable AutoFocus threat intelligence to view an item summary (select Device > Setup > Management and edit the AutoFocus settings).
  • Check if an IP address, domain, or URL is in the external dynamic list—Enter a value in the filter field and Apply Filter. Clear Filter ( [X] ) to go back to viewing the complete list.
Manual Exceptions
Displays exceptions to the external dynamic list.
  • Edit an exception—Select an exception and make your changes.
  • Manually enter an exception—Add a new exception manually.
  • Remove an exception from the Manual Exceptions list—Select and Delete an exception.
  • Check if an IP address, domain, or URL is in the Manual Exceptions list—Enter a value in the filter field and Apply Filter. Clear Filter ( [X] ) to go back to viewing the complete list. You cannot save your changes to the external dynamic list if you have duplicate entries in the Manual Exceptions list.