Objects > External Dynamic Lists
End-of-Life (EoL)

An external dynamic list is an address object based on an imported list of IP addresses, URLs, or domain names that you can use in policy rules to block or allow traffic. This list must be a text file saved to a web server that is accessible by the firewall. The firewall uses the management (MGT) interface by default to retrieve this list.
With an active Threat Prevention license, Palo Alto Networks® provides multiple built-in dynamic IP lists that you can use to block malicious hosts. We update the lists daily based on our latest threat research.
You can use an IP address list as an address object in the source and destination of your policy rules; you can use a URL list in a URL Filtering profile (Objects > Security Profiles > URL Filtering) or as match criteria in Security policy rules; and you can use a domain list in Objects > Security Profiles > Anti-Spyware Profile for sinkholing specified domain names.
On each firewall model, you can use up to 30 external dynamic lists with unique sources across all Security policy rules. The maximum number of entries that the firewall supports for each list type varies based on the firewall model (view the firewall limits for each external dynamic list type). List entries count toward the maximum only if the external dynamic list is used in policy. If you exceed the maximum number of entries the model supports, the firewall generates a System log and skips the entries that exceed the limit. To check the number of IP addresses, domains, and URLs currently used in policy and the total number supported on the firewall, click List Capacities (firewall only).
The external dynamic lists display in evaluation order, from top to bottom. Use the directional controls (bottom of the page) to change the order of the lists. You can place the most important lists at the top to ensure they are committed before you reach capacity limits.
You cannot change the order of the lists when Group By Type is enabled.
To retrieve the latest version of an external dynamic list from the server that hosts it, select the external dynamic list and click Import Now.
You cannot delete, clone, or edit the settings of the Palo Alto Networks malicious IP address feeds.
Add a new external dynamic list and configure the settings in the table below.
External Dynamic List Settings
Description
Name
Enter a name to identify the external dynamic list (up to 32 characters). This name identifies the list when you use the list to enforce policy.
Shared
Select this option if you want the external dynamic list to be available to:
  • Every virtual system (vsys) on a multi-vsys firewall. If you clear this selection, the external dynamic list will be available only to the Virtual System selected in the Objects tab.
  • Every device group on Panorama. If you clear this selection, the external dynamic list will be available only to the Device Group selected in the Objects tab.
Disable override (Panorama only)
Select this option to prevent administrators from overriding the settings of this external dynamic list object in device groups that inherit the object. This option is disabled (cleared) by default, which means administrators can override the settings for any device group that inherits the object.
Test Source URL (Firewall only)
Click to verify that the firewall can connect to the server that hosts the external dynamic list.
This test does not check whether the server authenticates successfully.
Create List Tab
Type
You cannot mix IP addresses, URLs, and domain names in a single list. Each list must include entries of only one type.
Select from the following types of external dynamic lists:
  • Predefined IP List—Lists of this type use a Palo Alto Networks malicious or high-risk IP address feed as a source of list entries (active Threat Prevention license required).
  • IP List—Each list can include IP ranges and IP subnets in the IPv4 and IPv6 address space. The list must contain only one IP address, range, or subnet per line. Example:
    192.168.80.150/32 
    2001:db8:123:1::1 or 2001:db8:123:1::/64 
    192.168.80.0/24 (this indicates all addresses from 192.168.80.0 through 192.168.80.255) 
    2001:db8:123:1::1 - 2001:db8:123:1::22 
    A subnet or an IP address range, such as 92.168.20.0/24 or 192.168.20.40-192.168.20.50, counts as one IP address entry and not as multiple IP addresses.
  • Domain List—Each list can have only one domain name entry per line. Example:
    www.p301srv03.paloalonetworks.com 
    ftp.example.co.uk 
    test.domain.net 
    For the list of domains included in the external dynamic list, the firewall creates a set of custom signatures of type spyware and medium severity so that you can use the sinkhole action for a custom list of domains.
Description
Enter a description for the external dynamic list (up to 255 characters).
Source
Enter an HTTP or HTTPS URL path that contains the text file (for example, http://192.0.2.20/myfile.txt).
  • If the external dynamic list is a Predefined IP List, select Palo Alto Networks - High risk IP addresses or Palo Alto Networks - Known malicious IP addresses as the list source.
  • If the external dynamic list is a Domain List, you can Automatically expand to include subdomains. This option enables the PAN-OS® software to evaluate all lower-level components of the domain names listed in the external dynamic list file. This option is disabled by default.
If your external dynamic list contains subdomains, these expanded entries count towards your appliance model capacity count. To manually define subdomains, you can disable this feature. However, if you disable this feature, subdomains will not be evaluated by policy rules unless you explicitly define them in the list.
Certificate Profile
If the external dynamic list has an HTTPS URL, select an existing certificate profile (firewall and Panorama) or create a new Certificate Profile (firewall only) for authenticating the web server that hosts the list. For more information on configuring a certificate profile, see Device > Certificate Management > Certificate Profile.
Default: None (Disable Cert profile)
To maximize the number of external dynamic lists you can use to enforce policy, use the same certificate profile to authenticate external dynamic lists from the same source URL. The lists count as only one external dynamic list. Otherwise, external dynamic lists from the same source URL that use different certificate profiles count as unique external dynamic lists.
Client Authentication
Select this option (disabled by default) to add a username and password for the firewall to use when accessing an external dynamic list source that requires basic HTTP authentication. This setting is available only when the external dynamic list has an HTTPS URL.
  • Username—Enter a valid username to access the list.
  • Password/Confirm Password—Enter and confirm the password for the username.
Check for updates
Specify the frequency at which the firewall retrieves the list from the web server. You can set the interval to Hourly (default), Every Five Minutes, Daily, Weekly, or Monthly. The firewall automatically commits changes to the configuration immediately if the last commit was not made within the past 15 minutes; if the last change was within the last 15 minutes, the commit occurs within 15 minutes of the last commit. Any policy rules that reference the list are updated.
You do not have to specify a frequency for a predefined IP list because the firewall dynamically receives content updates with an active Threat Prevention license.
List Entries and Exceptions Tab
List Entries
Displays the entries in the external dynamic list.
  • Add an entry as a list exception—Select up to 100 entries and click Submit.
  • View an AutoFocus™ threat intelligence summary for an item—Hover over an entry, click the drop-down, and click AutoFocus. You must have an AutoFocus license and enable AutoFocus threat intelligence to view an item summary (select Device > Setup > Management and edit the AutoFocus settings).
  • Check if an IP address, domain, or URL is in the external dynamic list—Enter a value in the filter field and Apply Filter. Clear Filter ( [X] ) to return to the complete list.
Manual Exceptions
Displays exceptions to the external dynamic list.
  • Edit an exception—Click on an exception and make your changes.
  • Manually enter an exception—Add a new exception manually.
  • Remove an exception from the Manual Exceptions list—Select and Delete an exception.
  • Check if an IP address, domain, or URL is in the Manual Exceptions list—Enter a value in the filter field and Apply Filter. Clear Filter ( [X] ) to return to the complete list. If you have duplicate entries in the Manual Exceptions list, you cannot save your changes to the external dynamic list.
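
The Type setting above requires one entry per line, a single entry type per list, and counts a subnet or range as one entry. The following pre-publication check for the hosted text file is an added example, not Palo Alto Networks code. It covers IP and domain lists only, and the names lint_edl and capacity (a stand-in for the model-specific entry limit) are assumptions.

```python
import ipaddress
import re

# One DNS label: letters, digits, hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def is_ip_entry(entry):
    """True for a single address, a CIDR subnet, or a 'start-end' range."""
    try:
        ipaddress.ip_network(entry, strict=False)
        return True
    except ValueError:
        lo, sep, hi = entry.partition("-")
    try:
        a, b = ipaddress.ip_address(lo.strip()), ipaddress.ip_address(hi.strip())
    except ValueError:
        return False
    return a.version == b.version and a <= b

def is_domain_entry(entry):
    labels = entry.split(".")
    return (len(entry) <= 253 and len(labels) >= 2
            and all(_LABEL.match(label) for label in labels)
            and not labels[-1].isdigit())

def lint_edl(text, capacity=None):
    """Return (list_type, kept, problems); capacity is a hypothetical entry limit."""
    list_type, kept, problems = None, [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.strip()
        if not entry:
            continue
        kind = "ip" if is_ip_entry(entry) else "domain" if is_domain_entry(entry) else None
        if kind is None:
            problems.append((lineno, entry, "not a valid IP entry or domain name"))
        elif list_type not in (None, kind):  # first valid entry fixes the list type
            problems.append((lineno, entry, f"{kind} entry in {list_type} list"))
        elif capacity is not None and len(kept) >= capacity:
            problems.append((lineno, entry, "over capacity, would be skipped"))
        else:
            list_type = kind
            kept.append(entry)  # a subnet or range is one entry
    return list_type, kept, problems

# Constructed sample: the page's example entries plus three bad lines.
SAMPLE = "\n".join([
    "192.168.80.150/32", "2001:db8:123:1::/64", "192.168.80.0/24",
    "2001:db8:123:1::1 - 2001:db8:123:1::22", "ftp.example.co.uk",
    "192.168.20.40-192.168.20.50", "10.0.0.300"])
```

Calling lint_edl(SAMPLE, capacity=4) keeps the first four entries and reports line 5 (a domain in an IP list), line 6 (past the assumed limit) and line 7 (not a valid address).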