Network Security
Policy Object: External Dynamic Lists
An external dynamic list is an address object based on an imported
list of IP addresses, URLs, domain names, International Mobile Equipment
Identities (IMEIs), or International Mobile Subscriber Identities
(IMSIs) that you can use in security rules to block or allow traffic.
The list must be a text file hosted on a web server that the firewall
can reach. By default, the management (MGT) interface is used to
retrieve the list.
With an active Threat Prevention license, Palo Alto Networks
provides multiple built-in dynamic IP lists that you can use to
block malicious hosts. We update the lists daily based on our latest
threat research.
You can use an IP address list as an address object in the source
and destination of your security rules; you can use a URL list in
a URL Filtering profile or as match criteria in Security rules; and you can use a domain list (Anti-Spyware profile) as a
sinkhole for specified domain names.
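The list is a plain text file, one entry per line, and each list may hold only one kind of entry. The following validator is an added example written for this page, not Palo Alto Networks code: it classifies every line of a constructed sample file as an IP entry (single address, CIDR block, or first-last range), a domain, or a URL, and reports whether the file fits a single list type. The treatment of `#` lines as comments, the acceptance of bare hostnames and `*.`-prefixed hosts in URL lists, and the sample contents are assumptions made for the example.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample EDL files (not taken from the page). One entry per line;
# blank lines and lines starting with '#' are treated as comments (assumption).
SAMPLE_IP_LIST = """# constructed sample: IP list
203.0.113.10
198.51.100.0/24
192.0.2.1-192.0.2.20
2001:db8::/32
"""

SAMPLE_URL_LIST = """# constructed sample: URL list (bare hostnames are valid URL entries)
bad.example
*.bad.example/
http://bad.example/login
"""

SAMPLE_MIXED_LIST = """# constructed sample: mixes IP, domain and URL entries (invalid)
203.0.113.10
bad.example
http://bad.example/path
"""

# RFC 1035-style hostname: labels of 1-63 chars, no leading/trailing hyphen, at least one dot.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+\.?$", re.I
)

# Which entry kinds may appear in each list type (assumption: a URL list may
# hold bare hostnames, so 'domain'-shaped entries are acceptable there too).
ALLOWED = {"ip": {"ip"}, "domain": {"domain"}, "url": {"url", "domain"}}


def classify(entry):
    """Return 'ip', 'domain' or 'url' for one EDL line, or None if unrecognised."""
    # IP range written as first-last. Hostnames may contain hyphens, so only
    # treat the line as a range when both halves parse as addresses of one family.
    if entry.count("-") == 1:
        lo, hi = (part.strip() for part in entry.split("-"))
        try:
            a, b = ipaddress.ip_address(lo), ipaddress.ip_address(hi)
        except ValueError:
            pass
        else:
            if a.version == b.version and a <= b:
                return "ip"
    # Single address or CIDR block (IPv4 or IPv6).
    try:
        ipaddress.ip_network(entry, strict=False)
        return "ip"
    except ValueError:
        pass
    # Anything with a scheme or a path is a URL entry; validate its host part.
    if "://" in entry or "/" in entry:
        host = urlsplit(entry if "://" in entry else "http://" + entry).hostname or ""
        if host.startswith("*."):  # leading wildcard label on URL entries
            host = host[2:]
        return "url" if DOMAIN_RE.match(host) else None
    return "domain" if DOMAIN_RE.match(entry) else None


def validate_edl(text, expected_type=None):
    """Parse an EDL file. Returns (detected_type, entries, errors).

    detected_type is the single list type the entries fit ('ip', 'domain' or
    'url'), or None when the file mixes types or contains no entries.
    """
    entries, errors, kinds = [], [], set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kind = classify(line)
        if kind is None:
            errors.append(f"line {lineno}: unrecognised entry {line!r}")
            continue
        kinds.add(kind)
        entries.append(line)
    # List types whose allowed entry kinds cover everything we saw.
    fits = [t for t, ok in ALLOWED.items() if kinds and kinds <= ok]
    if kinds and not fits:
        errors.append("list mixes entry types: " + ", ".join(sorted(kinds)))
    if expected_type and kinds and expected_type not in fits:
        errors.append(f"declared type {expected_type!r} but entries are: " + ", ".join(sorted(kinds)))
    detected = expected_type if expected_type in fits else (fits[0] if fits else None)
    return detected, entries, errors


if __name__ == "__main__":
    for name, text, declared in [("ip", SAMPLE_IP_LIST, "ip"),
                                 ("url", SAMPLE_URL_LIST, "url"),
                                 ("mixed", SAMPLE_MIXED_LIST, None)]:
        detected, entries, errors = validate_edl(text, declared)
        print(f"{name}: detected={detected} entries={len(entries)} errors={errors}")
```

Run it against a list before publishing it to the web server; a mixed file is rejected outright, and a file whose entries do not match the type you intend to select on the firewall is reported with the entry kinds it actually contains.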
You can use up to 30 external dynamic lists with unique sources
across all Security rules. The maximum number of entries
that are supported for each list type varies based on the model
(refer to the different limits for each external dynamic list type).
List entries count toward the maximum limit only if the external
dynamic list is used in a security rule. If you exceed the maximum
number of entries that are supported, a System log is generated
and the entries that exceed the limit are skipped.
The external dynamic lists are shown in the order they are evaluated
from top to bottom. Use the directional controls at the bottom of
the page to change the list order. This enables you to reorder the
lists to make sure that the most important entries in an external
dynamic list are committed before you reach capacity limits.
- You can't change the external dynamic list order when lists are grouped by type.
- You can't delete, clone, or edit the settings of the Palo Alto Networks malicious IP address feeds.
To configure this and any other Object settings, go to:
- Manage > Configuration > NGFW and Prisma Access > Objects on Cloud Managed deployments, and select the object you want to configure.
- Objects on PAN-OS and Panorama Managed deployments, and select the object you want to configure from the panel on the left.
External Dynamic Lists Fields
The following table describes the fields you configure when adding a new
External Dynamic List. Become familiar with these settings before you Configure Your Environment to Access an External
Dynamic List.
| External Dynamic List Settings | Description |
|---|---|
| Name | Enter a name to identify the external dynamic list (up to 32 characters). This name identifies the list for security rule enforcement. |
| Shared (Multiple virtual systems (multi-vsys) and Panorama only) | Enable this option if you want the external dynamic list to be available to: |
| Disable override (Panorama only) | Enable this option to prevent administrators from overriding the settings of this external dynamic list object in device groups that inherit the object. This option is disabled (cleared) by default, which means administrators can override the settings for any device group that inherits the object. |
| Test Source URL (PAN-OS only) | Select Test Source URL to verify that the server that hosts the external dynamic list is reachable. This test does not check whether the server authenticates successfully. |
| Create List Tab | |
| Type | Select the type of external dynamic list. You cannot mix IP addresses, URLs, and domain names in a single list; each list must include entries of only one type. |
| Description | Enter a description for the external dynamic list (up to 255 characters). |
| Source | If your external dynamic list contains subdomains, these expanded entries count towards your appliance model capacity count. You can disable this feature if you want to manually define subdomains. However, subdomains that are not explicitly defined in the list are not evaluated by policy rules. |
| Certificate Profile (IP List, Domain List, or URL List only) | If the external dynamic list has an HTTPS URL, select an existing certificate profile or create a new Certificate Profile for authenticating the web server that hosts the list. Default: None (Disable Cert profile). To maximize the number of external dynamic lists that you can use to enforce policy, use the same certificate profile to authenticate external dynamic lists that share a source URL, so that those lists count as only one external dynamic list. External dynamic lists from the same source URL that use different certificate profiles are counted as unique external dynamic lists. |
| Client Authentication | Enable this option (disabled by default) to add a username and password that will be used when accessing an external dynamic list source that requires basic HTTP authentication. This setting is available only when the external dynamic list has an HTTPS URL. |
| Check for updates | Specify the frequency at which the list is retrieved from the web server: Five Minutes (default), Hourly, Daily, Weekly, or Monthly. The interval is relative to the last commit; so, for the five-minute interval, the commit occurs in 5 minutes if the last commit was an hour ago. The commit updates all security rules that reference the list so that the security rules are successfully enforced. You do not have to configure a frequency for a predefined IP list because content updates are dynamically received with an active Threat Prevention license. |
| List Entries and Exceptions Tab | |
| List Entries | Displays the entries in the external dynamic list. |
| Manual Exceptions | Displays exceptions to the external dynamic list. |
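Three of the rules above interact at commit time: only lists referenced by a Security rule consume entry capacity, lists that share a source URL and a certificate profile count as one list toward the limit of 30 unique sources, and once a type's entry limit is reached the remaining entries are skipped in evaluation order. The following pre-commit check is an added example written for this page, not Palo Alto Networks code. It models that accounting over a constructed inventory; the `LIMITS` values are placeholders because the real per-type limits depend on the appliance model, and the `Edl` record, the list names and the rule references are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Edl:
    name: str
    list_type: str               # "ip", "domain" or "url"
    source_url: str
    cert_profile: str = "None"   # "None" = no certificate profile (the default)
    entries: int = 0             # number of entries the source currently holds


# From the page: up to 30 external dynamic lists with unique sources across all rules.
MAX_UNIQUE_SOURCES = 30

# Placeholder per-type entry limits; real limits depend on the appliance model.
LIMITS = {"ip": 4000, "domain": 1000, "url": 1000}

# Constructed inventory, in evaluation order (top to bottom).
EDLS = [
    Edl("blocklist-ip-a", "ip", "https://feeds.example/ips.txt", "feeds-cp", entries=1500),
    Edl("blocklist-ip-b", "ip", "https://feeds.example/ips.txt", "feeds-cp", entries=1500),  # same source and profile as A
    Edl("blocklist-ip-c", "ip", "https://feeds.example/ips.txt", entries=1500),              # same URL, no profile: unique
    Edl("blocklist-domains", "domain", "https://feeds.example/domains.txt", "feeds-cp", entries=400),
    Edl("staging-ips", "ip", "https://staging.example/ips.txt", entries=9000),               # not referenced by any rule
]

# Names of EDLs referenced by at least one Security rule (constructed).
REFERENCED = {"blocklist-ip-a", "blocklist-ip-b", "blocklist-ip-c", "blocklist-domains"}


def unique_source_count(edls, referenced):
    """Count EDLs toward the 30-list limit: lists sharing a source URL *and* a
    certificate profile count once; a different profile makes the list unique."""
    return len({(e.source_url, e.cert_profile) for e in edls if e.name in referenced})


def plan_capacity(edls, referenced, limits):
    """Walk the lists in evaluation order and show how many entries of each list
    would be committed before the per-type capacity is exhausted.

    Entries count toward capacity only when the list is used in a Security rule;
    once a type's limit is reached, further entries of that type are skipped.
    Entries are accounted per list object here; the page states the shared-source
    rule only for the list count, not for entry capacity.
    """
    remaining = dict(limits)
    report = {}
    for e in edls:
        if e.name not in referenced:
            report[e.name] = {"committed": 0, "skipped": 0, "note": "not referenced by any rule"}
            continue
        committed = min(e.entries, remaining.get(e.list_type, 0))
        remaining[e.list_type] = remaining.get(e.list_type, 0) - committed
        skipped = e.entries - committed
        report[e.name] = {"committed": committed, "skipped": skipped,
                          "note": "entries beyond capacity skipped" if skipped else "ok"}
    return report


def capacity_warnings(edls, referenced, limits):
    """Return the warnings an operator would want to see before committing."""
    warnings = []
    sources = unique_source_count(edls, referenced)
    if sources > MAX_UNIQUE_SOURCES:
        warnings.append(f"{sources} unique EDL sources exceed the limit of {MAX_UNIQUE_SOURCES}")
    for name, r in plan_capacity(edls, referenced, limits).items():
        if r["skipped"]:
            warnings.append(f"{name}: {r['skipped']} entries would be skipped; "
                            "move the list up the evaluation order if its entries matter more")
    return warnings


if __name__ == "__main__":
    print("unique sources:", unique_source_count(EDLS, REFERENCED))
    for name, r in plan_capacity(EDLS, REFERENCED, LIMITS).items():
        print(f"{name:18} committed={r['committed']:5} skipped={r['skipped']:5} {r['note']}")
    for w in capacity_warnings(EDLS, REFERENCED, LIMITS):
        print("WARNING:", w)
```

In the constructed inventory the three IP lists consume 4500 entries against a 4000-entry placeholder limit, so the third list in evaluation order loses 500 entries; moving that list to the top of the order commits it in full and shifts the loss to the list that now sits third, which is exactly the reordering decision the directional controls exist for.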