Learn how to block or allow traffic based on IP addresses
or URLs in an external dynamic list, or use a dynamic domain list
with a DNS sinkhole to prevent access to malicious domains.
Tips for enforcing policy on the firewall with
external dynamic lists:
When viewing external dynamic lists on the firewall (Objects > External Dynamic Lists), click List Capacities to compare how many IP addresses, domains, and URLs are currently used in policy with the total number of entries that the firewall supports for each list type.

Use Global Find to search the firewall or Panorama management server for a domain, IP address, or URL that belongs to one or more external dynamic lists used in policy. This is useful for determining which external dynamic list (referenced in a Security policy rule) is causing the firewall to block or allow a certain domain, IP address, or URL.

Use the directional controls at the bottom of the page to change the evaluation order of EDLs. Order the lists so that the most important entries are committed before the capacity limit for that list type is reached; entries beyond the limit are not committed and therefore are not enforced.

To verify which policy rule matches a flow, select Device > Troubleshooting and run a Security Policy Match test, supplying the source and destination addresses, zones, protocol, and port of the flow in question.
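The capacity and ordering tips above, as an added example (illustrative code, not from the page or from Palo Alto Networks): a Python pre-flight check that parses IP-type EDL source files before the firewall fetches them, reports malformed lines, counts distinct entries per list, and simulates the commit in evaluation order against a capacity figure. The capacity value, the sample list contents, and the entry format (one IPv4/IPv6 address, CIDR block, or start-end range per line, with blank lines and lines starting with # ignored) are assumptions; take the real capacity from List Capacities.

```python
"""Pre-flight check for IP-type external dynamic lists (illustrative; not PAN-OS code).

Assumed source format: one IPv4/IPv6 address, CIDR block, or start-end range per
line; blank lines and lines beginning with '#' are ignored. CAPACITY is a placeholder
for the per-model figure shown under Objects > External Dynamic Lists > List Capacities.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

CAPACITY = 6  # assumption: replace with the firewall's reported limit for IP lists

# Constructed sample EDL bodies, in the evaluation order configured on the firewall.
SAMPLE_EDLS = [
    ("block-c2", "# known C2 hosts (constructed)\n198.51.100.7\n198.51.100.7\n203.0.113.0/24\n2001:db8::1\n"),
    ("block-scanners", "192.0.2.10-192.0.2.20\nnot-an-ip\n192.0.2.99\n198.51.100.7\n"),
    ("block-legacy", "192.0.2.200\n203.0.113.5\n"),
]


@dataclass
class ParsedList:
    name: str
    entries: list[str] = field(default_factory=list)  # valid, deduplicated within the list
    invalid: list[str] = field(default_factory=list)  # lines that would be ignored


def parse_ip_entry(line: str) -> str | None:
    """Return a canonical form of one entry, or None if it is not a valid address, CIDR, or range."""
    if "-" in line:  # start-end range; IPv6 text never contains '-'
        start, _, end = line.partition("-")
        try:
            low, high = ipaddress.ip_address(start.strip()), ipaddress.ip_address(end.strip())
        except ValueError:
            return None
        if low.version != high.version or low > high:
            return None
        return f"{low}-{high}"
    try:
        return str(ipaddress.ip_network(line, strict=False))  # single hosts become /32 or /128
    except ValueError:
        return None


def parse_ip_edl(name: str, text: str) -> ParsedList:
    """Parse one EDL body, skipping comments and blanks and collapsing duplicate entries."""
    parsed = ParsedList(name)
    seen: set[str] = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        entry = parse_ip_entry(line)
        if entry is None:
            parsed.invalid.append(line)
        elif entry not in seen:
            seen.add(entry)
            parsed.entries.append(entry)
    return parsed


def plan_commit(ordered: list[ParsedList], capacity: int) -> dict[str, tuple[int, int]]:
    """Simulate the commit: lists are consumed in evaluation order until capacity runs out.

    Returns {list name: (entries committed, entries dropped)}. Simplified model: it does not
    reproduce the firewall's own accounting, e.g. whether an entry present in two lists counts once.
    """
    remaining = capacity
    plan: dict[str, tuple[int, int]] = {}
    for edl in ordered:
        committed = min(len(edl.entries), remaining)
        plan[edl.name] = (committed, len(edl.entries) - committed)
        remaining -= committed
    return plan


def report(ordered: list[ParsedList], capacity: int) -> None:
    for name, (committed, dropped) in plan_commit(ordered, capacity).items():
        flag = "  <-- exceeds capacity, reorder or prune" if dropped else ""
        print(f"{name:16s} committed={committed:3d} dropped={dropped:3d}{flag}")


if __name__ == "__main__":
    lists = [parse_ip_edl(name, body) for name, body in SAMPLE_EDLS]
    for edl in lists:
        for bad in edl.invalid:
            print(f"{edl.name}: ignoring malformed line {bad!r}")
    print("Configured order:")
    report(lists, CAPACITY)
    print("With block-legacy moved to the top:")
    report([lists[2], lists[0], lists[1]], CAPACITY)
```

With the sample data the third list loses both of its entries under the configured order; moving it to the top keeps them at the cost of two entries from the last list. That is the trade-off the directional controls let you make, and running a check like this against your own sources shows it before the commit rather than after.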
Use a Predefined URL External Dynamic List to exclude from Authentication policy the benign domains that applications use for background traffic.

When you select the panw-auth-portal-exclude-list EDL type, you can easily exclude from Authentication policy enforcement the domains that many applications use for background traffic, such as updates and other trusted services. This ensures that the firewall does not block the necessary traffic for these services and that application maintenance is not interrupted.
1. Select Policies > Authentication.
2. On the Service/URL Category tab, select the Predefined URL EDL (panw-auth-portal-exclude-list) as the URL Category.
3. On the Actions tab, select default-no-captive-portal as the Authentication Enforcement.
4. Click OK.
5. Move the rule to the top so that it is the first rule in the policy and is evaluated before any rule that would require authentication for the same traffic.