Objects > External Dynamic Lists
Table of Contents
Objects > External Dynamic Lists
An external dynamic list is
an address object based on an imported list of IP addresses, URLs,
or domain names that you can use in policy rules to block or allow
traffic. This list must be a text file saved to a web server that is
accessible by the firewall. The firewall uses the management (MGT)
interface by default to retrieve this list.
With an active Threat Prevention license, Palo Alto Networks®
provides multiple built-in dynamic IP lists that you can
use to block malicious hosts. We update the lists daily based
on our latest threat research.
You can use an IP address list as an address object in the source
and destination of your policy rules; you can use a URL list in
a URL Filtering profile (Objects
> Security Profiles > URL Filtering) or as match criteria
in Security policy rules; and you can use a domain list in Objects
> Security Profiles > Anti-Spyware Profile for sinkholing
specified domain names.
On each firewall model, you can use up to 30 external dynamic
lists with unique sources across all Security policy rules. The
maximum number of entries that the firewall supports for each list
type varies based on the firewall model (view the firewall limits
for each external dynamic list type).
List entries count toward the maximum only if the external dynamic
list is used in policy. If you exceed the maximum number of entries
the model supports, the firewall generates a System log and skips
the entries that exceed the limit. To check the number of IP addresses,
domains, and URLs currently used in policy and the total number supported
on the firewall, click List Capacities (firewall only).
The external dynamic lists display in evaluation order, from
top to bottom. Use the directional controls (bottom of the page)
to change the order of the lists. You can place the most important
lists at the top to ensure they are committed before you reach capacity
limits.
You cannot change the order of the lists when Group By
Type is enabled.
To retrieve the latest version of an external dynamic list from
the server that hosts it, select the external dynamic list and click Import Now.
You cannot delete, clone, or edit the settings of the Palo
Alto Networks malicious IP address feeds.
Add a new external dynamic list and configure
the settings in the table below.
External Dynamic List
Settings | Description |
|---|---|
Name | Enter a name to identify the external dynamic
list (up to 32 characters). This name identifies the list when you
use the list to enforce policy. |
Shared | Select this option if you want the external
dynamic list to be available to:
|
Disable override (Panorama only) | Select this option to prevent administrators
from overriding the settings of this external dynamic list object
in device groups that inherit the object. This option is disabled
(cleared) by default, which means administrators can override the
settings for any device group that inherits the object. |
Test Source URL (Firewall only) | Click to verify that the firewall can connect
to the server that hosts the external dynamic list. This
test does not check whether the server authenticates successfully. |
Create List Tab | |
Type You cannot mix IP addresses, URLs,
and domain names in a single list. Each list must include entries
of only one type. | Select from the following types of external
dynamic lists:
|
Description | Enter a description for the external dynamic
list (up to 255 characters). |
Source | Enter an HTTP or HTTPS URL path that contains
the text file (for example, http://192.0.2.20/myfile.txt).
If
your external dynamic list contains subdomains, these expanded entries
count towards your appliance model capacity count. To manually define
subdomains, you can disable this feature. However, if you disable
this feature, subdomains will not be evaluated by policy rules unless
you explicitly define them in the list. |
Certificate Profile | If the external dynamic list has an HTTPS
URL, select an existing certificate profile (firewall and Panorama)
or create a new Certificate Profile (firewall
only) for authenticating the web server that hosts the list.
For more information on configuring a certificate profile, see Device
> Certificate Management > Certificate Profile. Default: None
(Disable Cert profile) To
maximize the number of external dynamic lists you can use to enforce
policy, use the same certificate profile to authenticate external
dynamic lists from the same source URL. The lists count as only
one external dynamic list. Otherwise, external dynamic lists from
the same source URL that use different certificate profiles count
as unique external dynamic lists. |
Client Authentication | Select this option (disabled by default)
to add a username and password for the firewall to use when accessing
an external dynamic list source that requires basic HTTP authentication.
This setting is available only when the external dynamic list has
an HTTPS URL.
|
Check for updates | Specify the frequency at which the firewall
retrieves the list from the web server. You can set the interval
to Hourly (default), Every Five
Minutes, Daily, Weekly,
or Monthly. The firewall automatically commits
changes to the configuration immediately if the last commit was
not made within the past 15 minutes; if the last change was within
the last 15 minutes, the commit occurs within 15 minutes of the
last commit. Any policy rules that reference the list are updated. You
do not have to specify a frequency for a predefined IP list because
the firewall dynamically receives content updates with an active
Threat Prevention license. |
List Entries and Exceptions
Tab | |
List Entries | Displays the entries in the external dynamic
list.
|
Manual Exceptions | Displays exceptions to the external dynamic
list.
|
