PAN-OS 8.0: IP Block List Feeds
Resolution
This article highlights a new capability or feature introduced in PAN-OS 8.0. If you'd like to learn more about this topic or PAN-OS 8.0 in general, you'll also want to check out our world-class Technical Documentation.
Just when you thought External Block Lists (formerly Dynamic Block Lists) couldn't get much better, PAN-OS 8.0 takes it a step further. IP Block List Feeds, available in PAN-OS 8.0, provide admins with an enhancement to the External Dynamic Lists feature to further reduce the attack surface.
- Palo Alto Networks will provide two lists of IP addresses to customers, delivered as content to be used in External Dynamic Lists and based on information from our threat intelligence.
- Palo Alto Networks - Known malicious IP addresses: This list includes IP addresses that are currently used almost exclusively by malicious actors for malware distribution, command-and-control, or for launching various attacks. This list has been verified by our threat research team to be malicious.
- Palo Alto Networks - High-risk IP addresses: This list includes IP addresses that have recently been featured in threat activity advisories distributed by high-trust organizations; however, Palo Alto Networks does not have direct evidence of maliciousness.
Platform support
- This feature will be supported on M-100, M-500, VM Panorama, and PAN-OS devices
Threat License
- An Active Threat Protection License is required on the Palo Alto Networks firewall for the lists to be made available/visible.
List Capacities
External Dynamic Lists now include a 'List Capacities' option. This provides a visual cue showing the Total Device Capacity as well as how many objects are currently utilized (active) within a Security Policy. If a list is not in use (unless it is Predefined), the objects referenced on that list are not tallied. A Predefined IP List (retrieved via AV updates), however, is always counted as an active object, whether or not it is applied to a Security Policy.
Configuration
The IP Block List Feed feature is enabled by default under Objects > External Dynamic Lists following an upgrade to PAN-OS 8.0, provided an active Threat Prevention License and supported AV content are present.
When the options are visible, they can be selected as Source or Destination Addresses within Security Policies.
List Entries and Exceptions
Though the Predefined lists are Read Only, users can manually create an EDL (selecting a Predefined List).
Creating a list manually also allows the user (whether selecting Predefined or not), to define (IP, URL or Domain) exceptions.
The feature is also available from the Panorama Templates (Objects), which also requires a valid Threat Prevention License, along with supported AV content.
From CLI
7.x.x:
# set shared external-list test-name type
domain Domain List
ip IP List
url URL List
8.0:
# set shared external-list test-name type
> domain Domain List
> ip IP List
> predefined-ip Predefined IP List
> url URL List
<Enter> Finish input
# set shared external-list test-name type predefined-ip
+ description description
+ url url
> exception-list Provide exception entries
<Enter> Finish input
7.x.x:
> request system external-list
> refresh refresh external-lists
> show Print IPs in an external list
> url-test test accessibility for url
8.0:
> request system external-list
> global-find Returns EDL object
> list-capacities List Capacities of IP, Domain and URL
> refresh refresh external-lists
> show Print IPs/Domains/URLs in an external list
> url-test test accessibility for url
The 'global find' command performs a global search on all active EDL objects. An active object would be associated with a list applied to a Security Policy (though Predefined Lists are searchable whether utilized or not).
> request system external-list global-find string 175.41.29.179
/config/predefined/ip-block-list/entry[@name='panw-highrisk-ip-list']
> request system external-list global-find string 1.1.1.1
/config/shared/external-list/entry[@name='IP List']
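The list-entry, exception, capacity and 'global find' behaviour described above fits together as one small model. The following Python is an added example, not PAN-OS code or anything published by Palo Alto Networks: it assumes a simple list text format (one IP or CIDR per line, '#' starting a comment), a 'predefined' flag standing in for the content-delivered panw-* lists, and a set of list names referenced by a Security Policy; the sample feed contents are constructed, and only the two predefined list names come from the page.

```python
"""Model of External Dynamic List (EDL) entries, exceptions, capacity
accounting and a global-find lookup.  Added example; not PAN-OS code.
The text format (one IP or CIDR per line, '#' starts a comment) and all
sample addresses below are constructed for illustration."""
import ipaddress
from dataclasses import dataclass, field

# Constructed sample feeds: name -> (list text, predefined?).  The two
# panw-* names appear on the page; the addresses are placeholders.
SAMPLE_FEEDS = {
    "panw-highrisk-ip-list": ("64.56.64.13\n194.94.127.98\n103.4.224.31\n", True),
    "panw-known-ip-list": ("203.0.113.0/24\n198.51.100.7\n", True),
    "IP List": ("# constructed customer list\n1.1.1.1\n10.0.0.0/8\nnot-an-ip\n", False),
}


@dataclass
class Edl:
    name: str
    predefined: bool
    entries: list = field(default_factory=list)     # ip_network objects
    exceptions: list = field(default_factory=list)  # ip_network objects
    invalid: int = 0                                # lines that failed to parse


def parse_entries(text):
    """Parse one address per line; returns (networks, invalid_line_count).
    Invalid lines are skipped, mirroring a 'valid entries' count."""
    nets, bad = [], 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            bad += 1
    return nets, bad


def load_edl(name, text, predefined, exceptions=()):
    """Build an Edl from list text plus optional exception entries."""
    nets, bad = parse_entries(text)
    exc, _ = parse_entries("\n".join(exceptions))
    return Edl(name, predefined, nets, exc, bad)


def matches(edl, ip):
    """True if ip is covered by the list and not excluded by an exception."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in edl.exceptions):
        return False
    return any(addr in net for net in edl.entries)


def global_find(edls, in_policy, ip):
    """Names of lists containing ip.  Only active lists are searched:
    those referenced by a Security Policy, plus predefined lists always."""
    return [e.name for e in edls
            if (e.predefined or e.name in in_policy) and matches(e, ip)]


def capacity_in_use(edls, in_policy):
    """Objects counted against capacity: entries of lists referenced by a
    Security Policy, plus predefined lists whether referenced or not."""
    return sum(len(e.entries) for e in edls
               if e.predefined or e.name in in_policy)


def load_samples():
    return [load_edl(n, text, pre) for n, (text, pre) in SAMPLE_FEEDS.items()]


if __name__ == "__main__":
    lists = load_samples()
    print(global_find(lists, set(), "64.56.64.13"))      # predefined: found
    print(global_find(lists, set(), "1.1.1.1"))          # custom list idle: []
    print(global_find(lists, {"IP List"}, "1.1.1.1"))    # now in policy: found
    print(capacity_in_use(lists, set()), capacity_in_use(lists, {"IP List"}))
```

Running the script shows the two behaviours the article calls out: a predefined list is searchable and counted even when no policy references it, while a custom list only contributes to capacity and to 'global find' results once a Security Policy uses it; an exception entry removes a match without editing the read-only predefined list.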
Enhancements have also been made to the 'external-list show' commands, which now extend to Predefined IP Lists, i.e.:
> request system external-list show type
> domain Domain list type
> ip IP list type
> predefined-ip Predefined IP List
> url URL list type
> request system external-list show type predefined-ip find 64.56.64.13 name panw-highrisk-ip-list
64.56.64.13
'Global find' is also available as a GUI-based option. This search isn't specific to EDL and can be initiated from any tab. The example here shows a use case relevant to EDL, with results mirroring the 'show type' CLI example above.
Other useful commands
> request system external-list show type
> domain Domain list type
> ip IP list type
> predefined-ip Predefined IP List
> url URL list type
> request system external-list show type predefined-ip name
panw-highrisk-ip-list panw-highrisk-ip-list
panw-known-ip-list panw-known-ip-list
> request system external-list show type predefined-ip name panw-highrisk-ip-list
predefined/panw-highrisk-ip-list:
Total valid entries : 5619
64.56.64.13
194.94.127.98
103.4.224.31
> request system external-list refresh type
> domain Domain list type
> ip IP list type
> url URL list type