PAN-OS 8.0: IP Block List Feeds

101601
Created On 09/25/18 18:56 PM - Last Modified 06/13/23 05:05 AM


Resolution


This article highlights a new capability or feature introduced in PAN-OS 8.0. If you'd like to learn more about this topic or PAN-OS 8.0 in general, you'll also want to check out our world-class Technical Documentation.

 

 

Just when you thought External Dynamic Lists (formerly Dynamic Block Lists) couldn't get much better, PAN-OS 8.0 takes it a step further. IP Block List Feeds, available in PAN-OS 8.0, enhance the External Dynamic Lists feature to further reduce the attack surface.

  • Palo Alto Networks provides two lists of IP addresses, built from our threat intelligence and delivered to customers as content (via Antivirus updates) for use in External Dynamic Lists:
  • Known malicious IP addresses: This list includes IP addresses that are currently used almost exclusively by malicious actors for malware distribution, command-and-control, or for launching various attacks. Our threat research team has verified these addresses as malicious.
  • Palo Alto Networks - High-risk IP addresses: This list includes IP addresses that have recently been featured in threat activity advisories distributed by high-trust organizations; however, Palo Alto Networks does not have direct evidence of maliciousness.

Platform support

  • This feature will be supported on M-100, M-500, VM Panorama, and PAN-OS devices

Threat License

  • An active Threat Prevention license is required on the Palo Alto Networks firewall for the lists to be made available/visible.

 

List Capacities

External Dynamic Lists now include a 'List Capacities' option. This provides a visual cue showing the total device capacity for each list type as well as how many objects are currently in use (active) in Security Policy rules. If a list is not in use, the objects on that list are not tallied, with one exception: a Predefined IP List (retrieved via Antivirus content updates) is always counted as active, whether or not it is applied to a Security Policy rule.

[Screenshot: blocklist1.png]

 

 

Configuration

The IP Block List Feed feature is enabled by default: after upgrading to PAN-OS 8.0, the predefined lists appear under Objects > External Dynamic Lists, provided the device has an active Threat Prevention license and supported Antivirus content installed.

[Screenshot: blocklist2.png]

 

Once the lists are visible, they can be selected as Source or Destination Addresses in Security Policy rules, for example:

[Screenshot: blocklist3.png]

 

List Entries and Exceptions

Though the predefined lists themselves are read-only, users can manually create an EDL object of type Predefined IP List and select one of the predefined lists as its source.

[Screenshot: blocklist4.png]

 

Creating an EDL object manually (whether or not it references a predefined list) also allows the user to define exceptions: IP, URL or Domain entries, according to the list type, that are excluded from the list.

[Screenshot: blocklist5.png]

 

The feature is also available from Panorama Templates (Objects). Panorama likewise requires a valid Threat Prevention license and supported Antivirus content.

[Screenshot: blocklist6.png]

 

From the CLI

 

7.x.x:

# set shared external-list test-name type
  domain   Domain List
  ip       IP List
  url      URL List

8.0:

# set shared external-list test-name type
> domain          Domain List
> ip              IP List
> predefined-ip   Predefined IP List
> url             URL List
  <Enter>         Finish input

# set shared external-list test-name type predefined-ip
+ description      description
+ url              url
> exception-list   Provide exception entries
  <Enter>          Finish input

 

7.x.x:

> request system external-list
> refresh    refresh external-lists
> show       Print IPs in an external list
> url-test   test accessibility for url

8.0:

> request system external-list
> global-find       Returns EDL object
> list-capacities   List Capacities of IP, Domain and URL
> refresh           refresh external-lists
> show              Print IPs/Domains/URLs in an external list
> url-test          test accessibility for url

 

The 'global-find' command performs a global search across all active EDL objects. An active object is one associated with a list applied to a Security Policy rule; predefined lists are searchable whether they are used in a rule or not.

> request system external-list global-find string 175.41.29.179
/config/predefined/ip-block-list/entry[@name='panw-highrisk-ip-list']
> request system external-list global-find string 1.1.1.1
/config/shared/external-list/entry[@name='IP List']

 

The 'request system external-list show' command has also been enhanced and now extends to Predefined IP Lists, for example:

> request system external-list show type
> domain          Domain list type
> ip              IP list type
> predefined-ip   Predefined IP List
> url             URL list type
> request system external-list show type predefined-ip find 64.56.64.13 name panw-highrisk-ip-list

64.56.64.13
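To make the effect of an exception list concrete, and to pre-check an address on a workstation the way 'find' and 'global-find' do on the firewall, here is an added Python example. It is not Palo Alto Networks code and never contacts a firewall: it parses a constructed copy of the 'show type predefined-ip name <list>' output in the format shown above, applies the exception entries an admin would configure on an EDL object, and reports which objects would block an address, plus a capacity figure computed with the rule from the List Capacities section (predefined lists always count). The list contents and entry counts in SAMPLE_SHOW_OUTPUT, the object names Block-HighRisk and Block-KnownBad, the 198.51.100.20 exception and the device capacity of 50000 are all made-up sample values.

```python
"""Offline emulation of a predefined IP list plus an EDL exception list.

Added example (not Palo Alto Networks code). SAMPLE_SHOW_OUTPUT is constructed
sample data in the format of 'request system external-list show type
predefined-ip name <list>'; it is not real feed content.
"""
import ipaddress
import re
from dataclasses import dataclass, field

SAMPLE_SHOW_OUTPUT = """\
predefined/panw-highrisk-ip-list:
        Total valid entries   : 4
                64.56.64.13
                194.94.127.98
                103.4.224.31
                198.51.100.0/24
predefined/panw-known-ip-list:
        Total valid entries   : 2
                203.0.113.7
                203.0.113.200-203.0.113.210
"""

_HEADER = re.compile(r"^(\S+):\s*$")                       # 'predefined/<name>:'
_TOTAL = re.compile(r"^\s*Total valid entries\s*:\s*(\d+)\s*$")


def parse_entry(text):
    """Return (ip_version, first, last) for a single IP, CIDR, or 'a-b' range.

    Anything else raises ValueError, as the firewall would count it invalid.
    """
    text = text.strip()
    if "-" in text:                        # range form; IPv6 text never contains '-'
        lo, hi = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
        if lo.version != hi.version or int(lo) > int(hi):
            raise ValueError(f"bad range entry: {text}")
        return lo.version, int(lo), int(hi)
    net = ipaddress.ip_network(text, strict=False)
    return net.version, int(net.network_address), int(net.broadcast_address)


@dataclass
class IpList:
    name: str
    declared_total: int = 0
    entries: list = field(default_factory=list)   # (version, first, last, text)

    def find(self, ip):
        """Like 'show type predefined-ip find <ip> name <list>': entry or None."""
        addr = ipaddress.ip_address(ip)
        for ver, lo, hi, text in self.entries:
            if ver == addr.version and lo <= int(addr) <= hi:
                return text
        return None


def parse_show_output(text):
    """Parse one or more 'predefined/<name>:' blocks into {name: IpList}."""
    lists, current = {}, None
    for line in text.splitlines():
        m = _HEADER.match(line)
        if m:
            current = lists.setdefault(m.group(1).split("/", 1)[-1],
                                       IpList(m.group(1).split("/", 1)[-1]))
            continue
        m = _TOTAL.match(line)
        if m and current is not None:
            current.declared_total = int(m.group(1))
            continue
        if current is not None and line.strip():
            current.entries.append(parse_entry(line) + (line.strip(),))
    return lists


def check_totals(lists):
    """Lists whose declared total disagrees with the captured entries (bad paste)."""
    return [lst.name for lst in lists.values() if lst.declared_total != len(lst.entries)]


@dataclass
class EdlObject:
    """An EDL object of type predefined-ip: a predefined list plus exceptions."""
    name: str
    source: IpList
    exceptions: list = field(default_factory=list)

    def matches(self, ip):
        """Entry that still blocks ip after exceptions are applied, or None."""
        addr = ipaddress.ip_address(ip)
        for ver, lo, hi in (parse_entry(e) for e in self.exceptions):
            if ver == addr.version and lo <= int(addr) <= hi:
                return None                 # excepted: not blocked even if listed
        return self.source.find(ip)


def global_find(ip, edls):
    """Like 'global-find': names of objects whose effective set contains ip."""
    return [e.name for e in edls if e.matches(ip) is not None]


def capacity_report(lists, device_capacity):
    """IP-type capacity as in 'List Capacities': every predefined list counts."""
    used = sum(lst.declared_total for lst in lists.values())
    return {"used": used, "capacity": device_capacity, "remaining": device_capacity - used}


if __name__ == "__main__":
    lists = parse_show_output(SAMPLE_SHOW_OUTPUT)
    assert not check_totals(lists), "capture is incomplete"
    # Hypothetical objects, as an admin would create them in the GUI or with
    # 'set shared external-list <name> type predefined-ip url <list> exception-list <entry>'.
    highrisk = EdlObject("Block-HighRisk", lists["panw-highrisk-ip-list"],
                         exceptions=["198.51.100.20"])   # assumed partner host
    known = EdlObject("Block-KnownBad", lists["panw-known-ip-list"])
    for ip in ("64.56.64.13", "198.51.100.20", "198.51.100.21", "203.0.113.205", "1.1.1.1"):
        print(f"{ip:16} -> {global_find(ip, [highrisk, known])}")
    print(capacity_report(lists, device_capacity=50000))   # capacity value is assumed
```

Running the script shows 198.51.100.20 reported as unblocked although 198.51.100.0/24 is on the list, while 198.51.100.21 is still matched; that is exactly the behaviour an exception entry buys you, and it is why a business-critical address should be checked against the feed with 'find' before the list goes into a deny rule. The check_totals() step guards against a truncated paste of the CLI output, which would otherwise silently shrink the emulated list.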

 

Global Find is also available as a convenient GUI option. It isn't specific to EDLs and a search can be started from any tab. This example shows an EDL use case; the results mirror the 'show type' CLI example above.

[Screenshot: blocklist7.png]

 

Other useful commands

 

> request system external-list show type
> domain          Domain list type
> ip              IP list type
> predefined-ip   Predefined IP List
> url             URL list type
> request system external-list show type predefined-ip name
  panw-highrisk-ip-list   panw-highrisk-ip-list
  panw-known-ip-list      panw-known-ip-list
> request system external-list show type predefined-ip name panw-highrisk-ip-list
predefined/panw-highrisk-ip-list:
        Total valid entries   : 5619
                64.56.64.13
                194.94.127.98
                103.4.224.31
> request system external-list refresh type
> domain   Domain list type
> ip       IP list type
> url      URL list type

Note that 'refresh' offers no predefined-ip type: the predefined lists are not fetched on the EDL refresh schedule but arrive with Antivirus content updates, so their contents change only when new AV content is installed.
 

 


