Palo Alto Networks Knowledgebase: PAN-OS 8.0: IP Block List Feeds

PAN-OS 8.0: IP Block List Feeds

19691
Created On 07/18/19 19:26 PM - Last Updated 07/18/19 20:12 PM
Resolution

This article highlights a new capability or feature introduced in PAN-OS 8.0. If you’d like to learn more about this topic or PAN-OS 8.0 in-general, you’ll also want to check out our world-class Technical Documentation.

 

 

Just when you thought External Block Lists (formerly Dynamic Block Lists) couldn't get much better, PAN-OS 8.0 takes it a step further. IP Block List Feeds, available in PAN-OS 8.0, provide admins with an enhancement to the External Dynamic Lists  feature to further reduce the attack surface.

  • Palo Alto Networks will provide two lists of IP addresses to customers delivered as content to be used in External Dynamic Lists based on information from our threat intelligence.
  • Known malicious IP addresses:This list includes malicious IP addresses that are currently used almost exclusively by malicious actors for malware distribution, command-and-control, or for launching various attacks. This list has been verified by our threat research team to be malicious.
  • Palo Alto Networks - High-risk IP addresses: This list includes IP addresses that have recently been featured in threat activity advisories distributed by high-trust organizations; howeve,r Palo Alto Networks does not have direct evidence of maliciousness.

Platform support

  • This feature will be supported on M-100, M-500, VM Panorama, and PAN-OS devices

Threat License

  • An Active Threat Protection License is required on the Palo Alto Networks firewall for the lists to be made available/visible.

 

List Capacities

External Dynamic Lists now include an option to 'List Capacities.' This provides a visual queue that includes Total Device Capacity as well as how many objects are currently utilized/active within a Security Policy. If a list is not in-use (unless Predefined), the objects referenced on a particular list will not be tallied. A Predefined IP List however (retrieved via AV updates), will always be counted as an active object, whether applied to a Security Policy or not.blocklist1.png

 

 

Configuration

 The IP Block List Feed feature is enabled by-default from the Objects Tab>External Dynamic Lists, following upgrade to PAN-OS 8.0, along with an active Threat Prevention License + Supported AV Content.

blocklist2.png

 

When options are visible, they can be selected as Source or Destination Addresses within Security Policies, i.e.:

blocklist3.png

 

List Entries and Exceptions

Though the Predefined lists are Read Only, users can manually create an EDL (selecting a Predefined List).

blocklist4.png

 

Creating a list manually also allows the user (whether selecting Predefined or not), to define (IP, URL or Domain) exceptions.blocklist5.png

 

The feature is also available from the Panorama Templates (Objects), which also requires a valid Threat Prevention License, along with supported AV content.

blocklist6.png

 

From CLI

 

7.x.x:

# set shared external-list test-name type
  domain   Domain List
  ip       IP List
  url      URL List

8.0:

# set shared external-list test-name type
> domain          Domain List
> ip              IP List
> predefined-ip   Predefined IP List
> url             URL List
  <Enter>         Finish input

# set shared external-list test-name type predefined-ip
+ description      description
+ url              url
> exception-list   Provide exception entries
  <Enter>          Finish input

 

7.x.x:

> request system external-list
> refresh    refresh external-lists
> show       Print IPs in an external list
> url-test   test accessibility for url

8.0:

> request system external-list
> global-find       Returns EDL object
> list-capacities   List Capacities of IP, Domain and URL
> refresh           refresh external-lists
> show              Print IPs/Domains/URLs in an external list
> url-test          test accessibility for url

 

The 'global find' command performs a global search on all active EDL objects. An active object would be associated with a list applied to a Security Policy (though Predefined Lists are searchable whether utilized or not).

> request system external-list global-find string 175.41.29.179
/config/predefined/ip-block-list/entry[@name='panw-highrisk-ip-list']
> request system external-list global-find string 1.1.1.1
/config/shared/external-list/entry[@name='IP List']

 

Enhancements have been made to the external 'list show' commands as well, which have extended to Predefined IP Lists, i.e.:

> request system external-list show type
> domain          Domain list type
> ip              IP list type
> predefined-ip   Predefined IP List
> url             URL list type
> request system external-list show type predefined-ip find 64.56.64.13 name panw-highrisk-ip-list

64.56.64.13

 

'Global find' also as a convenient GUI-based option as well. This command isn’t specific to EDL and a search can be initiated from any tab. This example shows a use-case relevant for EDL, with results/function mirroring the 'show type' CLI example in the previous slide.

blocklist7.png

 

Other useful commands

 

> request system external-list show type
> domain          Domain list type
> ip              IP list type
> predefined-ip   Predefined IP List
> url             URL list type
> request system external-list show type predefined-ip name
 
panw-highrisk-ip-list   panw-highrisk-ip-list
  panw-known-ip-list      panw-known-ip-list
> request system external-list show type predefined-ip name panw-highrisk-ip-list
predefined/panw-highrisk-ip-list:
        Total valid entries   : 5619
                64.56.64.13
                194.94.127.98
                103.4.224.31
> request system external-list refresh type
> domain   Domain list type
> ip       IP list type
> url      URL list type

 

 



Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRvCAK&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments
Choose Language