What Happens When the Dynamic Block List Contains Incorrectly Formatted Lines?
Resolution
The Palo Alto Networks firewall will ignore any incorrectly formatted lines, and will continue to process the list.
Details
The example Dynamic Block List (also referred to as an External Block List) below contains only two valid IPs/subnets (2.2.2.0/24 and 3.3.3.0/24). The other lines are incorrectly formatted. The Palo Alto Networks firewall will ignore the invalid lines and only process the valid ones.
2.2.2.0/24
abcdefg
;
5.5/24
#
3.3.3.0/24
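As an added pre-publication check, not part of this article or of PAN-OS, the following Python script applies the same accept-or-ignore rule to a list before the firewall fetches it, so that a mistyped entry you meant to block is reported instead of being silently dropped. The sample list is constructed from the six lines above; treating a bare address as a host entry and not rejecting set host bits are assumptions, not documented firewall behaviour.

```python
import ipaddress

# Constructed sample list, mirroring the six lines from the article.
SAMPLE_EBL = """2.2.2.0/24
abcdefg
;
5.5/24
#
3.3.3.0/24
"""


def parse_entry(line):
    """Return the normalised network for a valid IP/subnet line, or None.

    A bare address (no prefix length) is accepted as a /32 or /128 host
    entry, and strict=False keeps an entry whose host bits are set rather
    than rejecting it (assumption: only whether the line parses matters).
    """
    try:
        return ipaddress.ip_network(line, strict=False)
    except ValueError:
        return None


def validate_ebl(text):
    """Split list text into (valid, ignored) entries.

    valid   - list of canonical CIDR strings the firewall will load
    ignored - list of (line_number, raw_line) pairs that will be skipped
    """
    valid, ignored = [], []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:          # blank lines carry no entry; skip silently
            continue
        net = parse_entry(line)
        if net is None:
            ignored.append((number, raw))
        else:
            valid.append(str(net))
    return valid, ignored


if __name__ == "__main__":
    ok, bad = validate_ebl(SAMPLE_EBL)
    print("loaded :", ok)
    for number, raw in bad:
        print(f"ignored: line {number}: {raw!r}")
```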
Verification
Go to Object > Dynamic Block Lists and create the block list:
Configure the block list in a policy under the Destination field. The example policy below is named TEST_EBL:
The following command shows the block list, which includes the incorrect lines as well.
> request system external-list show name EBL1
vsys1/EBL1:
Next update at: Fri Jul 4 22:00:11 2014
IPs:
2.2.2.0/24
abcdefg
;
5.5/24
#
3.3.3.0/24
The following command shows the policy output, in which only valid IPs are accepted. Note that only 2.2.2.0/24 and 3.3.3.0/24 appear:
> show running security-policy
TEST_EBL {
from any;
source any;
source-region none;
to any;
destination [ 2.2.2.0/24 3.3.3.0/24 ];
destination-region none;
user any;
category any;
application/service any/any/any/any;
action allow;
terminal yes;
}
Note: Viewing the output of show session id <id> provides further verification.
Send a test ping packet through the firewall, then observe the session:
> show session all
--------------------------------------------------------------------------------
ID Application State Type Flag Src[Sport]/Zone/Proto (translated IP[Port])
Vsys Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
12777 ping ACTIVE FLOW NS 192.168.154.201[512]/trust-L3/1 (10.129.17.154[512])
vsys1 2.2.2.2[46874]/untrust-L3 (2.2.2.2[46874])
> show session id 12777
Session 12777
c2s flow:
source: 192.168.154.201 [trust-L3]
dst: 2.2.2.2
proto: 1
sport: 512 dport: 46874
state: INIT type: FLOW
src user: unknown
dst user: unknown
s2c flow:
source: 2.2.2.2 [untrust-L3]
dst: 10.129.17.154
proto: 1
sport: 46874 dport: 512
state: INIT type: FLOW
src user: unknown
dst user: unknown
start time : Fri Jul 4 21:50:24 2014
timeout : 6 sec
total byte count(c2s) : 74
total byte count(s2c) : 0
layer7 packet count(c2s) : 1
layer7 packet count(s2c) : 0
vsys : vsys1
application : ping
rule : TEST_EBL
session to be logged at end : True
session in session ager : False
session synced from HA peer : False
address/port translation : source + destination
nat-rule : NAT-to-untrust(vsys1)
layer7 processing : enabled
URL filtering enabled : False
session via syn-cookies : False
session terminated on host : False
session traverses tunnel : False
captive portal session : False
ingress interface : ethernet1/3
egress interface : ethernet1/1
session QoS rule : N/A (class 4)
tracker stage firewall : Aged out
> show session all
--------------------------------------------------------------------------------
ID Application State Type Flag Src[Sport]/Zone/Proto (translated IP[Port])
Vsys Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
12783 ping ACTIVE FLOW NS 192.168.154.201[512]/trust-L3/1 (10.129.17.154[512])
vsys1 3.3.3.3[47386]/untrust-L3 (3.3.3.3[47386])
> show session id 12783
Session 12783
c2s flow:
source: 192.168.154.201 [trust-L3]
dst: 3.3.3.3
proto: 1
sport: 512 dport: 47386
state: INIT type: FLOW
src user: unknown
dst user: unknown
s2c flow:
source: 3.3.3.3 [untrust-L3]
dst: 10.129.17.154
proto: 1
sport: 47386 dport: 512
state: INIT type: FLOW
src user: unknown
dst user: unknown
start time : Fri Jul 4 21:50:52 2014
timeout : 6 sec
total byte count(c2s) : 74
total byte count(s2c) : 0
layer7 packet count(c2s) : 1
layer7 packet count(s2c) : 0
vsys : vsys1
application : ping
rule : TEST_EBL
session to be logged at end : True
session in session ager : False
session synced from HA peer : False
address/port translation : source + destination
nat-rule : NAT-to-untrust(vsys1)
layer7 processing : enabled
URL filtering enabled : False
session via syn-cookies : False
session terminated on host : False
session traverses tunnel : False
captive portal session : False
ingress interface : ethernet1/3
egress interface : ethernet1/1
session QoS rule : N/A (class 4)
tracker stage firewall : Aged out
Allow-to-Untrust {
from [ trust-L3 DMZ-L3 ];
source any;
source-region none;
to untrust-L3;
destination any;
destination-region none;
user any;
category any;
application/service any/any/any/any;
action allow;
terminal yes;
}
See Also
Working with External Block List (EBL) Formats and Limitations
owner: hshah