How to view the EDL Palo Alto Networks - Known malicious IP Addresses, High Risk IP Addresses, Bulletproof IP Addresses, and Tor Exit IP Addresses

Created On 07/29/20 12:04 PM - Last Modified 11/28/23 08:40 AM


Question


How to view the EDLs Palo Alto Networks - Known malicious IP Addresses, High Risk IP Addresses, Bulletproof IP Addresses, and Tor Exit IP Addresses?

Environment


  • PAN-OS 8.1 and above.
  • External Dynamic List configured.


Answer


Use the CLI command "request system external-list show type predefined-ip name <list>" to view these lists. The available predefined EDL names are:
  • panw-highrisk-ip-list
  • panw-known-ip-list
  • panw-torexit-ip-list         (PAN-OS 9.0 and higher)
  • panw-bulletproof-ip-list  (PAN-OS 9.0 and higher)
Examples:
>request system external-list show type predefined-ip name panw-bulletproof-ip-list
panw-bulletproof-ip-list
Total valid entries : 37
Total ignored entries : 0
Total invalid entries : 0
Total displayed entries : 37
Valid predefined-ips:
5.188.205.0-5.188.205.255
185.130.214.0-185.130.214.255

>request system external-list show type predefined-ip name panw-highrisk-ip-list
panw-highrisk-ip-list
Total valid entries : 1192
Total ignored entries : 0
Total invalid entries : 0
Total displayed entries : 100
Valid predefined-ips:
49.143.181.221
81.193.206.140

>request system external-list show type predefined-ip name panw-known-ip-list
panw-known-ip-list
Total valid entries : 2883
Total ignored entries : 0
Total invalid entries : 0
Total displayed entries : 100
Valid predefined-ips:
193.169.54.12
200.35.56.81

>request system external-list show type predefined-ip name panw-torexit-ip-list
panw-torexit-ip-list
Total valid entries     : 1226
Total ignored entries   : 0
Total invalid entries   : 0
Total displayed entries : 100
Valid predefined-ips:
5.2.67.226
5.2.69.50
5.2.70.140
5.2.70.192

By default, the command displays at most 1000 entries. To see the complete list of entries for a predefined EDL, use the "num-records XXXX" option, for example:

>request system external-list show type predefined-ip num-records 9999 name panw-torexit-ip-list
panw-torexit-ip-list
Total valid entries     : 1226
Total ignored entries   : 0
Total invalid entries   : 0
Total displayed entries : 1226
Valid predefined-ips:
5.2.67.226
...
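
The following is an added example, not part of the original article and not Palo Alto Networks code: a Python parser for the CLI output format shown above that detects a truncated display (fewer entries displayed than valid) and tests whether an address falls inside any listed single IP or range. The sample output is constructed from excerpts on this page, the function names are hypothetical, and only the two IPv4 entry formats shown here are assumed.

```python
import ipaddress
import re

# Constructed sample: CLI output assembled from the excerpts in this article.
SAMPLE = """\
panw-highrisk-ip-list
Total valid entries : 1192
Total ignored entries : 0
Total invalid entries : 0
Total displayed entries : 100
Valid predefined-ips:
49.143.181.221
81.193.206.140
5.188.205.0-5.188.205.255
"""

# search() rather than match(): tolerates a list name fused onto the counter line.
COUNTER = re.compile(r"Total (valid|ignored|invalid|displayed) entries\s*:\s*(\d+)$")


def parse_edl_output(text):
    """Return (counters, entries); entries are (first, last) IPv4Address pairs."""
    counters, entries, in_list = {}, [], False
    for line in (l.strip() for l in text.splitlines()):
        m = COUNTER.search(line)
        if m:
            counters[m.group(1)] = int(m.group(2))
        elif line.startswith("Valid predefined-ips"):
            in_list = True
        elif in_list and line and line != "...":
            first, _, last = line.partition("-")  # "a.b.c.d" or "a.b.c.d-w.x.y.z"
            lo = ipaddress.IPv4Address(first)
            entries.append((lo, ipaddress.IPv4Address(last) if last else lo))
    return counters, entries


def is_truncated(counters):
    """True when the CLI displayed fewer entries than the list holds."""
    return counters["displayed"] < counters["valid"]


def lookup(ip, entries):
    """Exact membership test against parsed entries (not a substring match)."""
    addr = ipaddress.IPv4Address(ip)
    return any(lo <= addr <= hi for lo, hi in entries)


if __name__ == "__main__":
    counters, entries = parse_edl_output(SAMPLE)
    print("truncated:", is_truncated(counters))
    print("5.188.205.77 listed:", lookup("5.188.205.77", entries))
```

A negative lookup is only meaningful when is_truncated() returns False; otherwise rerun the command with a larger num-records value before concluding that an address is not on the list.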


In the GUI, an IP pattern of interest can be searched as follows.
1. Go to Objects --> External Dynamic Lists.
2. Click the EDL of interest, "Palo Alto Networks - Known malicious IP addresses" --> "List Entries and Exceptions". It shows the total count and all entries in the list.
3. Filter for a specific IP. This is a simple grep-like search, e.g. 88.93



Additional Information


To search all EDLs for a specific IP, use the global-find command. In the following example, the IP address pattern 1.199.4 is searched and found in the EDL panw-highrisk-ip-list.

>request system external-list global-find string 1.199.4
/config/predefined/ip-block-list-v2/entry[@name='panw-highrisk-ip-list']





 

