How to view the EDL Palo Alto Networks - Known malicious IP Addresses, High Risk IP Addresses, Bulletproof IP Addresses, and Tor Exit IP Addresses
Created On 07/29/20 12:04 PM - Last Modified 11/28/23 08:40 AM
Question
How to view the EDL Palo Alto Networks - Known malicious IP Addresses, High Risk IP Addresses and Bulletproof IP and Tor Exit IP Addresses?
Environment
- PAN-OS 8.1 and above.
- External Dynamic List configured.
Answer
Use the command request system external-list show type predefined-ip name <list> to view these lists. The available predefined EDLs are listed below.
- panw-highrisk-ip-list
- panw-known-ip-list
- panw-torexit-ip-list (PAN-OS 9.0 and higher)
- panw-bulletproof-ip-list (PAN-OS 9.0 and higher)
>request system external-list show type predefined-ip name panw-bulletproof-ip-list
panw-bulletproof-ip-list
    Total valid entries : 37
    Total ignored entries : 0
    Total invalid entries : 0
    Total displayed entries : 37
    Valid predefined-ips:
        5.188.205.0-5.188.205.255
        185.130.214.0-185.130.214.255

>request system external-list show type predefined-ip name panw-highrisk-ip-list
panw-highrisk-ip-list
    Total valid entries : 1192
    Total ignored entries : 0
    Total invalid entries : 0
    Total displayed entries : 100
    Valid predefined-ips:
        49.143.181.221
        81.193.206.140

>request system external-list show type predefined-ip name panw-known-ip-list
panw-known-ip-list
    Total valid entries : 2883
    Total ignored entries : 0
    Total invalid entries : 0
    Total displayed entries : 100
    Valid predefined-ips:
        193.169.54.12
        200.35.56.81

>request system external-list show type predefined-ip name panw-torexit-ip-list
panw-torexit-ip-list
    Total valid entries : 1226
    Total ignored entries : 0
    Total invalid entries : 0
    Total displayed entries : 100
    Valid predefined-ips:
        5.2.67.226
        5.2.69.50
        5.2.70.140
        5.2.70.192
By default, the command displays at most 1000 entries. To see the complete list of entries for a predefined EDL, use the "num-records XXXX" option.
For example:
>request system external-list show type predefined-ip num-records 9999 name panw-torexit-ip-list
panw-torexit-ip-list
    Total valid entries : 1226
    Total ignored entries : 0
    Total invalid entries : 0
    Total displayed entries : 1226
    Valid predefined-ips:
        5.2.67.226
        ...
In the GUI, an IP pattern of interest can be searched as follows.
1. Objects --> External Dynamic Lists
2. Click the EDL of interest, "Palo Alto Networks - Known malicious IP addresses" --> "List Entries and Exceptions". It shows the total count and all entries in the list.
3. Filter for a specific IP. This is a simple grep-like search, e.g. 88.93
Additional Information
To search for a specific IP across the EDLs, use the global-find command. In the following example, the IP address pattern 1.199.4 is searched and found in the EDL panw-highrisk-ip-list.
>request system external-list global-find string 1.199.4
/config/predefined/ip-block-list-v2/entry[@name='panw-highrisk-ip-list']
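The pattern searches above match text, so a pattern can also hit addresses that merely contain it, and a show command that displays fewer entries than the valid total cannot prove an address is absent. The following is an added example, not Palo Alto Networks code: it parses saved output of the show command, tests exact membership including start-end ranges, and flags truncated output. The function names and the sample text are constructed, and entries are assumed to be single IPs, start-end ranges or CIDR blocks.

```python
import ipaddress
import re

# Constructed sample in the layout of the CLI output shown above; the
# displayed count is set to 2 here so the truncation check has work to do.
SAMPLE = """\
panw-bulletproof-ip-list
    Total valid entries : 37
    Total ignored entries : 0
    Total invalid entries : 0
    Total displayed entries : 2
    Valid predefined-ips:
        5.188.205.0-5.188.205.255
        185.130.214.0-185.130.214.255
"""

def to_networks(entry):
    """Convert a single IP, 'start-end' range or CIDR entry to networks."""
    if "-" in entry:
        start, end = (ipaddress.ip_address(p) for p in entry.split("-", 1))
        return list(ipaddress.summarize_address_range(start, end))
    return [ipaddress.ip_network(entry, strict=False)]

def parse_edl(text):
    """Return (counters, networks) from saved 'external-list show' output."""
    counters, networks = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Total (\w+) entries\s*:\s*(\d+)$", line)
        if m:
            counters[m.group(1)] = int(m.group(2))
            continue
        try:
            networks.extend(to_networks(line))
        except (ValueError, TypeError):
            pass  # prompt, list name, headings and blank lines are not entries
    return counters, networks

def lookup(text, ip):
    """Return (listed, truncated): exact membership plus a truncation flag."""
    counters, networks = parse_edl(text)
    addr = ipaddress.ip_address(ip)
    listed = any(addr.version == n.version and addr in n for n in networks)
    truncated = counters.get("displayed", 0) < counters.get("valid", 0)
    return listed, truncated

if __name__ == "__main__":
    # 15.188.205.1 contains the text "5.188.205" but is outside the range.
    for ip in ("5.188.205.77", "15.188.205.1"):
        print(ip, lookup(SAMPLE, ip))
```

When the second value is True, a "not listed" result is inconclusive; rerun the show command with num-records set high enough to display every valid entry.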