EDL (External Dynamic List) configured in security policies intermittently allowing traffic which should be blocked

Created On 08/21/23 08:23 AM - Last Modified 04/19/24 09:21 AM


Symptom


A security policy uses an EDL as the source address match to block inbound traffic.

Occasionally, IP addresses that are on the EDL are allowed through for an unpredictable period before being blocked again.
 


Environment


PANOS-10.1.8-hx, PA-5260

Cause


Multiple EDL objects have been configured that point to the same source URL.

For example:
EDL1 - http://10.10.10.10/block-ip-list.txt (Refresh timer: 5 min)
EDL2 - http://10.10.10.10/block-ip-list.txt (Refresh timer: 1 hr)

These EDLs are then referenced in security policies.
SecurityPolicy1:
src: EDL1
dst: 192.168.1.0/24
action: drop

SecurityPolicy2:
src: EDL2
dst: 192.168.2.0/24
action: drop

SecurityPolicy3:
src: any
dst: any
action: allow

In this scenario, there can be cases where traffic that is supposed to match SecurityPolicy1 is matched to SecurityPolicy3 instead and allowed.

Sequence of events and explanation:
1. EDL1 is refreshed (as per its configured refresh timer of 5 minutes), but the list has not changed, so the old/cached copy is kept.

2. EDL2 is refreshed (as per its configured refresh timer of 1 hour); this time the list has changed, so the new list is pushed to the dataplane (DP).

3. While pushing EDL2 to the DP, devsrvr treats EDL1 (same source) as no longer in use, so EDL1 is not pushed to the DP.

devsrv.log
2023-07-11 10:01:04.932 +1000 Warning:  pan_ebls_find_filename(pan_config_parser_ebl.c:773): ebl_filename vsys1_EDL1.ebl not found

4. Some time later, EDL1 is refreshed again; this time the list has changed, so EDL1 is pushed to the DP.

Between steps 3 and 4, EDL1 is not present on the DP, so SecurityPolicy1 is never hit; traffic that is supposed to match SecurityPolicy1 falls through to SecurityPolicy3 and is allowed. The window lasts until the next refresh of EDL1 that actually changes the list, which is why the affected IPs and the duration of the gap appear random.


 


Resolution


Do not configure multiple EDL objects that reference the same source. Create one EDL object and reference it in every security policy that needs it.

This also applies to multi-vsys configurations: use one shared EDL object and reference it from every vsys that needs it, rather than creating a per-vsys EDL for the same source.
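Finding this misconfiguration by hand is tedious on a large rulebase, so the following script audits an exported PAN-OS XML configuration for EDL objects that fetch the same source URL (normalising case and default ports so trivially different spellings are caught), lists the security rules that use each one, and counts the devsrv.log "ebl_filename ... not found" warnings quoted above. This is an added example, not code from the Palo Alto Networks article or product: the element paths (vsys/entry/external-list/entry/type/ip/url, recurring/<interval>, rulebase/security/rules/entry/source/member) are assumed from the PAN-OS XML running-config layout, and the configuration and log lines are constructed for the script.

```python
"""Audit a PAN-OS configuration export for EDL objects that share one source.

Added example, not code from the Palo Alto Networks article. The element paths
used here are assumed from the PAN-OS XML running-config layout; the sample
configuration and devsrv.log lines are constructed, not taken from a firewall.
"""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: EDL1 and EDL2 fetch the same list with different timers,
# the misconfiguration described in the Cause section. EDL3 is a control.
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain"><vsys>
  <entry name="vsys1">
    <external-list>
      <entry name="EDL1"><type><ip><url>http://10.10.10.10/block-ip-list.txt</url>
        <recurring><five-minute/></recurring></ip></type></entry>
      <entry name="EDL2"><type><ip><url>HTTP://10.10.10.10:80/block-ip-list.txt</url>
        <recurring><hourly/></recurring></ip></type></entry>
      <entry name="EDL3"><type><ip><url>http://10.10.10.10/other-list.txt</url>
        <recurring><hourly/></recurring></ip></type></entry>
    </external-list>
    <rulebase><security><rules>
      <entry name="SecurityPolicy1"><source><member>EDL1</member></source><action>drop</action></entry>
      <entry name="SecurityPolicy2"><source><member>EDL2</member></source><action>drop</action></entry>
      <entry name="SecurityPolicy3"><source><member>any</member></source><action>allow</action></entry>
    </rules></security></rulebase>
  </entry>
</vsys></entry></devices></config>"""

# Constructed devsrv.log excerpt modelled on the warning quoted in the article.
SAMPLE_DEVSRV_LOG = [
    "2023-07-11 10:01:04.932 +1000 Warning:  pan_ebls_find_filename(pan_config_parser_ebl.c:773): "
    "ebl_filename vsys1_EDL1.ebl not found",
    "2023-07-11 10:01:05.110 +1000 Info: unrelated line that must not match",
]

DEFAULT_PORT = {"http": 80, "https": 443}


def normalise_url(url):
    """Canonical form so that different spellings of the same source compare equal."""
    p = urlsplit(url.strip())
    scheme = p.scheme.lower()
    host = (p.hostname or "").lower()
    port = "" if p.port in (None, DEFAULT_PORT.get(scheme)) else f":{p.port}"
    return f"{scheme}://{host}{port}{p.path}"


def find_duplicate_sources(config_xml):
    """Map each source URL used by more than one EDL to the EDLs (and rules) using it.

    Returns {url: [(vsys, edl_name, refresh_interval, (rule_name, ...)), ...]}.
    """
    root = ET.fromstring(config_xml)
    by_url = defaultdict(list)
    for vsys in root.findall("./devices/entry/vsys/entry"):
        vsys_name = vsys.get("name")
        # Which security rules name each object as a source address.
        users = defaultdict(list)
        for rule in vsys.findall("./rulebase/security/rules/entry"):
            for member in rule.findall("./source/member"):
                users[member.text].append(rule.get("name"))
        for edl in vsys.findall("./external-list/entry"):
            url = edl.findtext("./type/*/url")
            if url is None:
                continue  # predefined or malformed entry: nothing to compare
            rec = edl.find("./type/*/recurring")
            refresh = rec[0].tag if rec is not None and len(rec) else "unknown"
            name = edl.get("name")
            by_url[normalise_url(url)].append(
                (vsys_name, name, refresh, tuple(users[name])))
    return {url: edls for url, edls in by_url.items() if len(edls) > 1}


# Matches the devsrvr warning shown in the article: "<vsys>_<EDL>.ebl not found".
EBL_NOT_FOUND = re.compile(r"ebl_filename (\w+?)_(\S+)\.ebl not found")


def edls_missing_on_dp(log_lines):
    """Count devsrv.log warnings that an EDL's .ebl file was not pushed to the DP."""
    hits = defaultdict(int)
    for line in log_lines:
        m = EBL_NOT_FOUND.search(line)
        if m:
            hits[(m.group(1), m.group(2))] += 1
    return dict(hits)


if __name__ == "__main__":
    for url, edls in find_duplicate_sources(SAMPLE_CONFIG).items():
        print(f"{url} is fetched by {len(edls)} EDL objects:")
        for vsys, name, refresh, rules in edls:
            print(f"  {vsys}/{name} (refresh: {refresh}) used by {', '.join(rules) or 'no rule'}")
    for (vsys, name), n in edls_missing_on_dp(SAMPLE_DEVSRV_LOG).items():
        print(f"devsrv.log: {vsys}/{name} not found on DP ({n} warning(s))")
```

To run it against a real firewall, export the running configuration (Device > Setup > Operations > Export named configuration snapshot, or `show config running` via the XML API) and feed the file to `find_duplicate_sources`; any URL reported with two or more EDL objects is a candidate for consolidation into a single (or shared) EDL as described above. Note that the script only groups EDLs defined under a vsys; shared EDLs live under `<shared>` and are not duplicated against vsys-level objects here.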
 


https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000XgBoCAK&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail