Using IP Address Lists on Palo Alto Networks Policies

75887
Created On 09/25/18 17:46 PM - Last Modified 06/08/23 08:51 AM


Resolution


Details

There are different ways to import a list of IP addresses to be handled by a policy on the Palo Alto Networks firewall.

 

Options

Use Regions or Custom Regions
Use a Pre-Defined Region (see Palo Alto Networks Pre-defined Regions) or create a Custom Region. A Custom Region contains addresses in the format IP (x.x.x.x), Range (x.x.x.x-y.y.y.y) or IP/Netmask (x.x.x.x/n). If a Custom Region is used, add non-contiguous addresses manually on the Web GUI or on the CLI; a list of commands can be copied and pasted into the CLI terminal for batch processing.


> configure
# set region <RegionName>
# set region <RegionName> address <IPAddress_01>

where

<RegionName> is a string (31 characters max)
<IPAddress_01> is a single IP address, an IP range, or ip/netmask; the address keyword also accepts a list of values, and the command can be repeated once per entry

 

To delete entries use:
# delete region <RegionName> address <IPAddress_nn>

 

To delete the whole Region use:
# delete region <RegionName>


Note: Remember to commit the changes.

 

Use an FQDN Address Object

Create an FQDN address object and publish multiple 'A' record answers for that name in DNS. The Palo Alto Networks firewall will only read and cache the first 10 answers returned. For more information, read How to Configure and Test FQDN Objects. This solution does not scale if there are more than 10 IP addresses on the list, and requires the DNS query be sourced from an interface that can reach your configured DNS server. By default the Management interface will be used for a DNS query, unless something different is specified in the Service Routes. Review DNS Service Route is Applied to All Traffic Going to DNS Server IP Address for a description of the DNS Service Route configuration and its caveats. Keep in mind that the policy is then only as trustworthy as the DNS server answering the query, and only as fresh as the record's TTL: whoever controls that zone controls which addresses the rule matches.

 

Use a Dynamic Block List (EBL)

This option requires hosting a text file on a web server (in later PAN-OS releases the same object is called an External Dynamic List, EDL). You can set the Repeat option to automatically update the list on the device hourly, daily, weekly, or monthly. After creating a dynamic block list object, you can then use the address object in the source and destination fields for policies. Each imported list can contain up to 5,000 IP addresses (IPv4 and/or IPv6), IP ranges, or subnets. The list must contain one IP address, range, or subnet per line. Because the firewall fetches and trusts that file on every refresh, serve it over HTTPS from a server you control and restrict who can write to it: anyone who can change the file, or sit on the path to it, changes what the firewall blocks or allows. For further details read Configuring Dynamic Block List (EBL) on a Palo Alto Networks Device.

 

Use a Dynamic Address Group

Using a Dynamic Address Group leverages the Palo Alto Networks XML API: IP addresses are registered against tags through the API, so the input has to be formatted as XML, and the Dynamic Address Group's match criteria select the tag(s). This option is highly scalable and flexible and is recommended for a dynamic list, where changes can be fed through a third-party script that automates updates to the Dynamic Address Group. One main advantage of the Dynamic Address Group is that adding or removing IP addresses can be done on the fly; a commit is not required to apply changes to an existing Dynamic Address Group. The API key such a script uses is a credential for the firewall, so generate it for a dedicated administrator with only the rights the script needs and protect it like any other secret. For more information, review Working with Dynamic Address Groups on the Palo Alto Networks firewall.
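The registration message the script has to send, as an added example (not Palo Alto Networks code, and not the script the article refers to): it builds the uid-message XML that the XML API accepts with type=user-id, reads it back so the mapping can be reviewed before it goes out, and keeps the HTTP call in a separate function that is never invoked, so the example runs offline. The firewall hostname, API key, tag names and addresses are made up; the Dynamic Address Group on the firewall must have a match criterion that selects the tag (here 'quarantine') for the registered addresses to appear in it.

```python
"""Build and read back the XML 'uid-message' that the PAN-OS XML API (type=user-id) takes to
register or unregister IP-to-tag mappings; a Dynamic Address Group whose match criterion
selects the tag picks the addresses up without a commit. Added example, not vendor code."""
import ipaddress
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET


def build_uid_message(register=(), unregister=()):
    """register / unregister: iterables of (ip, [tag, ...]). Returns the message as a string."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    for action, items in (("register", register), ("unregister", unregister)):
        if not items:
            continue
        section = ET.SubElement(payload, action)
        for ip, tags in items:
            ipaddress.ip_address(ip)          # reject anything that is not a single IP address
            if not tags:
                raise ValueError(f"no tags given for {ip}")
            entry = ET.SubElement(section, "entry", ip=str(ip))
            tag_el = ET.SubElement(entry, "tag")
            for tag in tags:
                ET.SubElement(tag_el, "member").text = tag
    return ET.tostring(root, encoding="unicode")


def mappings_in_message(xml_text):
    """Parse a uid-message back into {action: {ip: [tags]}}, e.g. to review a script's
    output before it is sent."""
    root = ET.fromstring(xml_text)
    result = {}
    for section in root.find("payload"):
        result[section.tag] = {e.get("ip"): [m.text for m in e.iter("member")] for e in section}
    return result


def send(firewall, api_key, xml_text):
    """POST the message to https://<firewall>/api/ as type=user-id. The hostname and key are
    the caller's (assumed values); not called in this example so it runs offline."""
    body = urllib.parse.urlencode(
        {"type": "user-id", "key": api_key, "cmd": xml_text}).encode()
    req = urllib.request.Request(f"https://{firewall}/api/", data=body, method="POST")
    with urllib.request.urlopen(req) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    # Constructed sample: two hosts enter the 'quarantine' tag, one leaves it.
    msg = build_uid_message(
        register=[("192.0.2.10", ["quarantine"]), ("2001:db8::1", ["quarantine", "c2"])],
        unregister=[("192.0.2.99", ["quarantine"])])
    print(msg)
    print(mappings_in_message(msg))
```

A register and an unregister can travel in the same message, which is how a feed reconciles additions and removals in one call; the validation in build_uid_message is there so that a malformed line in the feed raises in the script instead of being silently ignored by the firewall.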

 

Use a Static Address Group

Address Objects can be created on the Web GUI and then associated to an Address Group. The task can also be batch-processed from the CLI. For further information, see: How to Add and Verify Address Objects to Address Group and Security Policy through the CLI.

> configure

# set address <AddressObject_01> ip-netmask 1.1.1.1/32

# set address <AddressObject_02> fqdn my.example.com

.

.

.

# set address <AddressObject_nn> ip-range 2.2.2.2-3.3.3.3

# set address-group <AddressGroup> static [ <AddressObject_01> <AddressObject_02> ...<AddressObject_nn> ]

 

Commit your changes.
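The Custom Region, Dynamic Block List and Static Address Group options above all start from the same plain list of entries, so this added example (not Palo Alto Networks code) takes one list and produces each artifact: the set region commands, the set address / set address-group batch for pasting into the CLI, and the body of the text file a Dynamic Block List would fetch, with the 5,000-entry limit and the region name limit from this article enforced. The sample list, the object names and the prefix are made up; the '#' comment convention applies only to this script's input, not to the firewall's list format.

```python
"""Turn one plain list of entries into the artifacts this article describes: 'set region' commands
for a Custom Region, 'set address' / 'set address-group' commands for a Static Address Group,
and the body of the text file a Dynamic Block List fetches. Added example; names are made up."""
import ipaddress
import re

# Constructed sample list: one entry per line, mixed types, one duplicate. '#' starts a comment
# in this script's input only; that is not a claim about the firewall's list format.
SAMPLE_LIST = """\
192.0.2.10
192.0.2.0/24
198.51.100.5-198.51.100.20
2001:db8::/32
my.example.com
192.0.2.10          # duplicate, dropped
"""

EDL_MAX_ENTRIES = 5000   # per-list limit stated in the article for a Dynamic Block List
REGION_NAME_MAX = 31     # region name limit stated in the article
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)


def classify(entry):
    """Map one entry to the PAN-OS address-object type it needs:
    ('ip-netmask', 'a.b.c.d/n'), ('ip-range', 'lo-hi') or ('fqdn', 'name').
    Anything else raises ValueError so a bad line never becomes a silent no-op."""
    e = entry.strip()
    if HOSTNAME_RE.match(e):
        return "fqdn", e.lower()
    if "-" in e:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in e.split("-", 1))
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"bad range: {entry!r}")
        return "ip-range", f"{lo}-{hi}"
    # ip_interface accepts a bare address (mask becomes /32 or /128), a.b.c.d/n and a.b.c.d/mask
    return "ip-netmask", str(ipaddress.ip_interface(e))


def load_entries(text):
    """One entry per line; blank lines and comments ignored; duplicates dropped, order kept."""
    seen, entries = set(), []
    for line in text.splitlines():
        raw = line.split("#", 1)[0].strip()
        if not raw:
            continue
        item = classify(raw)
        if item not in seen:
            seen.add(item)
            entries.append(item)
    return entries


def region_commands(name, entries):
    """CLI lines for a Custom Region. Regions hold only IPs, ranges and subnets, so FQDN entries
    are returned separately rather than silently dropped."""
    if len(name) > REGION_NAME_MAX:
        raise ValueError(f"region name longer than {REGION_NAME_MAX} characters: {name!r}")
    cmds, skipped = [f"set region {name}"], []
    for kind, value in entries:
        if kind == "fqdn":
            skipped.append(value)
        else:
            cmds.append(f"set region {name} address {value}")
    return cmds, skipped


def address_group_commands(group, prefix, entries):
    """One 'set address' per entry, typed by classify(), then a single bracketed
    'set address-group ... static [ ... ]' line, as in the Static Address Group section."""
    cmds, names = [], []
    for i, (kind, value) in enumerate(entries, 1):
        obj = f"{prefix}_{i:03d}"
        cmds.append(f"set address {obj} {kind} {value}")
        names.append(obj)
    cmds.append(f"set address-group {group} static [ {' '.join(names)} ]")
    return cmds


def edl_text(entries):
    """Body of the text file for a Dynamic Block List: one IP, range or subnet per line, no FQDNs,
    and no more than EDL_MAX_ENTRIES lines. Raises rather than truncating the list."""
    lines = [value for kind, value in entries if kind != "fqdn"]
    if len(lines) > EDL_MAX_ENTRIES:
        raise ValueError(f"{len(lines)} entries exceeds the {EDL_MAX_ENTRIES} per-list limit")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    entries = load_entries(SAMPLE_LIST)
    cmds, skipped = region_commands("Blocked_Hosts", entries)
    print("\n".join(["configure"] + cmds + ["commit"]))
    print("# not valid in a region:", skipped)
    print("\n".join(address_group_commands("Blocked_Group", "blk", entries)))
    print(edl_text(entries))
```

Paste the printed block into the CLI in configure mode and commit. The script refuses to guess: a malformed line, a reversed range or an oversized list raises before anything reaches the firewall, which is preferable to a batch that half-applies.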

 

Note:

<AddressObject> can have one of these formats, matching the keyword used in the set command:

     ip-range <ip-range>

     ip-netmask <ip/netmask>

     fqdn <fqdn>

 

To delete Address Objects, use:

# delete address <AddressObject_01> ip-netmask 1.1.1.1/32

# delete address <AddressObject_02> fqdn my.example.com

.

.

.

# delete address <AddressObject_nn> ip-range 2.2.2.2-3.3.3.3

 

Note: Address Objects are separate entities, and deleting a Static Address Group will not delete its referenced Address Objects.

Disassociate Address Objects from the group with one of the following commands:

# delete address-group <AddressGroup> static <AddressObject_nn>

# delete address-group <AddressGroup> static [ <AddressObject_01> <AddressObject_02> ... <AddressObject_nn> ]

 

The static member list can be cleared with this command:

# delete address-group <AddressGroup> static

To remove the group object itself, omit the trailing keyword:

# delete address-group <AddressGroup>

 

Commit your changes.

 

owner: mivaldi



https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClJ7CAK&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail