Threat Intelligence External Dynamic Lists vs URL Filtering Security Profile

Nick_Davis1639 — Tue, 16 May 2023 16:45:42 GMT

Hi All,

I have security profiles on my main egress firewall rules, and the URL filtering is blocking anything malware, high-risk etc. I have some custom reports setup that report on any blocks that take place as a result of this profile.

I am reading you can also setup firewall rules to block inbound/outbound traffic using sources and destinations that are External Dynamic Lists of known malicious IP addresses, high-risk IP addresses, bulletproof IP addresses etc. (https://docs.paloaltonetworks.com/best-practices/10-2/internet-gateway-best-practices/best-practice-internet-gateway-security-policy/define-the-initial-internet-gateway-security-policy/step-1-create-rules-based-on-trusted-threat-intelligence-sources)

Why would I use these rules with EDL's vs URL filtering security profile? Or should both be used for best protection? Am I correct in thinking that the EDL's are a protection at a layer 3 level, and the URL filtering is more of a layer 7 protection?

Re: Threat Intelligence External Dynamic Lists vs URL Filtering Security Profile

TomYoung — Wed, 17 May 2023 23:14:18 GMT

Hi @Nick_Davis1639 ,

That is 100% correct. The built-in EDLs are lists of IP addresses (layer 3). You can view the entries (and create exceptions) under Objects > External Dynamic Lists > click on EDL > List Entries and Exceptions.

The URL categories are URLs. They work at layer 7, and only work with web-browsing and ssl. The EDLs will block all applications.

The BPA recommends implementing both.

Thanks,

Tom

topic Threat Intelligence External Dynamic Lists vs URL Filtering Security Profile in Next-Generation Firewall Discussions

Threat Intelligence External Dynamic Lists vs URL Filtering Security Profile

Re: Threat Intelligence External Dynamic Lists vs URL Filtering Security Profile