topic Re: External Dynamic List is not showing while creating a policy. in Next-Generation Firewall Discussions

External Dynamic List is not showing while creating a policy.

N.inMedicalSciences — Wed, 30 Oct 2024 07:17:08 GMT

I am trying to create an external dynamic list to block incoming traffic from some IPs. I have created an EDL list listening to a server on LAN to fetch the IPs. However when I am trying to create a policy the EDL option is not showing under the drop down menu. Is there any thing I am missing?

Thanks in advance!

Screenshots are attached for reference.

Re: External Dynamic List is not showing while creating a policy.

TomYoung — Wed, 30 Oct 2024 12:48:23 GMT

Hi @N.inMedicalSciences ,

Could you type in the first few letters of the EDL name to show that their are no matches in the drop down list?

Thanks,

Tom

Re: External Dynamic List is not showing while creating a policy.

N.inMedicalSciences — Tue, 03 Dec 2024 11:59:46 GMT

Clicking Test Source URL button gives URL access error.

However, the link is accessible when checking on browser:

Re: External Dynamic List is not showing while creating a policy.

reaper — Tue, 03 Dec 2024 12:19:32 GMT

this means the management interface does not have access to the URL, you may be blocking it on the firewall or on an access list on the server?

Verify your traffic logs to see if it is maybe hitting a drop rule (make sure you account for the implied drop rule, it may be getting discarded without log)

the EDL will not show up in the policy until it is populated with _something_ (else you would be building an invalid policy) so you need to create the EDL and have the firewall fetch the entries before using it in a rule

Re: External Dynamic List is not showing while creating a policy.

N.inMedicalSciences — Wed, 04 Dec 2024 05:55:58 GMT

Using the command show interface management, got Management IP address as 172.16.39.9. Then logged in as admin and was able to ping the server hosting EDL, which is running on 172.16.36.8.

Checked the traffic logs but saw no deny for 172.16.39.9.

Appreciate the help getting by the community.

Re: External Dynamic List is not showing while creating a policy.

TomYoung — Wed, 04 Dec 2024 09:47:24 GMT

Hi @N.inMedicalSciences ,

Your 1st issue was the EDL did not show up in the drop down. I saw that you had a lot of entries. The NGFW will only show a limited number of items in the drop down. I asked you to start typing in the name of the EDL so it would show up. I got no response from you. The EDL will show up in the drop down after you create it. The EDL does not need to be populated before it will show up in a policy. I have configured it many times. There are some caveats on Panorama, but you are not using Panorama. In fact, the NGFW will NOT automatically retrieve the EDL until it is used in a policy. https://docs.paloaltonetworks.com/network-security/security-policy/administration/objects/external-dynamic-lists/view-external-dynamic-list-entries ("The list might be empty if:").

Your 2nd issue is your URL access error. Unless you have a bug, the issue is that the management interface cannot open the URL as @reaper said. I am curious why you blacked out the URL from your browser image. It may be just habit. It should be 172.16.36.8, just like you said and is, in fact, clearly shown in your 1st image. The browser URL and EDL URL need to match exactly as a good test.

There is a known bug with 9.1 when using client authentication. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000004MUqCAM&lang=en_US

You are not using client authentication. (I also saw the bug listed for 10.1.5, which was weird.)

Here is a good document to troubleshoot further. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000001Vx5CAE&lang=en_US%E2%80%A9&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Thanks,

Tom

Re: External Dynamic List is not showing while creating a policy.

A.Asimakopoulos — Mon, 07 Apr 2025 17:12:11 GMT

Hello,

I'm dealing with the same issue, have you manage to found a solution for that?

BR,

Re: External Dynamic List is not showing while creating a policy.

securehops — Tue, 08 Apr 2025 15:38:52 GMT

Have you tried checking the service route configuration and verified that it's using the management interface for all? If not, you can check to see what interface EDL is configured for

Re: External Dynamic List is not showing while creating a policy.

A.Asimakopoulos — Wed, 09 Apr 2025 09:25:05 GMT

Hi @securehops,

Thank you for your reply, management interface is used for all services. However, i manage to find a solution for my issue, the custom EDL had authentication and the credentials was cached on my browser, when i tried to visit the internal EDL from a private browser, it prompted to provide credentials. This is why it giving the error, once the web server was accessible without authentication it worked like a charm.

Cheers

Re: External Dynamic List is not showing while creating a policy.

reaper — Thu, 10 Apr 2025 10:57:04 GMT

The EDL first needs to be populated/work before it can be used in a security rule.

if you just created the EDL and it is not showing up, make sure the 'Test Source URL' doesn't give you an error. if this works and it's still not showing up as an option, try committing the config first and revisit the EDL after the commit completes to see if there are entries in the 'List Entries and Exceptions' tab. Once the tab is populated, you should be able to add the EDL to a security rule

pitfalls:

- does the EDL require authentication?

- is your management interface allowed to connect to the source URL (check security rules, use a service route if needed)