<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic How to block traffic from a specific ASN using DAG in Next-Generation Firewall Discussions</title>
    <link>https://live.paloaltonetworks.com/t5/next-generation-firewall/how-to-block-traffic-from-a-specific-asn-using-dag/m-p/1233738#M6088</link>
    <description>&lt;P&gt;I could use some assistance since AI sucks and gives you the wrong info.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Here's what I would like to do, we already geoblock but I need to block malicious traffic (multiple IP ranges) that's associated with a specific ASN.&amp;nbsp; I've tried creating a dynamic address group with the following match criteria:&amp;nbsp;&amp;nbsp;'ip.src.asnum AS14956'.&amp;nbsp; I initially tried it without the AS in front of the number, but when I check, there are no IP ranges in the group.&amp;nbsp; When I googled it initially, AI said to use&amp;nbsp;&lt;SPAN&gt;ip.geoip.asnum but when it errored out and I googled some more, I found that it was replaced with ip.src.asnum which is what I'm using as the match criteria.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;Since documentation is not very good for what match criteria can be used, can someone please help me with this because I would also like to block all the scans from "shadowservers" and they have a ton of IPs as well.&lt;/SPAN&gt;&lt;/P&gt;</description>
    <pubDate>Thu, 10 Jul 2025 15:05:33 GMT</pubDate>
    <dc:creator>Layne-Corbett</dc:creator>
    <dc:date>2025-07-10T15:05:33Z</dc:date>
    <item>
      <title>How to block traffic from a specific ASN using DAG</title>
      <link>https://live.paloaltonetworks.com/t5/next-generation-firewall/how-to-block-traffic-from-a-specific-asn-using-dag/m-p/1233738#M6088</link>
      <description>&lt;P&gt;I could use some assistance since AI sucks and gives you the wrong info.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Here's what I would like to do, we already geoblock but I need to block malicious traffic (multiple IP ranges) that's associated with a specific ASN.&amp;nbsp; I've tried creating a dynamic address group with the following match criteria:&amp;nbsp;&amp;nbsp;'ip.src.asnum AS14956'.&amp;nbsp; I initially tried it without the AS in front of the number, but when I check, there are no IP ranges in the group.&amp;nbsp; When I googled it initially, AI said to use&amp;nbsp;&lt;SPAN&gt;ip.geoip.asnum but when it errored out and I googled some more, I found that it was replaced with ip.src.asnum which is what I'm using as the match criteria.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;Since documentation is not very good for what match criteria can be used, can someone please help me with this because I would also like to block all the scans from "shadowservers" and they have a ton of IPs as well.&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Thu, 10 Jul 2025 15:05:33 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/next-generation-firewall/how-to-block-traffic-from-a-specific-asn-using-dag/m-p/1233738#M6088</guid>
      <dc:creator>Layne-Corbett</dc:creator>
      <dc:date>2025-07-10T15:05:33Z</dc:date>
    </item>
    <item>
      <title>Re: How to block traffic from a specific ASN using DAG</title>
      <link>https://live.paloaltonetworks.com/t5/next-generation-firewall/how-to-block-traffic-from-a-specific-asn-using-dag/m-p/1234163#M6097</link>
      <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/68439"&gt;@Layne-Corbett&lt;/a&gt;,&lt;/P&gt;
&lt;P&gt;You could use something like this&amp;nbsp;&lt;A href="https://iserv.nl/files/edl/feed.php" target="_blank"&gt;https://iserv.nl/files/edl/feed.php&lt;/A&gt;&amp;nbsp;if you didn't want to build out your own way of doing this via a script and an EDL that the firewall pulls. Personally, I would highly recommend building it out yourself so that you aren't dependent on some random resource online and you can customize it to your own liking.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;You could utilize something like&amp;nbsp;&lt;A href="https://api.bgpview.io/asn/14956/prefixes" target="_blank"&gt;https://api.bgpview.io/asn/14956/prefixes&lt;/A&gt;&amp;nbsp;for collecting the addresses and then feed them in as an EDL after (ideally) doing some validation to make sure that you aren't going to break things.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;It looks like AI pulled together some dynamic tags that would come into play if you had VM information sources configured and actively monitored. I've never once seen any reference to ip.src.asnum or ip.geoip.asnum in PAN-OS and the only thing I can find is AI generation when looking for them. This appears to be a complete hallucination and it has you going down a very incorrect path.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Wed, 16 Jul 2025 21:37:43 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/next-generation-firewall/how-to-block-traffic-from-a-specific-asn-using-dag/m-p/1234163#M6097</guid>
      <dc:creator>BPry</dc:creator>
      <dc:date>2025-07-16T21:37:43Z</dc:date>
    </item>
  </channel>
</rss>

