topic Re: New Palo Alto User - Dynamic Block List in General Topics

New Palo Alto User - Dynamic Block List

dmodien — Thu, 18 Apr 2013 00:23:23 GMT

Hi there,

I just got a new Palo Alto and I would like to load some IPs in a Dynamic Block List. I have set up a Windows IIS Webserver on an old Server 2003 box with an IP 192.168.1.33 I have the site up and working and anoymous users can connect to it by going to http://192.168.1.33/test.txt. The document test.txt and is formatted like so:

192.168.1.97

192.168.1.98

192.168.1.99

When I configure the Dynamic Block List and click "Test URL" I get URL Access Error. If I use a non-domain account or computer on the network and type the URL as above I get access to the site. Can anyone advise what I am missing to get this to work? I have tried turning off the firewall, I can connect with anoymous users, there are no error logs on the server, wireshark doesn't show any attempt or traffic from the firewall IP when I click test URL.

Thanks for any advice!

Re: New Palo Alto User - Dynamic Block List

emr_1 — Thu, 18 Apr 2013 04:32:52 GMT

Hi,

Usually, PA uses own MGT port as a source port.

Are you connecting MGT port to your network and is it reachable from MGT to Win2003?

My PA-200 with 5.0.4 is working fine for Dynamic Block List.

Regards,

Emr

Re: New Palo Alto User - Dynamic Block List

Retired Member — Thu, 18 Apr 2013 04:33:29 GMT

Have you checked if your management ip has access to that ip address ?

Re: New Palo Alto User - Dynamic Block List

MashRotor — Fri, 26 Apr 2013 19:21:01 GMT

I'm running 5.0.2 on a 5060 and have the same problem. The firewall is wide open to the 5060 and I'm running tcpdump on the webserver, with no sign that the 5060 has even tried to connect to port 80 and retrieve the page.

We will be upgrading to 5.0.4, so hopefully this problem goes away with the upgrade.

Re: New Palo Alto User - Dynamic Block List

sjamaluddin — Fri, 26 Apr 2013 22:40:25 GMT

Do you want the management interface to access the dynamic block list

If so,

1. the dynamic block list must be referenced in a security policy

2. the management interface must have access to the web server that houses the dynamic block list

3. If you have a service route for the URL (brightcloud updates) pointing out of the Untrust or the Trust interface, the request for the dynamic block list will also go out that way as such you must then create as service route explicitly stating that to get to the web server with the block list use the management interface (you can configure this in the right hand panel of the service router configuration)

Re: New Palo Alto User - Dynamic Block List

dmodien — Fri, 26 Apr 2013 23:55:50 GMT

My problem was fixed by adding a service route under device, service tab and then clicking add service route. In this section I had to add info specifying that the PA use internal interface to reach my web server rather than the management IP. This was pretty easy and it worked immediately after the commit.

Thanks to everyone who responded.