https://live.paloaltonetworks.com/t5/general-topics/dynamic-quot-allow-quot-lists-possible/m-p/23478#M17124 <HTML><HEAD></HEAD><BODY><P>Greetings,</P><P></P><P>I'm migrating from regionalized TMG environment, to a distributed Palo Alto design at a great number of sites. One of the banes of our TMG existence is maintaining a list of allowed internet sites that anyone on the network can get to VIA a trust to untrust policy (Even those non-domain devices).&nbsp; Things like HR sites, retirement, health care, etc.&nbsp; This list is long, changes often, and must be changed on many firewalls.&nbsp; We are looking for something a little more automated.&nbsp; We are running 5.10 code, and will NOT have Panorama deployed until well into 2015.</P><P></P><P>URL filtering is great.&nbsp; Specifically, the ability to use wild cards in the URL's, and to chose weather to allow or deny traffic in policy.&nbsp; However, modifications are tedious at best, and every firewall must be touched.&nbsp; (Well over 150 right now!)</P><P><SPAN style="font-size: 10pt; line-height: 1.5em;">Dynamic Block Lists are nearly perfect for this task, if only they could be "Dynamic Lists" and <EM>we could chose</EM> to block or allow.&nbsp; The disadvantage here is that EBL's are IP addresses, and not URL's.</SPAN></P><P></P><P>Is there a way to maintain a list of URLs in a text or XML file on a server, to be referenced by an "Allow" policy, on all of the firewalls on some interval?&nbsp; In other words, Dynamic Block List behavior, with URL filter functionality?</P><P></P><P>Can it be done?</P><P></P><P>Thanks,</P></BODY></HTML> Mon, 22 Sep 2014 18:40:48 GMT aklugherz 2014-09-22T18:40:48Z https://live.paloaltonetworks.com/t5/general-topics/dynamic-quot-allow-quot-lists-possible/m-p/23478#M17124 <HTML><HEAD></HEAD><BODY><P>Greetings,</P><P></P><P>I'm migrating from regionalized TMG environment, to a distributed Palo Alto design at a great number of sites. One of the banes of our TMG existence is maintaining a list of allowed internet sites that anyone on the network can get to VIA a trust to untrust policy (Even those non-domain devices).&nbsp; Things like HR sites, retirement, health care, etc.&nbsp; This list is long, changes often, and must be changed on many firewalls.&nbsp; We are looking for something a little more automated.&nbsp; We are running 5.10 code, and will NOT have Panorama deployed until well into 2015.</P><P></P><P>URL filtering is great.&nbsp; Specifically, the ability to use wild cards in the URL's, and to chose weather to allow or deny traffic in policy.&nbsp; However, modifications are tedious at best, and every firewall must be touched.&nbsp; (Well over 150 right now!)</P><P><SPAN style="font-size: 10pt; line-height: 1.5em;">Dynamic Block Lists are nearly perfect for this task, if only they could be "Dynamic Lists" and <EM>we could chose</EM> to block or allow.&nbsp; The disadvantage here is that EBL's are IP addresses, and not URL's.</SPAN></P><P></P><P>Is there a way to maintain a list of URLs in a text or XML file on a server, to be referenced by an "Allow" policy, on all of the firewalls on some interval?&nbsp; In other words, Dynamic Block List behavior, with URL filter functionality?</P><P></P><P>Can it be done?</P><P></P><P>Thanks,</P></BODY></HTML> Mon, 22 Sep 2014 18:40:48 GMT https://live.paloaltonetworks.com/t5/general-topics/dynamic-quot-allow-quot-lists-possible/m-p/23478#M17124 aklugherz 2014-09-22T18:40:48Z https://live.paloaltonetworks.com/t5/general-topics/dynamic-quot-allow-quot-lists-possible/m-p/23479#M17125 <HTML><HEAD></HEAD><BODY><P>Hi Aklugherz,</P><P></P><P>Dynamic Block list allow only subnet/IPs in it. Rest all is illegal and it just ignore it.</P><P></P><P>I didnt find any existing Feature Request for the same. </P><P></P><P>Regards,</P><P>Hardik SHah</P></BODY></HTML> Mon, 22 Sep 2014 18:50:57 GMT https://live.paloaltonetworks.com/t5/general-topics/dynamic-quot-allow-quot-lists-possible/m-p/23479#M17125 hshah 2014-09-22T18:50:57Z https://live.paloaltonetworks.com/t5/general-topics/dynamic-quot-allow-quot-lists-possible/m-p/23480#M17126 <HTML><HEAD></HEAD><BODY><P>Hi Aklugherz,</P><P></P><P>I dont see any way to add lots of URLs in text file which firewall can use. I would suggest to contact your Sales Engineer, he might have better insight to this.</P><P></P><P>Regards,</P><P>Hardik Shah</P></BODY></HTML> Mon, 22 Sep 2014 19:30:38 GMT https://live.paloaltonetworks.com/t5/general-topics/dynamic-quot-allow-quot-lists-possible/m-p/23480#M17126 hshah 2014-09-22T19:30:38Z https://live.paloaltonetworks.com/t5/general-topics/dynamic-quot-allow-quot-lists-possible/m-p/23481#M17127 <HTML><HEAD></HEAD><BODY><P>Hello <STRONG style="font-size: 12px; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;"><A _jive_internal="true" class="jiveTT-hover-user jive-username-link" data-avatarid="1420" data-externalid="" data-presence="null" data-userid="29734" data-username="aklugherz" href="https://live.paloaltonetworks.com/people/aklugherz" style="padding: 0 3px 0 0; font-weight: inherit; font-style: inherit; font-size: 1.1em; font-family: inherit; color: #006595;"><SPAN class="GINGER_SOFTWARE_mark">aklugherz</SPAN></A></STRONG>,</P><P></P><P><SPAN class="GINGER_SOFTWARE_mark">Please find below few</SPAN> documents regarding EBL, for your reference:</P><P></P><P><A href="https://live.paloaltonetworks.com/docs/DOC-5850">Configuring Dynamic Block List (EBL) on a Palo Alto Networks Device</A></P><P><A href="https://live.paloaltonetworks.com/docs/DOC-4724">Working with External Block List (EBL) Formats and Limitations</A></P><P></P><P>Thanks</P></BODY></HTML> Mon, 22 Sep 2014 19:42:58 GMT https://live.paloaltonetworks.com/t5/general-topics/dynamic-quot-allow-quot-lists-possible/m-p/23481#M17127 HULK 2014-09-22T19:42:58Z https://live.paloaltonetworks.com/t5/general-topics/dynamic-quot-allow-quot-lists-possible/m-p/23482#M17128 <HTML><HEAD></HEAD><BODY><P>Thanks Hulk,</P><P></P><P>I use dynamic block lists to block websites.&nbsp; It's fantastic, in that we only have to maintain a single file with bad sites on a server somewhere, and the firewalls just go get it.</P><P></P><P>What I'm looking for now is the exact <EM>opposite</EM> effect:&nbsp; A file hosted on a server, that lists URL's that are <STRONG>allowed</STRONG>.</P></BODY></HTML> Mon, 22 Sep 2014 19:48:01 GMT https://live.paloaltonetworks.com/t5/general-topics/dynamic-quot-allow-quot-lists-possible/m-p/23482#M17128 aklugherz 2014-09-22T19:48:01Z https://live.paloaltonetworks.com/t5/general-topics/dynamic-quot-allow-quot-lists-possible/m-p/23483#M17129 <HTML><HEAD></HEAD><BODY><P>We do have the option to add sites to a whitelist in the URL profile, but it wouldn't be exactly like the External Block List you mentioned.</P><P></P><P>Thanks!</P></BODY></HTML> Fri, 03 Oct 2014 17:56:25 GMT https://live.paloaltonetworks.com/t5/general-topics/dynamic-quot-allow-quot-lists-possible/m-p/23483#M17129 mmmccorkle 2014-10-03T17:56:25Z https://live.paloaltonetworks.com/t5/general-topics/dynamic-quot-allow-quot-lists-possible/m-p/23484#M17130 <HTML><HEAD></HEAD><BODY><P>Hello <STRONG style="font-size: 12px; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;"><A _jive_internal="true" class="jiveTT-hover-user jive-username-link" data-avatarid="1420" data-externalid="" data-presence="null" data-userid="29734" data-username="aklugherz" href="https://live.paloaltonetworks.com/people/aklugherz" style="padding: 0 3px 0 0; font-weight: inherit; font-style: inherit; font-size: 1.1em; font-family: inherit; color: #006595;">aklugherz</A></STRONG>,</P><P></P><P>I believe the dynamic allow list is not supported at the moment with PAN firewall. Do not see any existing feature requests as well. As suggested previously, your best bet would be to contact your SE who can file a request on your behalf</P><P></P><P>Thanks</P></BODY></HTML> Fri, 03 Oct 2014 20:45:13 GMT https://live.paloaltonetworks.com/t5/general-topics/dynamic-quot-allow-quot-lists-possible/m-p/23484#M17130 tshiv 2014-10-03T20:45:13Z