<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Using a large destination-domain blacklist in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/using-a-large-destination-domain-blacklist/m-p/40105#M29409</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I hear ya man, there should be a DNS domain blacklist (dynamic list like Dynamic Block Lists). DNS blocking is really the only way you can do it. Object FQDN lookups won't work and don't scale. They have to constantly refresh the data at regular intervals, but malware domains can have slow TTLs, lower than the firewall and will skirt through. &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;URL filtering only filters web traffic and the traffic may not be web based. There are a lot of domains I would like to block at the IP level in the event the traffic is ssh, icmp tunneling, etc. Still trying to figure that one out.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Fri, 05 Dec 2014 21:00:15 GMT</pubDate>
    <dc:creator>rbergen</dc:creator>
    <dc:date>2014-12-05T21:00:15Z</dc:date>
    <item>
      <title>Using a large destination-domain blacklist</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/using-a-large-destination-domain-blacklist/m-p/40103#M29407</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I am considering the use of a domain name blacklist published by the DNS-BH project in a custom URL category that will block access to any of the included domains.&amp;nbsp; However, the list is over 12K entries long, which obviously doubles when I add an additional wildcard entry for each.&amp;nbsp; So, I have a few questions.&amp;nbsp; &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;First, does it make sense to try to achieve my goal of blocking http to known malware sites using this method?&amp;nbsp; Is there a max URL category list limit that this would exceed, or will there be a performance hit related to comparing URL domain against a 24K list that makes this option unrealistic (on PA-200 up to PA-5020)?&amp;nbsp; Can an update of the custom URL category list be automated via the CLI from a text file?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Also, if I wanted to block access to these domains for more than just http traffic, what other options do I have?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 30 Aug 2012 01:14:07 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/using-a-large-destination-domain-blacklist/m-p/40103#M29407</guid>
      <dc:creator>schaleg</dc:creator>
      <dc:date>2012-08-30T01:14:07Z</dc:date>
    </item>
    <item>
      <title>Re: Using a large destination-domain blacklist</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/using-a-large-destination-domain-blacklist/m-p/40104#M29408</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;If your purpose is to block malware sites, the best way would be to do it by blocking the category "malware-sites" and using the dynamic URL filtering. The firewall will determine whether the URL is a malware website or not by doing a search on the cloud database (brightcloud.com). The cloud database gets updated frequently with all kinds of URLs. You can visit brightcloud.com and test a few URLs that are present in the dns-bh list.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 30 Aug 2012 08:03:59 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/using-a-large-destination-domain-blacklist/m-p/40104#M29408</guid>
      <dc:creator>sdurga</dc:creator>
      <dc:date>2012-08-30T08:03:59Z</dc:date>
    </item>
    <item>
      <title>Re: Using a large destination-domain blacklist</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/using-a-large-destination-domain-blacklist/m-p/40105#M29409</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I hear ya man, there should be a DNS domain blacklist (dynamic list like Dynamic Block Lists). DNS blocking is really the only way you can do it. Object FQDN lookups won't work and don't scale. They have to constantly refresh the data at regular intervals, but malware domains can have slow TTLs, lower than the firewall and will skirt through. &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;URL filtering only filters web traffic and the traffic may not be web based. There are a lot of domains I would like to block at the IP level in the event the traffic is ssh, icmp tunneling, etc. Still trying to figure that one out.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 05 Dec 2014 21:00:15 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/using-a-large-destination-domain-blacklist/m-p/40105#M29409</guid>
      <dc:creator>rbergen</dc:creator>
      <dc:date>2014-12-05T21:00:15Z</dc:date>
    </item>
  </channel>
</rss>

