<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic External Dynamic List in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/external-dynamic-list/m-p/285978#M76524</link>
    <description>&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;We are planning to use&amp;nbsp;&lt;SPAN&gt;URL type EDL (external dynamic list) in a security policy rule / URL filtering profile.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;Does PA translate the URL in the external dynamic list to an IP address using FQDN refresh (like if we created an FQDN object in the firewall)?&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;How does it work exactly? Any inputs would be appreciated.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;Thanks&lt;/SPAN&gt;&lt;/P&gt;</description>
    <pubDate>Fri, 30 Aug 2019 11:18:10 GMT</pubDate>
    <dc:creator>L1_ENG</dc:creator>
    <dc:date>2019-08-30T11:18:10Z</dc:date>
    <item>
      <title>External Dynamic List</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/external-dynamic-list/m-p/285978#M76524</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;We are planning to use&amp;nbsp;&lt;SPAN&gt;URL type EDL (external dynamic list) in a security policy rule / URL filtering profile.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;Does PA translate the URL in the external dynamic list to an IP address using FQDN refresh (like if we created an FQDN object in the firewall)?&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;How does it work exactly? Any inputs would be appreciated.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;Thanks&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Fri, 30 Aug 2019 11:18:10 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/external-dynamic-list/m-p/285978#M76524</guid>
      <dc:creator>L1_ENG</dc:creator>
      <dc:date>2019-08-30T11:18:10Z</dc:date>
    </item>
    <item>
      <title>Re: External Dynamic List</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/external-dynamic-list/m-p/286011#M76527</link>
      <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/121038"&gt;@L1_ENG&lt;/a&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The fqdn address objects are very different to the EDL. Even though you input a fqdn, from policy perspective it is still IP address object, even though the IP can change based on the periodic fqdn resolution.&lt;/P&gt;&lt;P&gt;EDL are just text files, which can be of URL, domain or IP address type. The IP EDL can be used as policy address match, similar to any other address object and group. However the URL type EDL can only be used in URL filtering profiles or in the URL Category match section of the security policies. URLs in the list are not resolved, because an EDL can have thousands of entries and it could introduce large processing overhead.&lt;/P&gt;&lt;P&gt;You can potentially use some external servers to resolve a list of URLs and convert it to an IP address list, which can be presented to the firewall. &amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Fri, 30 Aug 2019 13:38:24 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/external-dynamic-list/m-p/286011#M76527</guid>
      <dc:creator>BatD</dc:creator>
      <dc:date>2019-08-30T13:38:24Z</dc:date>
    </item>
    <item>
      <title>Re: External Dynamic List</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/external-dynamic-list/m-p/286012#M76528</link>
      <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/74884"&gt;@BatD&lt;/a&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thank you for your explanation.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Do you have any experience/input in blocking well known malicious domain/URL on Palo?&lt;/P&gt;&lt;P&gt;Which options should we use? FQDN object/URL filtering or DNS sinkhole to block inbound and outbound traffic?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thanks!&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Fri, 30 Aug 2019 14:02:00 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/external-dynamic-list/m-p/286012#M76528</guid>
      <dc:creator>L1_ENG</dc:creator>
      <dc:date>2019-08-30T14:02:00Z</dc:date>
    </item>
    <item>
      <title>Re: External Dynamic List</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/external-dynamic-list/m-p/286013#M76529</link>
      <description>&lt;P&gt;Ideally you should use all methods, as they complement each other. The fqdn address objects are probably not suitable in this case, because you will have to create too many, however you can have EDL feeds of known bad URLs, in addition to using the Palo Alto URL filtering categories. DNS Sinkhole should be applied to user traffic, however it is not designed to block malicious URLs, but rather to detect users who are already infected.&lt;/P&gt;</description>
      <pubDate>Fri, 30 Aug 2019 15:16:35 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/external-dynamic-list/m-p/286013#M76529</guid>
      <dc:creator>BatD</dc:creator>
      <dc:date>2019-08-30T15:16:35Z</dc:date>
    </item>
  </channel>
</rss>

