<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Default EDLs and manual exceptions in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/default-edls-and-manual-exceptions/m-p/346298#M86502</link>
    <description>&lt;P&gt;I'm working through a best practices assessment and one of the recommendations is to create security policies to deny traffic inbound or outbound to the two default external dynamic lists:&amp;nbsp;'Palo Alto Networks - Known malicious IP addresses' and&amp;nbsp;'Palo Alto Networks - High risk IP addresses'. My concern, though, is that we have multiple sites connected via VPN, as well as numerous business critical connections. I would like to be able to put an exception in for these in advance, if possible, to make sure that if one of those critical IPs somehow gets added to the list we don't lose a connection to a remote site, or drop a vendor connection. Unfortunately, it doesn't appear that there's any option to add manual entries, or override the EDL. The next option that comes to mind, then, would be to put this deny rule after all the other allow rules, which somewhat defeats the point of a 'deny evil IPs' rule. Any thoughts, or suggestions?&lt;/P&gt;</description>
    <pubDate>Tue, 01 Sep 2020 17:27:22 GMT</pubDate>
    <dc:creator>JessicaDavis</dc:creator>
    <dc:date>2020-09-01T17:27:22Z</dc:date>
    <item>
      <title>Default EDLs and manual exceptions</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/default-edls-and-manual-exceptions/m-p/346298#M86502</link>
      <description>&lt;P&gt;I'm working through a best practices assessment and one of the recommendations is to create security policies to deny traffic inbound or outbound to the two default external dynamic lists:&amp;nbsp;'Palo Alto Networks - Known malicious IP addresses' and&amp;nbsp;'Palo Alto Networks - High risk IP addresses'. My concern, though, is that we have multiple sites connected via VPN, as well as numerous business critical connections. I would like to be able to put an exception in for these in advance, if possible, to make sure that if one of those critical IPs somehow gets added to the list we don't lose a connection to a remote site, or drop a vendor connection. Unfortunately, it doesn't appear that there's any option to add manual entries, or override the EDL. The next option that comes to mind, then, would be to put this deny rule after all the other allow rules, which somewhat defeats the point of a 'deny evil IPs' rule. Any thoughts, or suggestions?&lt;/P&gt;</description>
      <pubDate>Tue, 01 Sep 2020 17:27:22 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/default-edls-and-manual-exceptions/m-p/346298#M86502</guid>
      <dc:creator>JessicaDavis</dc:creator>
      <dc:date>2020-09-01T17:27:22Z</dc:date>
    </item>
    <item>
      <title>Re: Default EDLs and manual exceptions</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/default-edls-and-manual-exceptions/m-p/346338#M86504</link>
      <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/139245"&gt;@JessicaDavis&lt;/a&gt;,&lt;/P&gt;
&lt;P&gt;I really wouldn't be too terribly worried about any IP address that you actually require for legitimate business functions to make it onto these lists. I've actually&amp;nbsp;never heard of anyone actually having any issue with that. If you want to ensure that these never those site-to-site tunnels, you could always include the security rulebase entries allowing access to those resources above the entries blocking access to the dynamic lists; assuming that these are static resources, you already know the peer addresses, so just include the known peers in any policy above the EDLs.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Again, I wouldn't be too worried about something accidentally being included on this.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Wed, 02 Sep 2020 00:56:53 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/default-edls-and-manual-exceptions/m-p/346338#M86504</guid>
      <dc:creator>BPry</dc:creator>
      <dc:date>2020-09-02T00:56:53Z</dc:date>
    </item>
  </channel>
</rss>