https://live.paloaltonetworks.com/t5/general-topics/how-do-i-create-my-list-of-blocked-ips-for-firewall-to-feed-from/m-p/129065#M98608 <P>One more thing, I updated my&nbsp;<SPAN>MineMeld-source-List but on firewall I can see that&nbsp;</SPAN>'EDL(MineMeld-source-List) No changes to list file' ? And it is not working for updated IP (I reloaded indicator list)</P> Sat, 26 Nov 2016 13:40:59 GMT niuk 2016-11-26T13:40:59Z https://live.paloaltonetworks.com/t5/general-topics/how-do-i-create-my-list-of-blocked-ips-for-firewall-to-feed-from/m-p/128817#M98603 <P>I need to create my list '<SPAN>MineMeld-source-List'&nbsp;</SPAN>of blocked IPs which I want to use in the rule. I tried to use prototype&nbsp;<A href="https://10.95.1.111/#/prototypes/stdlib/listIPv4Generic" target="_blank">stdlib.listIPv4Generic</A>&nbsp;as input where I can add indicators. Then used&nbsp;<A href="https://10.95.1.111/#/prototypes/stdlib/aggregatorIPv4Inbound" target="_blank">stdlib.aggregatorIPv4Inbound</A>&nbsp;based aggregator and subsribed firewall to&nbsp;<A href="https://10.95.1.111/#/prototypes/stdlib/feedHCGreen" target="_blank">stdlib.feedHCGreen</A>&nbsp;based output (<SPAN>MineMeld-source-List)</SPAN>. But on firewall I am getting warning EDL(vsys1/MineMeld-source-List ip) Downloaded file is either not a text file or empty file during policy commit. In the Logs/System I can see&nbsp;'EDL(MineMeld-source-List) EDL Fetch job done' every 5 min but it is not working. Also on firewall I can see:</P> <P>&nbsp;</P> <PRE>admin@MR-DC(active)&gt; request system external-list show type ip name MineMeld-source-List &nbsp; Server error : entry not found</PRE> <P>&nbsp;</P> Thu, 24 Nov 2016 20:25:49 GMT https://live.paloaltonetworks.com/t5/general-topics/how-do-i-create-my-list-of-blocked-ips-for-firewall-to-feed-from/m-p/128817#M98603 niuk 2016-11-24T20:25:49Z https://live.paloaltonetworks.com/t5/general-topics/how-do-i-create-my-list-of-blocked-ips-for-firewall-to-feed-from/m-p/128832#M98604 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/11481">@niuk</a>,</P> <P>please could you share you MineMeld config ? You can export it from the CONFIG tab.</P> <P>&nbsp;</P> <P>Thanks !<BR />luigi</P> Thu, 24 Nov 2016 22:40:44 GMT https://live.paloaltonetworks.com/t5/general-topics/how-do-i-create-my-list-of-blocked-ips-for-firewall-to-feed-from/m-p/128832#M98604 lmori 2016-11-24T22:40:44Z https://live.paloaltonetworks.com/t5/general-topics/how-do-i-create-my-list-of-blocked-ips-for-firewall-to-feed-from/m-p/128841#M98605 <P>Here it is,&nbsp;I am referring to 'path' with 'source-*', so source-input, source-agggregator and source-output</P> <P>&nbsp;</P> <PRE>nodes: spamhaus_EDROP: output: true prototype: spamhaus.EDROP dshield_blocklist: output: true prototype: dshield.block inboundaggregator: inputs: - spamhaus_DROP - spamhaus_EDROP - dshield_blocklist - wlWhiteListIPv4 - panos_syslog_miner output: true prototype: stdlib.aggregatorIPv4Inbound inboundfeedhc: inputs: - inboundaggregator output: false prototype: stdlib.feedHCGreen spamhaus_DROP: output: true prototype: spamhaus.DROP wlWhiteListIPv4: inputs: [] output: true prototype: stdlib.listIPv4Generic inboundfeedlc: inputs: - inboundaggregator output: false prototype: stdlib.feedLCGreen inboundfeedmc: inputs: - inboundaggregator output: false prototype: stdlib.feedMCGreen panos_syslog_miner: inputs: [] output: true prototype: stdlib.syslogMiner syslog_analyzer: inputs: - inboundaggregator output: true prototype: stdlib.localSyslog source-WhiteList: inputs: [] output: true prototype: stdlib.listIPv4Generic source-aggregator: inputs: - source-WhiteList output: true prototype: stdlib.aggregatorIPv4Inbound source-output: inputs: - source-aggregator output: false prototype: stdlib.feedHCGreen </PRE> <P>&nbsp;</P> <P>&nbsp;</P> Fri, 25 Nov 2016 01:15:56 GMT https://live.paloaltonetworks.com/t5/general-topics/how-do-i-create-my-list-of-blocked-ips-for-firewall-to-feed-from/m-p/128841#M98605 niuk 2016-11-25T01:15:56Z https://live.paloaltonetworks.com/t5/general-topics/how-do-i-create-my-list-of-blocked-ips-for-firewall-to-feed-from/m-p/128875#M98606 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/11481">@niuk</a>&nbsp;!</P> <P>You have selected feedHCGreen, this output accepts&nbsp;only indicator with confidence above 75 (and by default indicators created in listIPv4Generic have confidence 100) and with <STRONG>share level green</STRONG>. Please double check all the indicators you have created are Green. Also the aggregator inbound accepts only indicator with direction Inbound, once again please check the indicators you have created have <STRONG>direction INBOUND or UNKNOWN</STRONG>.</P> <P>Once done you should be able to access your feed at https://&lt;minemeld ip address&gt;/feeds/source-output</P> <P>&nbsp;</P> <P>luigi</P> Fri, 25 Nov 2016 07:21:18 GMT https://live.paloaltonetworks.com/t5/general-topics/how-do-i-create-my-list-of-blocked-ips-for-firewall-to-feed-from/m-p/128875#M98606 lmori 2016-11-25T07:21:18Z https://live.paloaltonetworks.com/t5/general-topics/how-do-i-create-my-list-of-blocked-ips-for-firewall-to-feed-from/m-p/129064#M98607 <P>It works now after changiung direction and share level. 'request system external..' still shows server error, but I can see the ip addresses dropped in logs by the rule using my&nbsp;MineMeld-source-List</P> <P>&nbsp;</P> <P>&nbsp;</P> <PRE>admin@MR-DC1-PFWP02(active)&gt; request system external-list show type ip name MineMeld-source-List Server error : entry not found</PRE> <P>&nbsp;</P> Sat, 26 Nov 2016 12:22:30 GMT https://live.paloaltonetworks.com/t5/general-topics/how-do-i-create-my-list-of-blocked-ips-for-firewall-to-feed-from/m-p/129064#M98607 niuk 2016-11-26T12:22:30Z https://live.paloaltonetworks.com/t5/general-topics/how-do-i-create-my-list-of-blocked-ips-for-firewall-to-feed-from/m-p/129065#M98608 <P>One more thing, I updated my&nbsp;<SPAN>MineMeld-source-List but on firewall I can see that&nbsp;</SPAN>'EDL(MineMeld-source-List) No changes to list file' ? And it is not working for updated IP (I reloaded indicator list)</P> Sat, 26 Nov 2016 13:40:59 GMT https://live.paloaltonetworks.com/t5/general-topics/how-do-i-create-my-list-of-blocked-ips-for-firewall-to-feed-from/m-p/129065#M98608 niuk 2016-11-26T13:40:59Z https://live.paloaltonetworks.com/t5/general-topics/how-do-i-create-my-list-of-blocked-ips-for-firewall-to-feed-from/m-p/129111#M98609 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/11481">@niuk</a>,</P> <P>- check with the browser going directly to "https://&lt;minemeld ip address&gt;/feeds/source-output", do you see all the indicators you have creted ? If not:</P> <P>- check inside the&nbsp;MineMeld logs with the following query: "source:source-output&nbsp;op:DROP_UPDATE" to see if some indicators have been dropped by the feed</P> <P>- check if the EDL object is point to the right URL (https://&lt;minemeld ip address&gt;/feeds/source-output)</P> <P>- check inside the ms.log on PAN-OS for errors around EDL download</P> <P>&nbsp;</P> <P>Luigi</P> Sun, 27 Nov 2016 20:50:53 GMT https://live.paloaltonetworks.com/t5/general-topics/how-do-i-create-my-list-of-blocked-ips-for-firewall-to-feed-from/m-p/129111#M98609 lmori 2016-11-27T20:50:53Z https://live.paloaltonetworks.com/t5/general-topics/how-do-i-create-my-list-of-blocked-ips-for-firewall-to-feed-from/m-p/129112#M98610 <P><SPAN>- "https://&lt;minemeld ip address&gt;/feeds/source-output" is showing&nbsp;all the indicators I creted</SPAN></P> <PRE>10.199.107.10-10.199.107.10 192.168.3.0-192.168.3.255</PRE> <P>- &nbsp;nothing in&nbsp;<SPAN>"source:source-output&nbsp;op:DROP_UPDATE" but .. logs don't go too far because I receiverd Error receiving outputs Metrics internal error and restarted server</SPAN></P> <P><SPAN>-&nbsp;the EDL object &nbsp;points to the right URL&nbsp;I can test it with button click and as I said it is working fine for&nbsp;</SPAN></P> <PRE>192.168.3.0-192.168.3.255</PRE> <P>but not for &nbsp;which was added later, after feed created</P> <PRE>10.199.107.10-10.199.107.10</PRE> <P>&nbsp;</P> <P>But I 've noticed that after restarting MineMeld I have all Indicatiors blocked correctly by firewall. It happened to me that I had to restart server second time, practically every 2 days (I've got this internal error second time).</P> Sun, 27 Nov 2016 21:24:28 GMT https://live.paloaltonetworks.com/t5/general-topics/how-do-i-create-my-list-of-blocked-ips-for-firewall-to-feed-from/m-p/129112#M98610 niuk 2016-11-27T21:24:28Z https://live.paloaltonetworks.com/t5/general-topics/how-do-i-create-my-list-of-blocked-ips-for-firewall-to-feed-from/m-p/129116#M98611 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/11481">@niuk</a>,</P> <P>logs are stored on disk, you don't lose them with restarts.</P> <P>&nbsp;</P> <P>Could you send me your /opt/minemeld/log/minemeld-engine.log and /opt/minemeld/log/minemeld-web.log files in a zip at lmori@paloaltonetworks.com ? I'd like to give a look at the internal errors.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>luigi</P> Sun, 27 Nov 2016 21:30:30 GMT https://live.paloaltonetworks.com/t5/general-topics/how-do-i-create-my-list-of-blocked-ips-for-firewall-to-feed-from/m-p/129116#M98611 lmori 2016-11-27T21:30:30Z https://live.paloaltonetworks.com/t5/general-topics/how-do-i-create-my-list-of-blocked-ips-for-firewall-to-feed-from/m-p/132295#M98612 <P>The error message&nbsp;</P> <P>&nbsp;</P> <PRE>Server error : entry not found</PRE> <P>&nbsp;</P> <P>is most likely caused by not setting the vsys, if you do,</P> <P>&nbsp;</P> <P>&gt; set system setting target-vsys vsys1</P> <P>&nbsp;</P> <P>This should work.</P> Fri, 09 Dec 2016 16:38:13 GMT https://live.paloaltonetworks.com/t5/general-topics/how-do-i-create-my-list-of-blocked-ips-for-firewall-to-feed-from/m-p/132295#M98612 Fengrui 2016-12-09T16:38:13Z