Routing by country/region.

Reply
L1 Bithead

Routing by country/region.

Ok, Palo Gurus - 

 

I'm fairly new to the platform, but learning as quickly as I can.

 

As best I can tell, although Palo maintains lists of IP ranges associated with countries - "Regions" (Great!), these can only be referenced in security policies (Stupid.)

 

I tried referencing Regions both in the Static routing section of the Virtual Router (nope) AND the PBF section of the Policies Tab (nope), without success.

 

It seems ridiculous that the Palo platform would go to the effort to maintain these lists, but then only let you reference them for the purposes of ACLs.

Particularly in China, it is useful to route the domestic Chinese internet destinations locally, and alternate internet destinations via WAN.  This really should be simple, and I can't imagine Palo would need to write much code to allow Regions to be referenced across the platform where destination/source addressing is implicated.

Can anyone tell me -

A) Am I missing something here?

B) Is there a way to reference those built in Region address lists as "External Address Lists"?

C) How to politely get traction on a sensible feature request from the Palo dev team?
D) Some other way to get this done?

Thanks,
Nate

L7 Applicator

Re: Routing by country/region.


@NathanHughes wrote:

Can anyone tell me -

A) Am I missing something here?

B) Is there a way to reference those built in Region address lists as "External Address Lists"?

C) How to politely get traction on a sensible feature request from the Palo dev team?
D) Some other way to get this done?

Thanks,
Nate


A) Nope. This isn't a feature that is currently available in PAN-OS. 

B) No

C) What's the existing feature request number? Unless you get other customers to vote for the issue it isn't likely to be acted upon unless you are a very large customer who can force through the change with your purchasing power. 

D) The addresses assigned to China are relatively available as it is, you could definitely build out a list of addresses assigned to China if you were inclined to do so. 

L1 Bithead

Re: Routing by country/region.

Thanks for responding.

I guess I'm resigned to trying to create and maintain my own address list.

 

It seems pretty silly, seeing that Palo is doing that curation work already AND distributing updates to the FW regularly - I just can't access it in this specific part of the platform.

 

Can I reference Palo's Region lists AS external lists?  (ie. are they formatted properly and publicly published already)?

 

Nate

L7 Applicator

Re: Routing by country/region.

@NathanHughes,

To the best of my knowledge PAN does not share that list in a public accessible location. I would guess that doing so would violate the license to whichever geoIP database they are subscribing to, as is the case with most vendors. I don't suspect that PAN actually took the time to gather/maintain this themselves.  

L1 Bithead

Re: Routing by country/region.

I've noticed a few different places online that publish various lists (threat, etc) reformatted for Palo.

 

Does anyone know of any similarly published for country ranges?

Nate

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!