Spamhaus Domain Block List (DBL) PANOS Integration



I recently discovered that one of my favorite real-time block list providers has a new block list for domains that are found in phishing emails. PANOS has the ability to use a dynamic block list (DBL)/(EBL) external block list, but from what I have gathered there is no way to get my PA to query domains found in the Spamhaus DBL and deny traffic to URLs where the domain is listed in the Spamhaus DBL. I think this would be a fantastic option. What would be the best avenue to suggest this as a future feature to be added?

In my opinion the URL filtering on my PA-3020s is good but not great. It does not seem to do well with URLs that point to domains that are specifically addressed by the Spamhaus DBL.

http://www.spamhaus.org/dbl/

What do you think?


Hi VmChad,

Please refer to the following document, which should help: Dynamic Block Lists and Spamhaus

Regards,

Hardik Shah

Hardik,

Wow I feel like a dope, I searched this site for DBL and did not find the Spamhaus document that you linked to. I should have searched for Spamhaus and saved you some time. Sorry for being "that guy" and thanks for pointing me in the right direction.

Thanks,

Chad

Hi vmChad,

I am glad I was able to help you. Feel free to ask us as many questions as you want. We are here to help you.

Regards,

Hardik Shah

Hardik,

After looking at the solution you linked to, I found that I need to clarify. The solution that you suggested only works by referencing a text file that contains IPs/net addresses. The Spamhaus DBL is different: it is a domain block list and has a different purpose from the http://www.spamhaus.org/drop/drop.txt list.

From the Spamhaus FAQ: "The DBL uses DNS return codes in the 127.0.1.0/24 range. Queries regarding any domain listed in DBL and all IP queries will return a response code. If no code is returned (NXDOMAIN) the domain is not listed in DBL. DBL return codes in current and future use are:"

http://www.spamhaus.org/faq/section/Spamhaus%20DBL#277

The PANOS Dynamic Block Lists will not currently work with the Spamhaus DBL from what I can tell. It would be awesome if it could work together with the URL filtering database to keep my users from going to URL/domains that are actively being used for phishing and the like.

Thanks,

Chad


Hi vmChad,

DBL only supports IP/Network. You cannot have URLs in it. URLs are considered syntax errors and those entries are skipped.

First line in provided document says "To support the Spamhaus Drop list with Dynamic Block Lists, you can use a linux web server which will host the text file with all bad IPs/net."

It says IPs/net, hence URLs are not supported.

Regards,

Hardik Shah
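
As an added example (not code from this thread, Palo Alto Networks or Spamhaus), the sketch below puts the two mechanisms discussed above side by side: a Spamhaus DBL check is one DNS query per domain whose answer is tested against the 127.0.1.0/24 range quoted from the FAQ, while a dynamic block list file keeps only IP/network lines. The query zone `dbl.spamhaus.org` is not stated in the thread; the `;` comment handling, the function names and all sample values are assumptions constructed for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

DBL_ZONE = "dbl.spamhaus.org"                     # assumed query zone (not in the thread)
DBL_CODES = ipaddress.ip_network("127.0.1.0/24")  # return-code range quoted from the FAQ

def live_resolver(name):
    """Return the A records for name, or [] on NXDOMAIN or any lookup failure."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def dbl_codes(url_or_domain, resolver=live_resolver):
    """Return the DBL return codes for the host of a URL; [] means not listed."""
    host = (urlsplit(url_or_domain).hostname or url_or_domain).strip().rstrip(".").lower()
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass  # not an IP address, so it is a domain we can query
    else:
        # The FAQ says all IP queries return a code, so such an answer proves nothing.
        raise ValueError(f"{host!r} is an IP address, not a domain")
    answers = resolver(f"{host}.{DBL_ZONE}")
    # Only answers inside the documented range count as a listing.
    return [a for a in answers if ipaddress.ip_address(a) in DBL_CODES]

def split_for_ebl(lines):
    """Split feed lines into (IP/network entries, skipped non-IP entries)."""
    kept, skipped = [], []
    for raw in lines:
        entry = raw.split(";")[0].strip()  # assumed: ';' starts a comment
        if not entry:
            continue
        try:
            ipaddress.ip_network(entry, strict=False)
            kept.append(entry)
        except ValueError:
            skipped.append(entry)  # a domain or URL: not usable in an IP/net list
    return kept, skipped

if __name__ == "__main__":
    # Constructed answers standing in for real DNS responses.
    fake = {"bad.example.test.dbl.spamhaus.org": ["127.0.1.2"]}
    print(dbl_codes("http://bad.example.test/login", lambda n: fake.get(n, [])))
    print(split_for_ebl(["192.0.2.0/24 ; constructed", "bad.example.test"]))
```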

Hi vmChad,

Let me know if you have any additional queries. I would be more than happy to help you with that.

Regards,

Hardik Shah

Hardik,

My original post was about whether or not PANOS would be able to leverage the Spamhaus DBL, which I now know that it will not. My secondary query in that post was what is the best way to submit this as a possible future integration.

I still think that this would be an awesome feature. While the PAN-DB URL database is pretty good, the Spamhaus DBL is far better at quickly identifying domains that are hosting phishing pages and malware links that are propagated via web links in email and email attachments.

Are others out there noticing that the PAN-DB is quite slow at identifying phishing URLs? The last time my firewall identified and blocked someone from going to a URL categorized as phishing was on September 23rd. I am certain that actual phishing sites have been accessed through our PA many times since September 23rd because I regularly access them in a sandbox environment through the PA as I test documents for end users that ask me if an attachment or link is safe. One of the zones on our firewall is for users in a public library to access the internet for free; I would say that it is safe to bet that multiple times per day those users are accessing phishing sites via the PA.

Thanks,

Chad

Hi vmChad,

We have an open FR to add URLs in DBL. Ask your SE to vote for you. That will serve the purpose.

Priority: Medium

FR ID: 3070


Regards,

Hardik Shah


I tried to use the XML API directly to get this working but there seems to be an issue with the API: Custom URL Category update via API returns "Edit breaks config validity" error.

However, I did get this to work with panxapi using this: using panxapi to update a custom-url-category profile from a file

Still, I like the idea of the Feature Request so the firewall can update the DBL directly.

Hardik, thank you for opening the FR. I really appreciate it.

Hi Vmchad,

Np... Let me know how conversation goes with SE.

Regards,

Hardik Shah
