
PAN-OS 7.1 URL Filtering - Dynamic Block List - External Block List EDL

by on ‎03-09-2016 12:46 PM - edited on ‎10-04-2016 08:15 PM by (27,422 Views)

In earlier versions of PAN-OS, Dynamic Block Lists (also called External Dynamic Lists, EDL, or External Block Lists, EBL) allowed a firewall administrator to block a list of IP subnets or ranges based on an external file containing the IPs.


Starting with PAN-OS 7.1, this kind of blocking has become easier than ever with the introduction of URLs as a separate list type.

 

 

Requirements

  • Each URL list is treated as a category, using the name of the list as the category name.
  • Those categories are available in URL filtering profiles and in the security rules.
  • Updates can be set to 5 minutes, hourly, daily, weekly, or monthly.
  • If a 5-minute interval is set, only changes to list content will trigger a commit, and only once-per-hour.
  • If the list is updated on the external site, but it’s not seen on the local firewall, check the config audit/candidate config to see the new items pulled from the list.
  • The URL list can be hosted on an HTTPS site. Full certificate validation is performed (CA validation, CN/SAN check, expiration check, OCSP, and CRL).

Hardware specs

PA-200, PA-500, PA-2000, PA-3000, PA-4000 and PA-VM platforms

  • 30 lists combined (IP + DNS + URL).
  • 50,000 IPs total with no individual list limitation.
  • 50,000 total DNS + URLs combined, no limit per list.

PA-5000 & PA-7000 series

  • 30 lists combined (IP + DNS + URL).
  • 150,000 IPs total with no individual list limitation.
  • 50,000 total DNS + URLs combined, no limit per list.

Note: If more than the maximum of 50K URLs are used, the firewall will use the first 50K and truncate the rest of the list. A system log is generated for this event.

 

Configuration

Step 1. To create a new external list, navigate to Objects > External Dynamic Lists > Add. I used 'Bad Mojo' as the name. Add the external Source; I used "http://www.example.com/url-list.txt". Also notice the 'Repeat' setting, which is set to 'Five Minute' as the refresh rate for this external list.

 

Step 2. To create a new URL Filtering Profile, go to Objects > Security Profiles > URL Filtering and add a new profile. Scroll to the bottom to see the newly created list.
Note: The action is 'allow' for new profiles created after the EDL is created.

 

Step 3. To edit an existing profile, choose Objects > Security Profiles > URL Filtering and click the profile name to edit it.
Note: The action is 'none' until an admin changes it, the same behavior as for custom URL categories.

 

Step 4. In the Security Policy view (Policies > Security), click a rule name to edit the rule; on the Service/URL Category tab you will see the Bad Mojo list under External Dynamic Lists:

 

Step 5. Commit to enable this list. 

 

List format requirements

  • List must be a plain text document (no HTML, no PDF, etc.).
  • A scheme is optional; if one is found it will be truncated, even if it is incomplete.
  • http:// is not needed.
  • Wildcards (*) are supported.
  • Maximum length per line is 1024 characters.
  • Double-byte characters not supported.
  • If specifying a domain, use both formats (as with custom URL categories):
    • example.com
    • *.example.com
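The format rules above, plus the 50K-entry cap from the hardware specs, are easy to get wrong by hand, so a pre-publish check is worth having. The following is an added example, not code from the article or from Palo Alto Networks: it normalizes a list file the way the rules describe (strips complete or partial web schemes, rejects HTML, over-long and double-byte lines, truncates at the cap) and emits the "*.domain" companion for every bare domain. The exact scheme-stripping rule is an assumption; only http/https/ftp/ftps prefixes are recognized so that a "host:port" line is not mistaken for a scheme. The sample list is constructed.

```python
import re

# Limits quoted on the page: 1024 characters per line, and 50,000 URL/domain
# entries in total (the firewall keeps the first 50,000, drops the rest and
# writes a system log entry).
MAX_LINE_LEN = 1024
MAX_URL_ENTRIES = 50_000

# Web schemes, complete ("https://") or incomplete ("http:/", "http:"), are
# dropped because the page says the firewall truncates them either way.
# Only these schemes are recognized so that a "host:port" line is not mistaken
# for a scheme (an assumption; the page does not spell out the exact rule).
SCHEME_RE = re.compile(r"^(?:https?|ftps?):/{0,2}", re.IGNORECASE)

# Bare domain: dot-separated labels only, no path, no port, no wildcard.
# Such entries also need a "*.domain" line, as with custom URL categories.
BARE_DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z0-9-]+$", re.IGNORECASE)


def normalize_entry(raw: str) -> str:
    """Trim whitespace and strip any (possibly partial) scheme prefix."""
    return SCHEME_RE.sub("", raw.strip())


def validate_list(text: str) -> tuple[list[str], list[str]]:
    """Check raw list-file contents against the page's format requirements.

    Returns (accepted entries, problems). Accepted entries are normalized;
    each problem names the 1-based line number and the rule it breaks.
    """
    entries: list[str] = []
    problems: list[str] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if len(raw) > MAX_LINE_LEN:
            problems.append(f"line {lineno}: longer than {MAX_LINE_LEN} characters")
            continue
        if not raw.isascii():
            problems.append(f"line {lineno}: double-byte characters are not supported")
            continue
        entry = normalize_entry(raw)
        if not entry:
            continue  # blank line, nothing to add
        if entry.startswith("<"):
            problems.append(f"line {lineno}: looks like HTML; the list must be plain text")
            continue
        entries.append(entry)
    if len(entries) > MAX_URL_ENTRIES:
        problems.append(
            f"{len(entries)} entries exceed the {MAX_URL_ENTRIES} cap; "
            f"the firewall would keep only the first {MAX_URL_ENTRIES}"
        )
        entries = entries[:MAX_URL_ENTRIES]
    return entries, problems


def expand_domains(entries: list[str]) -> list[str]:
    """Add the '*.domain' companion for every bare domain, without duplicates."""
    out: list[str] = []
    seen: set[str] = set()
    for entry in entries:
        forms = (entry, f"*.{entry}") if BARE_DOMAIN_RE.match(entry) else (entry,)
        for form in forms:
            if form.lower() not in seen:
                seen.add(form.lower())
                out.append(form)
    return out


# Constructed sample list (not from the page) that exercises each rule.
SAMPLE_LIST = "\n".join([
    "http://www.example.com/url-list.txt",  # complete scheme, stripped
    "https:/example.net/bad/path",          # incomplete scheme, also stripped
    "example.org",                          # bare domain: needs *.example.org too
    "*.example.org",                        # already listed; must not be duplicated
    "*.cdn.example.com/*",                  # wildcards are allowed
    "\u4f8b\u3048.jp",                      # double-byte characters: rejected
    "<html><body>blocked</body></html>",    # HTML: rejected
    "x" * (MAX_LINE_LEN + 1),               # over the per-line limit: rejected
])

if __name__ == "__main__":
    accepted, issues = validate_list(SAMPLE_LIST)
    for line in expand_domains(accepted):
        print(line)
    for issue in issues:
        print("PROBLEM:", issue)
```

Run it against the file you are about to publish; anything under "PROBLEM:" would either be silently dropped by the firewall or, in the case of the cap, truncated with only a system log entry to tell you.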

 

CLI changes (creating dynamic block list)

Multi-vsys environment:
> set shared/<vsys vsys> external-list <tab>

{displays a list of current added lists }

<name>

 

> set shared/<vsys vsys1> external-list <name>

+ description description

+ url         url

+ type        type

> recurring   recurring

<Enter> Finish input

 

> set shared/<vsys vsys1> external-list <name> type <tab>

+ domain Domain List

+ ip IP List

+ url URL List

 

Single-vsys environment:
> set external-list <tab>

{displays a list of current added lists}

<name>

 

> set external-list <name>

+ description description

+ url       url

+ type      type

> recurring recurring

<Enter> Finish input

 

> set external-list <name> type <tab>

+ domain Domain List

+ ip IP List

+ url URL List

 

Panorama:
> set shared/<device-group dg name> external-list <tab>

{displays a list of current added lists}

<name>

 

> set shared/<device-group dg name> external-list <name>

+ description description

+ url       url

+ type      type

+ recurring recurring

<Enter> Finish input

 

> set shared/<device-group dg name> external-list <name> type <tab>

+ domain Domain List

+ ip IP List

+ url URL List


CLI changes (refresh & show commands)

> request system external-list show type

+ domain Domain list type

+ ip    IP list type

+ url   URL list type

 

> request system external-list show type url name <tab>

+ edl-url1  edl-url1

+ edl-url2  edl-url2

+ <name>    <name>

 

> request system external-list show type url name edl-url1

{displays list of URL entries}

 

> request system external-list refresh type

+ domain Domain list type

+ ip   IP list type
+ url  URL list type

 

> request system external-list refresh type url name <tab>

+ edl-url1 edl-url1
+ edl-url2 edl-url2
+ <name>   <name>

 

> request system external-list refresh type url name edl-url1

 

Panorama

When managing versions older than 7.1, only 'IP' type external block lists may be used.


Objects of type 'url' will be stripped from the config when pushed to a 7.0 or older PAN-OS version.

  • If a policy references a URL list type, commit will fail.

 

See also

PAN-OS 7.1 Resource List

 

 

Comments
by ascit
on ‎04-07-2016 05:05 PM

Can comments be added to the list?

by rkramer
on ‎05-11-2016 05:54 AM

Does this require a URL filtering license?

by Sean_Engelbrecht
on ‎11-11-2016 01:36 PM

I am trying to find documentation on how the firewalls react if/when they cannot reach the EDL?

 

I was about to commit the changes to some firewalls when that thought crossed my mind... 

 

Thanks

by Boehm
on ‎11-14-2016 12:23 AM

Hello,

 

It's simple, the firewall uses the old EDL. You can see this in syslog:

 

'EDL(xxxxxx) Unable to fetch external dynamic list. HTTP response code said error Using old copy for refresh.'

 

If you configure this for the first time, you can test fetching.

 

Ralf
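Because the firewall falls back to the old copy on its own, that syslog line is the only signal that a list has gone stale. As an added example (not from the article or from Palo Alto Networks), here is a small check that counts those messages per list name and names the lists that have failed repeatedly. The message text is the one quoted above; the timestamp/host framing of the sample lines is constructed and assumed.

```python
import re
from collections import Counter

# Message text quoted in the comment above; the list name sits in parentheses.
FETCH_FAIL_RE = re.compile(r"EDL\((?P<name>[^)]+)\) Unable to fetch external dynamic list")


def stale_edl_counts(lines) -> dict:
    """Count 'unable to fetch' events per list name over an iterable of log lines."""
    counts: Counter = Counter()
    for line in lines:
        match = FETCH_FAIL_RE.search(line)
        if match:
            counts[match.group("name")] += 1
    return dict(counts)


def lists_to_alert(lines, threshold: int = 2) -> list:
    """Names of lists that failed to refresh at least `threshold` times.

    A single miss is usually transient; repeated misses mean the firewall is
    enforcing a stale copy and nobody has noticed.
    """
    return sorted(name for name, n in stale_edl_counts(lines).items() if n >= threshold)


# Constructed sample log lines (timestamp/host framing is assumed; only the
# message text comes from the page): three misses for "Bad Mojo", one for a
# second list.
SAMPLE_SYSLOG = """\
Jan 03 12:00:01 fw01 EDL(Bad Mojo) Unable to fetch external dynamic list. HTTP response code said error Using old copy for refresh.
Jan 03 12:05:02 fw01 EDL(Bad Mojo) Unable to fetch external dynamic list. HTTP response code said error Using old copy for refresh.
Jan 03 12:05:03 fw01 EDL(partner-urls) Unable to fetch external dynamic list. HTTP response code said error Using old copy for refresh.
Jan 03 12:10:01 fw01 EDL(Bad Mojo) Unable to fetch external dynamic list. HTTP response code said error Using old copy for refresh.
Jan 03 12:10:04 fw01 commit job finished
""".splitlines()

if __name__ == "__main__":
    print(stale_edl_counts(SAMPLE_SYSLOG))  # {'Bad Mojo': 3, 'partner-urls': 1}
    print(lists_to_alert(SAMPLE_SYSLOG))    # ['Bad Mojo']
```

With a five-minute refresh, a threshold of two or three consecutive misses keeps a single HTTP hiccup from paging anyone while still catching a list that has been unreachable for a quarter of an hour.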

by mdyragos
on ‎11-21-2016 08:10 AM

"

  • If a 5-minute interval is set, only changes to list content will trigger a commit, and only once-per-hour.

"

 

Why would one want to use a 5 minute interval when the changes are only committed once per hour?  This sounds like it would consume needless cycles on the system.

by Boehm
on ‎11-21-2016 10:59 PM

Hello,

 

I think it is useful. Example: you use a 1h interval, 10 minutes after the last check the list on the external source was updated, the firewall will have this 50 minutes later. If you use a 5 minute interval, the firewall will have the changes only 5 minutes later. For security this can be important.

 

Generally I think the interval will depend on the dynamics of the external list, how often changes will occur.

 

I understand the points:

...

  • Updates can be set to 5 minutes, hourly, daily, weekly, or monthly.
  • If a 5-minute interval is set, only changes to list content will trigger a commit, and only once-per-hour.

...

so, if you select "hourly, daily, weekly, or monthly" the list content will generally be committed, independent of changes. If you select a 5-minute interval, then ONLY changes to list content will trigger a commit, and only once per hour.

 

Ralf

by
on ‎12-20-2016 02:16 PM

@rkramer,

Sorry for the long delay, I did not see this question. 

I have confirmed that no URL license is needed to get this to work.

by Sean_Engelbrecht
on ‎01-03-2017 12:40 PM

Is there any way to adjust the commit timer on the firewalls ?

 

We are working on streamlining some of our processes, and an hour delay may not be acceptable. We were thinking something like 15-20 minutes would be more palatable. 

 

--Sean Engelbrecht

 

by Boehm
on ‎01-03-2017 11:30 PM
Hello, I think no. Please contact your support. I agree with you that one hour in some cases may be too long. Also I think you should make a feature request. Ralf