Dynamic IP List import now failed

L6 Presenter

Re: Dynamic IP List import now failed

The recommendation is to use EDLs in two separate rules.

One to cover connections going out to the bad IPs.

One to cover connections coming from the bad IPs.

L3 Networker

Re: Dynamic IP List import now failed


Ok, so I add another rule and will end up with 2 rules:


1. trust to untrust w/those 2 lists as destination

2. untrust to trust w/those 2 lists as source


L3 Networker

Re: Dynamic IP List import now failed

Next question, can someone help me create a report to reference these two policies? I just want to know if it's getting hits and if so from where, how many, time, etc.

L5 Sessionator

Re: Dynamic IP List import now failed

Assuming you will be doing this locally on your firewall (not Panorama) the steps are somewhat straightforward.  There are several community articles and videos on the subject.  Of course, you will also need to enable logging on the relevant security policy rules as well before you will have any log data to run reports against.


https://live.paloaltonetworks.com/t5/Tutorials/Getting-Started-Custom-Reports/ta-p/69951

https://live.paloaltonetworks.com/t5/Management-Articles/Create-a-Custom-Report/ta-p/55143

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Create-and-Schedule-a-Custom-Repo...


You'll want to build something similar to the example report below but you will need to play with it until you're capturing exactly what you'd like.  Please be sure to include a query to match on the relevant security policy rules.


[Screenshot: Screen Shot 2018-02-09 at 10.04.21 AM.png, example custom report configuration]


Here are the set commands from my example report:


set shared reports IPBL-Report type traffic sortby repeatcnt
set shared reports IPBL-Report type traffic group-by day-of-receive_time
set shared reports IPBL-Report type traffic aggregate-by [ rule from src sport srcloc to dst dport dstloc action ]
set shared reports IPBL-Report type traffic values repeatcnt
set shared reports IPBL-Report period last-24-hrs
set shared reports IPBL-Report topn 100
set shared reports IPBL-Report topm 50
set shared reports IPBL-Report caption IPBL-Report
set shared reports IPBL-Report query "(rule eq 'example IPBL rule 1') or (rule eq 'example IPBL rule 2')"
set shared reports IPBL-Report description "PAN Dynamic IP Lists"


And the XML:


reports {
  IPBL-Report {
    type {
      traffic {
        sortby repeatcnt;
        group-by day-of-receive_time;
        aggregate-by [ rule from src sport srcloc to dst dport dstloc action ];
        values repeatcnt;
      }
    }
    period last-24-hrs;
    topn 100;
    topm 50;
    caption IPBL-Report;
    query "(rule eq 'example IPBL rule 1') or (rule eq 'example IPBL rule 2')";
    description "PAN Dynamic IP Lists";
  }
}
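As an added illustration (not part of the post above and not Palo Alto Networks code), here is the same logic the report expresses, a rule query followed by aggregate-by with repeatcnt as the value, run in Python over a few constructed traffic-log rows. The CSV layout and the rule names `outbound-PA-dynamic-BLOCK` / `inbound-PA-dynamic-BLOCK` are assumptions for the sample, not the firewall's real export format.

```python
import csv
import io
from collections import Counter

# Constructed sample log export (not real firewall data). The column names
# mirror the fields the report's aggregate-by clause uses.
SAMPLE_LOG = """receive_time,rule,from,src,sport,to,dst,dport,action
2018/03/14 09:12:01,outbound-PA-dynamic-BLOCK,trust,10.102.20.55,51000,untrust,183.81.171.242,443,deny
2018/03/14 09:12:05,outbound-PA-dynamic-BLOCK,trust,10.102.20.55,51001,untrust,183.81.171.242,443,deny
2018/03/14 11:40:17,inbound-PA-dynamic-BLOCK,untrust,198.51.100.7,40000,trust,203.0.113.10,22,deny
2018/03/14 12:01:44,allow-web,trust,10.102.20.56,52000,untrust,203.0.113.50,443,allow
"""

# Assumed names of the two EDL rules (the report's query clause).
IPBL_RULES = {"outbound-PA-dynamic-BLOCK", "inbound-PA-dynamic-BLOCK"}


def edl_hits(log_text, rules=IPBL_RULES):
    """Return {(day, rule, from, src, to, dst, dport, action): count}.

    Equivalent to: query "(rule eq A) or (rule eq B)",
    group-by day-of-receive_time, aggregate-by the listed fields,
    values repeatcnt. Source port is deliberately left out of the key
    so repeated connections from one host collapse into one row.
    """
    counts = Counter()
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["rule"] not in rules:  # only the two EDL rules count as hits
            continue
        day = row["receive_time"].split(" ")[0]
        key = (day, row["rule"], row["from"], row["src"],
               row["to"], row["dst"], row["dport"], row["action"])
        counts[key] += 1
    return counts


def top_n(counts, n=100):
    """sortby repeatcnt, topn N: most frequent aggregate rows first."""
    return counts.most_common(n)


def hits_per_rule(counts):
    """Quick answer to 'is either rule getting hits, and how many?'."""
    per_rule = Counter()
    for key, n in counts.items():
        per_rule[key[1]] += n
    return per_rule


if __name__ == "__main__":
    hits = edl_hits(SAMPLE_LOG)
    for key, n in top_n(hits):
        print(n, *key)
    print(dict(hits_per_rule(hits)))
```

An empty result here corresponds to the report's 'No matching records': either the rules have no traffic yet or logging is not enabled on them.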

L3 Networker

Re: Dynamic IP List import now failed

Thanks.


So I created the report locally on an HA pair that has the two rules configured and ran it for the past 24 hours but got 'No matching records.'   So to test I sent some traffic to one of the IPs on the list and ran the report again and it worked:


Day Received: Wed, Mar 14, 2018
Rule: outbound-PA-dynamic-BLOCK
Source Zone: trust
Source address: 10.102.20.55
Source Host Name: *******
Source Port: 0
Source Country: 10.0.0.0-10.255.255.255
Destination Zone: untrust
Destination address: 183.81.171.242
Destination Host Name: 183.81.171.242
Destination Country: Mongolia
Destination Port: 0
Action: deny

Thanks a ton bvandivier! One last question, where can I grab the XML of those reports so I can load it into another PA?

L2 Linker

Re: Dynamic IP List import now failed

"Palo Alto Networks - High-risk IP addresses: This list includes IP addresses that have recently been featured in threat activity advisories distributed by high-trust organizations"

 

Is there a list of these high-trust organizations available?
