I'd love to integrate lists of known malicious IPs like those in the links below into dynamic block lists, but I'm worried about overblocking or a bad feed hosing us. Has anyone used feeds similar to the ones below, either free or paid? What was your experience?
In my experience, using a dynamic blocklist is a good mechanism since malicious sources frequently change. When it comes to over-blocking, I have actually only run into a couple of cases where we ended up blocking an IP address that was actually legitimate. Overall my experience is that they are reliable.
Those are OK to test, but most of the free ones really are not comprehensive enough. I've actually had some customers use OpenDNS (paid), ThreatSTOP and others to get DNS or other larger-type block lists.
Typically the block lists are really useful if an organization has a large threat feed (govt / DoD etc.) or is an enterprise with a large SOC / security analysis / incident response team that can actually manage the block list. Otherwise, if you don't have the manpower, then use the PAN-DB malware category (only as good as Palo Alto's threat feed) along with other threat feeds / security appliances / solutions etc. for defense in depth.
If you are worried about false positives you can still set up the blacklist but set your policy to permit with logging. Then take a look at the logs and see what would have been dropped before changing the action to deny.
setup external block lists
Thanks, Steven Puluka. That will be a little tough in our environment, but should give us at least some insight.
I wish there were a "log, continue" option that I could just place at the top of the shared pre-rules in Pano. Once traffic hit that rule, it wouldn't permit or deny, but simply create a log entry and continue down the ruleset.
email@example.com - Wow, I didn't realize OpenDNS offered a threat feed compatible with Palo's DBLs. I actually sat in a presentation by the OpenDNS guys at DEFCON this year. They're doing some amazing work. Thanks!
I'd love to integrate lists of known malicious IPs too.
Is anyone using a PowerShell script to automate the deployment?
I'm trying to use the "Invoke-WebRequest" cmdlet to insert the IP address from the .txt file into a dynamic address group:
$cmd = "<uid-message><version>2.0</version><type>update</type><payload><register><entry ip=`"$ip`"><tag><member>blacklist</member></tag></entry></register></payload></uid-message>"
Invoke-WebRequest "$HostPA/api/?type=user-id&action=set&key=$apikey&cmd=$([uri]::EscapeDataString($cmd))"
I'd like to integrate the malicious IP addresses from panwdbl
Thanks in advance
Something we've run into with numerous customers using indeni to watch their PANW's:
They set up a dynamic block list, but then don't notice when the fetching of that list fails. It's basically a job that fails with the message "Unable to fetch external list. Using old copy for refresh." (see What Happens if the Server Configured for Dynamic Block Lists Becomes Unreachable?)
So keep your eye out for that.
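The worries raised in this thread (overblocking, a bad feed, and a fetch that quietly falls back to an old copy) can be checked on a staging host before a list is published for the firewall to pull. The following is an added example, not code from any poster or from Palo Alto Networks; the never-block ranges, the thresholds, the function names and the sample entries are assumptions and constructed data.

```python
import ipaddress

# Assumptions, not values from the thread: ranges that must never be blocked
# (RFC 1918, loopback, plus a hypothetical own public range) and two thresholds.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "203.0.113.0/24")]
MIN_PREFIX = {4: 16, 6: 32}   # refuse entries broader than this
MAX_CHANGE = 0.5              # hold the update if list size moves more than 50%

def parse_feed(text):
    """Split a one-entry-per-line feed into (accepted networks, rejected lines)."""
    nets, rejected = set(), []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            rejected.append((line, "not an IP or CIDR"))
            continue
        if net.prefixlen < MIN_PREFIX[net.version]:
            rejected.append((line, "prefix too broad"))
        elif any(net.version == nb.version and net.overlaps(nb) for nb in NEVER_BLOCK):
            rejected.append((line, "overlaps never-block range"))
        else:
            nets.add(net)
    return nets, rejected

def vet_feed(new_text, last_good):
    """Return (networks to publish, status, rejected) for a freshly fetched feed."""
    if not new_text or not new_text.strip():
        # Fetch failed or came back empty: keep serving the old copy, but say so.
        return last_good, "stale", []
    nets, rejected = parse_feed(new_text)
    if last_good and abs(len(nets) - len(last_good)) > MAX_CHANGE * len(last_good):
        return last_good, "held", rejected    # suspicious size swing, needs review
    return nets, "ok", rejected

# Constructed sample data using documentation address ranges.
LAST_GOOD = {ipaddress.ip_network(n) for n in
             ("198.51.100.7", "198.51.100.8", "192.0.2.0/28")}
SAMPLE_FEED = "198.51.100.7\n198.51.100.9\n192.0.2.0/28\n10.1.2.3\n0.0.0.0/0\n203.0.113.10\nnot-an-ip\n"

if __name__ == "__main__":
    nets, status, rejected = vet_feed(SAMPLE_FEED, LAST_GOOD)
    print(status, sorted(map(str, nets)), rejected)
```

A "stale" or "held" status is the signal to alert on, so a failed or suspicious refresh does not go unnoticed while the old list keeps being served.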