Blocking lists of IPs

Not applicable

I'd like to block a list of IP addresses based on the ZeuS IP Blocklist.  What is the best/preferred method for doing this on the Palo Alto?  Thanks

Accepted Solutions

L5 Sessionator

Here are some details on Dynamic Block Lists:

Use the Dynamic Block Lists page to create an address object based on an imported list of IP addresses. The source of the list must be a text file and must be located on a web server. You can set the Repeat option to automatically update the list on the device hourly, daily, weekly, or monthly. After creating a dynamic block list object, you can then use the address object in the source and destination fields for security policies. Each imported list can contain up to 5,000 IP addresses (IPv4 and/or IPv6), IP ranges, or subnets.

The list must contain one IP address, range, or subnet per line, for example:

“192.168.80.150/32” indicates one address, and “192.168.80.0/24” indicates all addresses from 192.168.80.0 through 192.168.80.255.

Example:

“2001:db8:123:1::1” or “2001:db8:123:1::/64”

IP Range:

To specify an address range, select IP Range, and enter a range of addresses. The format is:

ip_address - ip_address

where each address can be IPv4 or IPv6.

Example:

“2001:db8:123:1::1 - 2001:db8:123:1::22”

Field: Description

Name: Enter a name to identify the Dynamic Block List (up to 32 characters). This name will appear when se...

Description: Enter a description for the block list (up to 255 characters).

Source: Enter an HTTP or HTTPS URL path that contains the text file. For example, http:\\1.1.1.1\myfile.txt....

Repeat: Specify the frequency at which the list should be imported. You can choose hourly, daily, weekly, or...

Test Source URL: Test that the source URL or server path is available.
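The format described above (one address, CIDR subnet, or "start - end" range per line, at most 5,000 entries) is easy to get wrong when a list is assembled from several feeds, and a malformed file is only discovered when the firewall fails to import it. As an added example (not part of this thread or of Palo Alto's documentation), here is a Python checker that validates a list file before it is published to the web server the firewall fetches from. Skipping blank and "#" comment lines, and rejecting a subnet whose host bits are set as a probable typo, are this checker's own assumptions, not documented PAN-OS rules.

```python
import ipaddress
import sys

MAX_ENTRIES = 5000  # per-list limit quoted in the post


def parse_entry(text):
    """Parse one entry in the three forms the post describes.

    Returns ("address", ip), ("subnet", network) or ("range", start, end);
    raises ValueError for anything else.
    """
    if "-" in text:  # IPv6 text never contains '-', so this test is safe
        start_s, end_s = (part.strip() for part in text.split("-", 1))
        start = ipaddress.ip_address(start_s)
        end = ipaddress.ip_address(end_s)
        if start.version != end.version:
            raise ValueError("range endpoints mix IPv4 and IPv6")
        if end < start:
            raise ValueError("range end precedes range start")
        return ("range", start, end)
    if "/" in text:
        # strict=True rejects e.g. 10.0.0.9/24 ("has host bits set"); treating
        # that as a likely typo is this checker's choice (assumption).
        return ("subnet", ipaddress.ip_network(text, strict=True))
    return ("address", ipaddress.ip_address(text))


def validate_blocklist(text):
    """Check a whole list file.

    Returns (entries, errors); an empty errors list means the file matches
    the format and stays within the entry limit.
    """
    entries, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # assumption: blank and '#' comment lines are ignored
        try:
            entries.append(parse_entry(line))
        except ValueError as exc:
            errors.append(f"line {lineno}: {line!r}: {exc}")
    if len(entries) > MAX_ENTRIES:
        errors.append(f"{len(entries)} entries exceed the {MAX_ENTRIES}-entry limit")
    return entries, errors


# Constructed sample: the post's own examples plus three deliberately bad lines
# (an impossible octet, a subnet with host bits set, and a reversed range).
SAMPLE_LIST = """\
# constructed test list
192.168.80.150/32
192.168.80.0/24
2001:db8:123:1::1
2001:db8:123:1::/64
2001:db8:123:1::1 - 2001:db8:123:1::22
192.168.80.256
10.0.0.9/24
2001:db8:123:1::22 - 2001:db8:123:1::1
"""

if __name__ == "__main__":
    # Usage: python check_blocklist.py [list.txt]; without a file the sample runs.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            data = fh.read()
    else:
        data = SAMPLE_LIST
    good, bad = validate_blocklist(data)
    print(f"{len(good)} valid entries, {len(bad)} problems")
    for problem in bad:
        print("  " + problem)
    sys.exit(1 if bad else 0)
```

Run it against the file before the web server publishes it, or as a step in whatever job regenerates the list; a non-zero exit stops a broken list from reaching the firewall's next scheduled import.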

5 REPLIES

L2 Linker

You can partially automate this with a small bash script that reads the ZeuS IP blocklist and creates the CLI commands to modify the firewall.

#!/bin/bash
#
# Emit PAN-OS CLI commands for every address in zeus.txt (one IP per line).
seq=1
today=$(date +%m/%d/%Y)
#
echo "set cli scripting-mode on"
echo "configure"
#
description="zeus $today"
#
# Lines that do not start with a digit (the comment lines in the ZeuS list) are skipped.
for ip in $(egrep '^[1-9]' zeus.txt); do
    name="zeus_${seq}"
    echo "set address $name description \"$description\" ip-netmask $ip"
    echo "set address-group bad_guys [ $name ]"
    seq=$(($seq + 1))
done
#
echo " "
echo "commit"
echo "save config"

With a shortened zeus file, the output is:

set cli scripting-mode on
configure
set address zeus_1 description "zeus 08/28/2012" ip-netmask 103.11.74.6
set address-group bad_guys [ zeus_1 ]
set address zeus_2 description "zeus 08/28/2012" ip-netmask 108.163.232.202
set address-group bad_guys [ zeus_2 ]
set address zeus_3 description "zeus 08/28/2012" ip-netmask 108.163.247.74
set address-group bad_guys [ zeus_3 ]
set address zeus_4 description "zeus 08/28/2012" ip-netmask 109.127.8.242
set address-group bad_guys [ zeus_4 ]
set address zeus_5 description "zeus 08/28/2012" ip-netmask 109.127.8.246
set address-group bad_guys [ zeus_5 ]
set address zeus_6 description "zeus 08/28/2012" ip-netmask 109.169.58.188
set address-group bad_guys [ zeus_6 ]
set address zeus_7 description "zeus 08/28/2012" ip-netmask 109.202.98.26
set address-group bad_guys [ zeus_7 ]

commit
save config

Manually enter "set cli scripting-mode on" so that you can easily cut-n-paste the script output into the PA command line.  Then, cut-n-paste everything but the commit and save commands.  If you do not get errors, perform the commit and save.  This does require the presence of existing security policies that block traffic to and from the group bad_guys.

This can be further automated using Expect or the API once you are confident things are working.  Note there is (or was) a limit of 500 objects in a group.  But, you can use groups of groups to get around that.  The scripting does get more complex.  At that point, a better scripting language is in order.

PAN-OS 5.0 has a new feature called "Dynamic Block Lists". We have not yet tested the functionality but it looks like the answer to your need.
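The reply above stops short of the "groups of groups" workaround for the 500-object-per-group limit, noting that a better scripting language is in order at that point. As an added example (mine, not the reply's script or anything from Palo Alto), here is the same generator in Python: it reads the list, fills address groups up to a configurable limit, and then nests those groups in the parent group the security policies reference. It follows the command syntax shown in the reply's output; address-group syntax has changed across PAN-OS versions, so check the generated commands against your version before pasting them. The sample list is constructed from the seven addresses in the reply's output, and the limit of 3 in the usage line exists only to show the chunking on a short list.

```python
import datetime
import ipaddress

GROUP_LIMIT = 500  # per-group object limit the reply mentions


def load_ips(text):
    """Return the address entries of a ZeuS-style list, skipping blank and
    '#' comment lines (what the reply's egrep '^[1-9]' achieves)."""
    ips = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ipaddress.ip_network(line, strict=False)  # raises ValueError on junk
        ips.append(line)
    return ips


def chunked(items, size):
    """Yield consecutive slices of at most `size` items."""
    for start in range(0, len(items), size):
        yield items[start:start + size]


def build_commands(ips, prefix="zeus", parent="bad_guys", today=None, limit=GROUP_LIMIT):
    """Build the PAN-OS CLI commands in the form the reply's output shows.

    Objects are spread over groups <parent>_1, <parent>_2, ... of at most
    `limit` members each; those groups are then added to <parent>, which is
    the group the existing security policies must already reference.
    """
    today = today or datetime.date.today().strftime("%m/%d/%Y")
    description = f"{prefix} {today}"
    commands = ["set cli scripting-mode on", "configure"]
    subgroups = []
    seq = 1
    for index, block in enumerate(chunked(ips, limit), 1):
        group = f"{parent}_{index}"
        subgroups.append(group)
        for ip in block:
            name = f"{prefix}_{seq}"
            commands.append(f'set address {name} description "{description}" ip-netmask {ip}')
            commands.append(f"set address-group {group} [ {name} ]")
            seq += 1
    for group in subgroups:  # groups of groups: nest each sub-group in the parent
        commands.append(f"set address-group {parent} [ {group} ]")
    commands += ["commit", "save config"]
    return commands


# Constructed sample: the seven addresses from the reply's output, plus a comment line.
SAMPLE_ZEUS = """\
# constructed sample list
103.11.74.6
108.163.232.202
108.163.247.74
109.127.8.242
109.127.8.246
109.169.58.188
109.202.98.26
"""

if __name__ == "__main__":
    # limit=3 only to show the chunking on seven entries; use the default in practice.
    for command in build_commands(load_ips(SAMPLE_ZEUS), today="08/28/2012", limit=3):
        if command == "commit":
            print()  # blank line before commit/save, as in the reply, so they can be pasted separately
        print(command)
```

As with the bash version, paste everything up to the blank line first, check for errors, and only then paste the commit and save commands.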

L5 Sessionator

Here is another link for Dynamic Block Lists and Spamhaus:

https://live.paloaltonetworks.com/docs/DOC-4146

Hopefully this helps.

Thank you

Numan

Not applicable

Thanks everyone for the responses.  We've been actively using the dynamic block list feature since the 5.0 release (I guess I forgot to update this thread).  We've been working with support on 1 issue we've been seeing when using the Spamhaus list.
