08-28-2012 06:51 AM
I'd like to block a list of IP addresses based on the ZeuS IP Blocklist. What is the best/preferred method for doing this on the Palo Alto? Thanks
08-28-2012 01:11 PM
You can partially automate this with a small bash script that reads the ZeuS IP blocklist and creates the CLI commands to modify the firewall.
```bash
#!/bin/bash
#
# Turn the ZeuS IP blocklist (saved locally as zeus.txt) into PAN-OS CLI
# commands: one address object per IP, each added to the address-group
# "bad_guys". The output is meant to be pasted into the firewall CLI.
seq=1
today=$(date +%m/%d/%Y)
#
echo "set cli scripting-mode on"
echo "configure"
#
description="zeus $today"
#
# Only lines that start with a digit are addresses; the blocklist's
# comment lines start with '#'.
for ip in $(grep -E '^[1-9]' zeus.txt); do
    name="zeus_${seq}"
    echo "set address $name description \"$description\" ip-netmask $ip"
    echo "set address-group bad_guys [ $name ]"
    seq=$((seq + 1))
done
#
echo " "
echo "commit"
echo "save config"
```
With a shortened zeus file, the output is:
```text
set cli scripting-mode on
configure
set address zeus_1 description "zeus 08/28/2012" ip-netmask 103.11.74.6
set address-group bad_guys [ zeus_1 ]
set address zeus_2 description "zeus 08/28/2012" ip-netmask 108.163.232.202
set address-group bad_guys [ zeus_2 ]
set address zeus_3 description "zeus 08/28/2012" ip-netmask 108.163.247.74
set address-group bad_guys [ zeus_3 ]
set address zeus_4 description "zeus 08/28/2012" ip-netmask 109.127.8.242
set address-group bad_guys [ zeus_4 ]
set address zeus_5 description "zeus 08/28/2012" ip-netmask 109.127.8.246
set address-group bad_guys [ zeus_5 ]
set address zeus_6 description "zeus 08/28/2012" ip-netmask 109.169.58.188
set address-group bad_guys [ zeus_6 ]
set address zeus_7 description "zeus 08/28/2012" ip-netmask 109.202.98.26
set address-group bad_guys [ zeus_7 ]
commit
save config
```
Manually enter "set cli scripting-mode on" so that you can easily cut and paste the script output into the PA command line. Then, cut and paste everything but the commit and save commands. If you do not get errors, perform the commit and save. This does require the presence of existing security policies that block traffic to and from the group bad_guys.
This can be further automated using Expect or the API once you are confident things are working. Note there is (or was) a limit of 500 objects in a group. But, you can use groups of groups to get around that. The scripting does get more complex. At that point, a better scripting language is in order.
02-19-2013 09:33 AM
PAN-OS 5.0 has a new feature called "Dynamic Block Lists". We have not yet tested the functionality but it looks like the answer to your need.
02-19-2013 11:26 AM
Here are some details on Dynamic Block Lists.
Use the Dynamic Block Lists page to create an address object based on an imported list of IP addresses. The source of the list must be a text file and must be located on a web server. You can set the Repeat option to automatically update the list on the device hourly, daily, weekly, or monthly. After creating a dynamic block list object, you can then use the address object in the source and destination fields for security policies. Each imported list can contain up to 5,000 IP addresses (IPv4 and/or IPv6), IP ranges, or subnets.
The list must contain one IP address, range, or subnet per line, for example:
“192.168.80.150/32” indicates one address, and “192.168.80.0/24” indicates all addresses from 192.168.80.0 through 192.168.80.255.
Example:
“2001:db8:123:1::1” or “2001:db8:123:1::/64”
IP Range:
To specify an address range, select IP Range, and enter a range of addresses. The format is:
ip_address–ip_address
where each address can be IPv4 or IPv6.
Example:
“2001:db8:123:1::1 - 2001:db8:123:1::22”
Enter a description for the block list (up to 255 characters).
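As an added illustration (not code from this thread or from Palo Alto Networks), the following Python script ties the two approaches above together: it validates a blocklist file against the Dynamic Block List line format just described (one address, subnet or range per line, IPv4 or IPv6, at most 5,000 entries, comment lines skipped) and, for the CLI route, emits the same kind of `set` commands as the bash script while splitting objects into groups of at most 500 and collecting those groups under one parent group, the groups-of-groups workaround mentioned earlier. It assumes PAN-OS's `ip-range` address type for range entries (the bash script only uses `ip-netmask`), and the group names and the sample list are constructed for the example.

```python
import ipaddress

# Constructed sample in the Dynamic Block List text format (not real indicators).
SAMPLE_LIST = """\
# ZeuS-style IP blocklist (constructed sample); '#' starts a comment line
192.0.2.10
192.0.2.0/24
2001:db8:123:1::/64
2001:db8:123:1::1 - 2001:db8:123:1::22
not-an-address
"""
MAX_ENTRIES, GROUP_LIMIT = 5000, 500   # per-list and per-group limits from the thread

def parse_entry(line):
    """Return (object type, value), None for blank/comment, ValueError if invalid."""
    line = line.strip().replace("\u2013", "-")   # accept the en-dash range form too
    if not line or line.startswith("#"):
        return None
    if "-" in line:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in line.split("-", 1))
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"bad range: {line}")
        return ("ip-range", f"{lo}-{hi}")
    return ("ip-netmask", str(ipaddress.ip_network(line, strict=False)))

def validate_list(text):
    """Split a block list into accepted entries and rejected lines."""
    entries, rejected = [], []
    for line in text.splitlines():
        try:
            parsed = parse_entry(line)
        except ValueError:
            rejected.append(line.strip())
            continue
        if parsed:
            entries.append(parsed)
    if len(entries) > MAX_ENTRIES:
        raise ValueError(f"{len(entries)} entries exceeds the {MAX_ENTRIES} limit")
    return entries, rejected

def cli_commands(entries, prefix="zeus", parent="bad_guys", limit=GROUP_LIMIT):
    """Emit PAN-OS-style 'set' lines: one address object per entry, member
    groups of at most `limit` objects, one parent group holding those groups."""
    cmds = []
    for i, (kind, value) in enumerate(entries, 1):
        cmds.append(f"set address {prefix}_{i} {kind} {value}")
        cmds.append(f"set address-group {prefix}_grp_{(i - 1) // limit + 1} [ {prefix}_{i} ]")
    for g in range(1, (len(entries) + limit - 1) // limit + 1):
        cmds.append(f"set address-group {parent} [ {prefix}_grp_{g} ]")
    return cmds
```

Rejected lines are returned rather than silently dropped, so a malformed feed is visible before anything is pushed to the firewall; the security policy referencing the parent group still has to exist, as noted above.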
02-19-2013 11:33 AM
Here is another link for Dynamic Block Lists and Spamhaus:
https://live.paloaltonetworks.com/docs/DOC-4146
Hopefully this helps.
Thank you
Numan
02-21-2013 04:51 AM
Thanks everyone for the responses. We've been actively using the dynamic block list feature since the 5.0 release (I guess I forgot to update this thread). We've been working with support on 1 issue we've been seeing when using the Spamhaus list.