09-01-2020 10:27 AM
I'm working through a best practices assessment and one of the recommendations is to create security policies to deny traffic inbound or outbound to the two default external dynamic lists: 'Palo Alto Networks - Known malicious IP addresses' and 'Palo Alto Networks - High risk IP addresses'. My concern, though, is that we have multiple sites connected via VPN, as well as numerous business critical connections. I would like to be able to put an exception in for these in advance, if possible, to make sure that if one of those critical IPs somehow gets added to the list we don't lose a connection to a remote site, or drop a vendor connection. Unfortunately, it doesn't appear that there's any option to add manual entries, or override the EDL. The next option that comes to mind, then, would be to put this deny rule after all the other allow rules, which somewhat defeats the point of a 'deny evil IPs' rule. Any thoughts, or suggestions?
09-01-2020 05:56 PM
I really wouldn't be too terribly worried about any IP address that you actually require for legitimate business functions making it onto these lists. I've actually never heard of anyone actually having any issue with that. If you want to ensure that these never affect those site-to-site tunnels, you could always include the security rulebase entries allowing access to those resources above the entries blocking access to the dynamic lists; assuming that these are static resources you already know the peer addresses, so just include the known peers in any policy above the EDLs.
Again, I wouldn't be too worried about something accidentally being included on this.
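As an added illustration of the ordering advice in the reply above (example code, not from the forum thread or Palo Alto Networks): a small first-match simulation of a PAN-OS style rulebase, using constructed EDL members and constructed peer addresses, that checks whether a known VPN peer or vendor host would be blocked if it were ever added to one of the two predefined lists.

```python
import ipaddress

# Constructed stand-ins for the two predefined EDLs; the real members come from the firewall.
EDLS = {
    "Palo Alto Networks - Known malicious IP addresses": {"198.51.100.0/24"},
    "Palo Alto Networks - High risk IP addresses": {"203.0.113.0/24"},
}
PEERS = ["192.0.2.10/32", "192.0.2.20/32"]   # constructed VPN peer addresses

# Hypothetical rulebase laid out as the reply suggests: rules as (name, action, sources,
# destinations); known peers sit above the EDL denies, the broad outbound allow below them.
RULEBASE = [
    ("allow-known-peers-out", "allow", ["any"], PEERS),
    ("allow-known-peers-in", "allow", PEERS, ["any"]),
    ("deny-edl-outbound", "deny", ["any"], list(EDLS)),
    ("deny-edl-inbound", "deny", list(EDLS), ["any"]),
    ("allow-outbound", "allow", ["10.0.0.0/8"], ["any"]),
]

def _matches(addr, entries, edls):
    """True if addr falls under any entry: 'any', a CIDR, or an EDL name (expanded)."""
    ip = ipaddress.ip_address(addr)
    for entry in entries:
        if entry == "any":
            return True
        if any(ip in ipaddress.ip_network(n, strict=False) for n in edls.get(entry, {entry})):
            return True
    return False

def first_match(rulebase, src, dst, edls):
    """PAN-OS style evaluation: the first matching rule decides, else the default deny."""
    for name, action, sources, destinations in rulebase:
        if _matches(src, sources, edls) and _matches(dst, destinations, edls):
            return name, action
    return "interzone-default", "deny"

def peers_at_risk(rulebase, hosts, edls, inside="10.1.1.1"):
    """Add each host to every EDL in turn and report those that a deny rule would
    then catch in either direction, i.e. hosts that still need an allow above the denies."""
    at_risk = {}
    for label, ip in hosts.items():
        poisoned = {edl: members | {ip + "/32"} for edl, members in edls.items()}
        outbound = first_match(rulebase, inside, ip, poisoned)
        inbound = first_match(rulebase, ip, inside, poisoned)
        denied = {d: r for d, (r, a) in [("outbound", outbound), ("inbound", inbound)] if a == "deny"}
        if denied:
            at_risk[label] = denied
    return at_risk
```

Running `peers_at_risk(RULEBASE, {"branch-vpn": "192.0.2.10", "vendor": "192.0.2.99"}, EDLS)` reports only the vendor host, which has no allow rule above the EDL denies; the EDL deny rules still catch listed addresses that no earlier rule permits.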