Default EDLs and manual exceptions

L0 Member

I'm working through a best practices assessment and one of the recommendations is to create security policies to deny traffic inbound or outbound to the two default external dynamic lists: 'Palo Alto Networks - Known malicious IP addresses' and 'Palo Alto Networks - High risk IP addresses'. My concern, though, is that we have multiple sites connected via VPN, as well as numerous business critical connections. I would like to be able to put an exception in for these in advance, if possible, to make sure that if one of those critical IPs somehow gets added to the list we don't lose a connection to a remote site, or drop a vendor connection. Unfortunately, it doesn't appear that there's any option to add manual entries, or override the EDL. The next option that comes to mind, then, would be to put this deny rule after all the other allow rules, which somewhat defeats the point of a 'deny evil IPs' rule. Any thoughts, or suggestions?


Accepted Solutions
Cyber Elite

@JessicaDavis,

I really wouldn't be too terribly worried about any IP address that you actually require for legitimate business functions making it onto these lists. I've actually never heard of anyone having any issue with that. If you want to ensure that these never affect those site-to-site tunnels, you could always include the security rulebase entries allowing access to those resources above the entries blocking access to the dynamic lists; assuming that these are static resources you already know the peer addresses, so just include the known peers in any policy above the EDLs.

 

Again, I wouldn't be too worried about something accidentally being included on this. 

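The ordering advice above comes down to first-match evaluation: a rule allowing the known VPN peers placed above the EDL deny rules wins even if a peer address later shows up in a list. The script below is an added illustration, not code from this thread or from Palo Alto Networks. It simulates a top-down, first-match rulebase that references EDLs by name, then checks two things a practitioner would want before committing the deny rules: which critical peers would be blocked under a given rule order, and whether any critical peer currently appears in an EDL at all. All addresses, list contents and rule names are constructed (documentation ranges), and the EDL "known-malicious" deliberately contains one peer to model the scenario the question worries about.

```python
"""Simulate first-match rulebase evaluation with EDL references.

Constructed example: rule names, EDL contents and peer addresses are
placeholders, not the real Palo Alto Networks feeds or any customer data.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                      # "allow" or "deny"
    destinations: Tuple[str, ...]    # CIDRs, "edl:<name>" references, or "any"


# Constructed EDL contents. The critical peer 198.51.100.10 is included in
# "known-malicious" on purpose to model a legitimate address landing on a feed.
EDLS: Dict[str, List[str]] = {
    "known-malicious": ["203.0.113.0/24", "198.51.100.10"],
    "high-risk": ["192.0.2.0/24"],
}

# Constructed static VPN peer addresses the business depends on.
CRITICAL_PEERS: List[str] = ["198.51.100.10", "198.51.100.20"]


def _matches(dst: ipaddress.IPv4Address, entry: str, edls: Dict[str, List[str]]) -> bool:
    """True if dst is covered by a CIDR entry, an EDL reference, or 'any'."""
    if entry == "any":
        return True
    if entry.startswith("edl:"):
        # Resolve the list at evaluation time, as the firewall does on refresh.
        return any(_matches(dst, e, edls) for e in edls[entry[len("edl:"):]])
    return dst in ipaddress.ip_network(entry, strict=False)


def first_match(rulebase: List[Rule], dst_ip: str, edls: Dict[str, List[str]] = EDLS) -> Optional[Rule]:
    """Return the first rule whose destination covers dst_ip, or None."""
    dst = ipaddress.ip_address(dst_ip)
    for rule in rulebase:
        if any(_matches(dst, d, edls) for d in rule.destinations):
            return rule
    return None


def peers_at_risk(rulebase: List[Rule], peers: List[str], edls: Dict[str, List[str]] = EDLS) -> List[str]:
    """Critical peers that the rulebase, as ordered, would deny (or not match)."""
    at_risk = []
    for peer in peers:
        rule = first_match(rulebase, peer, edls)
        if rule is None or rule.action == "deny":
            at_risk.append(peer)
    return at_risk


def edl_overlap(edls: Dict[str, List[str]], peers: List[str]) -> List[Tuple[str, str]]:
    """(peer, edl_name) pairs for every critical peer found inside an EDL."""
    hits = []
    for peer in peers:
        addr = ipaddress.ip_address(peer)
        for name, entries in edls.items():
            if any(addr in ipaddress.ip_network(e, strict=False) for e in entries):
                hits.append((peer, name))
    return hits


# Order recommended in the thread: known peers allowed above the EDL denies.
RECOMMENDED: List[Rule] = [
    Rule("allow-known-peers", "allow", tuple(CRITICAL_PEERS)),
    Rule("deny-edl-known-malicious", "deny", ("edl:known-malicious",)),
    Rule("deny-edl-high-risk", "deny", ("edl:high-risk",)),
    Rule("allow-general-outbound", "allow", ("any",)),
]

# Same rules with the EDL denies placed first, i.e. no exception ahead of them.
EDL_FIRST: List[Rule] = [RECOMMENDED[1], RECOMMENDED[2], RECOMMENDED[0], RECOMMENDED[3]]


if __name__ == "__main__":
    for label, rb in (("recommended order", RECOMMENDED), ("EDL denies first", EDL_FIRST)):
        print(f"{label}: peers at risk = {peers_at_risk(rb, CRITICAL_PEERS)}")
    print("peers currently present in an EDL:", edl_overlap(EDLS, CRITICAL_PEERS))
```

With the recommended order the peer that sits in the constructed "known-malicious" list is still allowed by the exception rule, while an unrelated listed address is still denied; moving the EDL denies above the exception is what actually breaks the tunnel. The `edl_overlap` check is the pre-commit step: run it against the current list contents before enabling the deny rules so any overlap is known rather than discovered as an outage.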


