02-04-2016 03:28 PM
Hello Community,
Blacklist (such as IP Void or SpamHaus) with a suggestion that we should block that IP.
I'm hoping there's a way that we can leverage such a blacklist - for example, to have a rule in the FW that references an existing Blacklist (such as IP Void) and is able to dynamically update based upon the published list.
I know that the Palo Alto has a 'Dynamic Block List' option, but I'm not sure if there's a way to use that to make this work or not. Any insights or feedback you could provide would be appreciated.
Best Regards
02-05-2016 03:18 PM
Hello,
PAN does their own and it's incorporated into one of the other features, so yes it does this for you if you already have dynamic updates available.
Here is what I set up on mine:
Source on PAN support:
https://live.paloaltonetworks.com/message/54183#54183
Sans notes on this:
Others listed on this site:
http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt
http://malc0de.com/bl/IP_Blacklist.txt
http://panwdbl.appspot.com/lists/openbl.txt
Need to add?
http://cinsscore.com/list/ci-badguys.txt
Hope this helps!
02-05-2016 12:57 AM - edited 02-05-2016 12:58 AM
Hi,
That is possible.
First create your DBL:
After that you can simply refer to the DBL object in your security policy:
Hope this helps,
-Kim.
02-05-2016 02:53 AM
And rule action should not be Allow as it is on screenshot 🙂
02-05-2016 08:31 AM
Kiwi,
Do you know if it is possible to update this file automatically? I mean, whether it is possible for this information to come from a third party or organization that publishes a blacklist, like rainbow tables.
best regards
02-05-2016 09:32 AM
I believe you just specify how often you want the list imported with the Repeat setting.
02-05-2016 10:27 AM
Hello,
Do you know if PA has a blacklist file or site where I can update my DBL?
02-05-2016 12:38 PM
Not that I'm aware of.
But you can use OpenBL one for example.
Address has to contain full address to the blacklist.
Like
http://www.openbl.org/lists/base_60days.txt
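A pre-filter for a third-party list before the firewall imports it, as an added example that is not part of the thread and not Palo Alto code: it validates each entry and refuses anything that would block protected or overly broad ranges. It assumes a plain-text feed with one IPv4 address or CIDR per line and `#` comments; the sample feed, the protected ranges and the /16 limit are constructed for illustration.

```python
import ipaddress

# Constructed sample feed (documentation addresses, not real indicators).
SAMPLE_FEED = """\
# sample blocklist
203.0.113.7
198.51.100.0/24
10.1.2.3
203.0.113.7
not-an-ip
192.0.2.55   # trailing comment
0.0.0.0/0
"""

# Ranges that must never reach a deny rule: RFC 1918 space plus a
# hypothetical public range of our own (192.0.2.0/24 is an assumption).
PROTECTED = [ipaddress.ip_network(n) for n in
             ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "192.0.2.0/24")]
MIN_PREFIX = 16  # assumption: anything broader than a /16 is refused


def sanitize_feed(text, protected=PROTECTED, min_prefix=MIN_PREFIX):
    """Return (accepted networks, [(entry, reason), ...] for rejects)."""
    accepted, rejected = set(), []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()  # drop comments and padding
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            rejected.append((entry, "unparseable"))
            continue
        if net.prefixlen < min_prefix:
            rejected.append((entry, "too broad"))
        elif any(net.overlaps(p) for p in protected):
            rejected.append((entry, "protected range"))
        else:
            accepted.add(net)  # the set removes duplicates
    ordered = sorted(accepted, key=lambda n: (n.version, int(n.network_address), n.prefixlen))
    return ordered, rejected


def render(networks):
    """One entry per line; single hosts are written without a /32 suffix."""
    return "".join(
        (str(n.network_address) if n.prefixlen == n.max_prefixlen else str(n)) + "\n"
        for n in networks)
```

The rendered text can be published on an internal web server and used as the block list source, with the rejects logged for review.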
02-05-2016 12:40 PM - edited 02-05-2016 12:43 PM
I'm sure they don't.