Dynamic Block List Question.


L3 Networker

 

Hello Community,

 

Blacklist (such as IP Void or SpamHaus) with a suggestion that we should block that IP.  

I'm hoping there's a way that we can leverage such a blacklist - for example, to have a rule in the FW that references an existing Blacklist (such as IP Void) and is able to dynamically update based upon the published list.  

I know that the Palo Alto has a 'Dynamic Block List' option, but I'm not sure if there's a way to use that to make this work or not. Any insights or feedback you could provide would be appreciated.

 

Best Regards


Accepted Solutions

Hello,

PAN does their own and it's incorporated into one of the other features, so yes it does this for you if you already have dynamic updates available.

 

Here is what I setup on mine:

 

Source on PAN support:

https://live.paloaltonetworks.com/message/54183#54183

 

Sans notes on this:

https://isc.sans.edu/forums/diary/Subscribing+to+the+DShield+Top+20+on+a+Palo+Alto+Networks+Firewall...

 

Others listed on this site:

http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt

http://malc0de.com/bl/IP_Blacklist.txt

http://panwdbl.appspot.com/lists/openbl.txt

http://panwdbl.appspot.com/

 

 

Need to add?

http://cinsscore.com/list/ci-badguys.txt

 

Hope this helps!
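
A firewall rule that references one of the external text lists above blocks whatever that list publishes, so it can be worth filtering a feed before the firewall fetches it. The Python below is an added example, not part of the original post and not Palo Alto Networks code; it assumes a one-entry-per-line IP/CIDR text format with `#` or `;` comments, and the protected ranges, prefix thresholds and sample feed are constructed values.

```python
import ipaddress

# Ranges an external feed must never block. Constructed sample values:
# RFC 1918 space, loopback, and a documentation range standing in for "our" range.
PROTECTED = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "198.51.100.0/24")]
# Hypothetical policy: refuse entries broader than these prefix lengths.
MIN_PREFIX = {4: 16, 6: 32}

def sanitize_feed(text, protected=PROTECTED, min_prefix=MIN_PREFIX):
    """Return (accepted_cidrs, rejected) for a one-entry-per-line IP/CIDR feed."""
    accepted, rejected = set(), []
    for lineno, raw in enumerate(text.splitlines(), 1):
        # Assumed feed format: '#' or ';' starts a comment.
        entry = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            rejected.append((lineno, entry, "not an IP or CIDR"))
            continue
        if net.prefixlen < min_prefix[net.version]:
            rejected.append((lineno, entry, "prefix too broad"))
        elif any(net.overlaps(p) for p in protected if p.version == net.version):
            rejected.append((lineno, entry, "overlaps protected range"))
        else:
            accepted.add(net)
    merged = []
    for version in (4, 6):  # collapse_addresses cannot mix IP versions
        merged += ipaddress.collapse_addresses(n for n in accepted if n.version == version)
    return [str(n) for n in merged], rejected

SAMPLE_FEED = """\
# constructed sample feed, not real indicators
203.0.113.5
203.0.113.4   # trailing comment
192.0.2.0/25
192.0.2.128/25
10.1.2.3
198.51.100.77
0.0.0.0/0
not-an-ip
2001:db8::/48
"""

if __name__ == "__main__":
    cidrs, dropped = sanitize_feed(SAMPLE_FEED)
    print("\n".join(cidrs))
    for lineno, entry, reason in dropped:
        print(f"rejected line {lineno}: {entry!r} ({reason})")
```

The accepted list can then be published at a URL you control and used as the block list source, while the rejected entries are logged for review.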


8 REPLIES

Community Team Member

Hi,

 

That is possible.

 

First create your DBL:

 

[Screenshot: 2016-02-05_09-54-45.png]

 

After that you can simply refer to the DBL object in your security policy:

 

[Screenshot: 2016-02-05_09-56-41.png]

 

Hope this helps,

-Kim.

LIVEcommunity team member, CISSP
Cheers,
Kiwi

And the rule action should not be Allow as it is in the screenshot 🙂

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Kiwi,

 

Do you know if it is possible to update this file automatically? I mean, whether it is possible for this information to come from a third party or organization that publishes a blacklist, like rainbow tables.

 

best regards


I believe you just specify how often you want the list imported with the Repeat setting.  

Hello,

 

Do you know if PA has a blacklist file or site where I can update my DBL?

 

Best Regards

Not that I'm aware of.

But you can use OpenBL one for example.

www.openbl.org

The address has to contain the full address of the blacklist.

Like

http://www.openbl.org/lists/base_60days.txt

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

I'm sure they don't.  

