
Dynamic Block List Site


Not applicable

Is there a list of known bad IP addresses? I would like to include a dynamic block list in my policy but I don't have a list of known bad IP addresses. Does Palo Alto have a canned list of IPs that I can reference to insert into my policy?

Accepted Solutions

I filed a feature request a long time ago to have a feature known as a reputation-based (DNS/IP) block list, which works very well with one of the top IPS vendors in the market.

Until now nothing has been implemented, although BrightCloud already has a reputation-based database which could be a source for this feature.

http://brightcloud.com/toc/webreputation.php


Not applicable

Palo Alto doesn't have a database of bad IPs. You may use spamhaus.org to obtain that information, but that would be a lot of work for you. I think the best practice for you is to focus on specific bad IPs that are hitting your firewall and create a policy based on that.

Hopefully this should be doable with PANDB or similar.

As a workaround you can download bad IPs from places like http://support.clean-mx.de/clean-mx/viruses.php, among others, create a txt file with the bad IPs, and use the dynamic rule stuff in PAN-OS 5.x (where I think it was introduced), where the firewall every 5 minutes (or so, depending on the setting) will download this IP list from your server and put it dynamically in a group, which is then used to either allow or deny traffic.
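Added example, not part of the original posts: one way to build the text file this workaround describes, merging third-party feeds while rejecting entries that would block your own networks or far too much address space. The function names, the `PROTECTED` ranges, the `min_prefix` threshold and the one-entry-per-line IPv4/CIDR output format are assumptions; the sample feeds are constructed.

```python
import ipaddress
import os
import tempfile

# Ranges that must never be blocked (assumption: replace with your own networks).
PROTECTED = [ipaddress.ip_network(n) for n in
             ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def build_block_list(feeds, protected=PROTECTED, min_prefix=16):
    """Merge raw feed texts into (entries, rejected) for a one-entry-per-line list."""
    nets, rejected = [], []
    for text in feeds:
        for line in text.splitlines():
            fields = line.split("#", 1)[0].split()  # drop comments, extra columns
            if not fields:
                continue
            token = fields[0]
            try:
                net = ipaddress.ip_network(token, strict=False)
            except ValueError:
                rejected.append((token, "unparseable"))
                continue
            if net.version != 4:
                rejected.append((token, "not IPv4"))
            elif net.prefixlen < min_prefix:        # e.g. 0.0.0.0/0 in a bad feed
                rejected.append((token, "too broad"))
            elif any(net.overlaps(p) for p in protected):
                rejected.append((token, "protected range"))
            else:
                nets.append(net)
    # collapse_addresses de-duplicates and drops entries covered by a wider one
    merged = ipaddress.collapse_addresses(nets)
    entries = [str(n.network_address) if n.prefixlen == 32 else str(n) for n in merged]
    return entries, rejected

def publish(entries, path):
    """Write the list atomically so the firewall never fetches a partial file."""
    if not entries:
        raise ValueError("refusing to publish an empty block list")
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    with os.fdopen(fd, "w") as fh:
        fh.write("\n".join(entries) + "\n")
    os.chmod(tmp, 0o644)  # mkstemp creates 0600; the web server must read it
    os.replace(tmp, path)

# Constructed sample feeds (documentation addresses, not real indicators).
FEED_A = "# constructed\n203.0.113.7\n203.0.113.7\n198.51.100.0/24\n10.1.2.3\nnot-an-ip\n"
FEED_B = "203.0.113.9  # note\n0.0.0.0/0\n192.168.1.10\n2001:db8::1\n198.51.100.23\n"

if __name__ == "__main__":
    entries, rejected = build_block_list([FEED_A, FEED_B])
    print("\n".join(entries))
```

Log the `rejected` list on every run: a feed that suddenly contains private or very broad ranges is a sign it is broken or has been tampered with.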

L5 Sessionator

Hi everyone,

Thanks for your comments - as mentioned, Palo Alto Networks does not have a downloadable list of bad/malicious IP addresses for people to import.  Instead, as our threat team identifies malware, they automatically take any URL or IP associated with that threat and will include it as part of the PAN-DB URL filtering database. 

There are certainly a number of 3rd party vendors such as spamhaus.org that provide downloadable lists that you are welcome to use with the dynamic block list feature.

--Doris

L3 Networker

Use at your own risk, but below are some sites to test the dynamic block. It's not a long list, but it's a simple txt.

Make sure you create a service route for the DNS, then select the dynamic block object as destination and test with ping before & after.

http://www.ciarmy.com/list/ci-badguys.txt

http://www.malwaredomainlist.com/hostslist/ip.txt

Doris,

I am new to Palo Alto.  Getting asked this same question about IP Reputation lists.   I assume that your reply would still be the same today.   Need to get back to the customer and just want to confirm.

Thanks...

Mike
