03-21-2013 07:46 AM
Is there a list of known bad IP addresses? I would like to include a dynamic block list in my policy but I don't have a list of known bad IP addresses. Does Palo Alto have a canned list of IPs that I can reference to insert into my policy?
03-21-2013 08:24 AM
I filed a feature request a long time ago for a feature known as a reputation-based (DNS/IP) block list, which works very well with one of the top IPS vendors in the market.
So far nothing has been implemented, although BrightCloud already has a reputation-based database which could be a source for this feature.
03-21-2013 08:09 AM
Palo Alto doesn't have a database of bad IPs. You may use spamhaus.org to obtain that information, but that would be a lot of work for you. I think the best practice for you is to focus on the specific bad IPs that are hitting your firewall and create a policy based on that.
03-21-2013 02:32 PM
Hopefully this should be doable with PANDB or similar.
As a workaround you can download bad IPs from places like http://support.clean-mx.de/clean-mx/viruses.php among others, create a txt file with the bad IPs and use the dynamic rule stuff in PAN-OS 5.x (I think it was introduced), where the firewall every 5 minutes (or so, depending on setting) will download this IP list from your server and put it dynamically in a group, which is then used to either allow or deny traffic.
03-21-2013 03:11 PM
Hi everyone,
Thanks for your comments - as mentioned, Palo Alto Networks does not have a downloadable list of bad/malicious IP addresses for people to import. Instead, as our threat team identifies malware, they automatically take any URL or IP associated with that threat and will include it as part of the PAN-DB URL filtering database.
There are certainly a number of 3rd party vendors such as spamhaus.org that provide downloadable lists that you are welcome to use with the dynamic block list feature.
--Doris
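The workaround described in the replies above (a self-hosted text file of third-party IPs that the firewall polls) works better if the feed is sanitized before it is published. The following is an added example, not part of any post in this thread and not Palo Alto Networks code; it assumes the hosted file holds one IPv4 address or CIDR per line, and `NEVER_BLOCK`, `min_prefix` and the sample feed are hypothetical values constructed for illustration.

```python
import ipaddress

# Constructed sample feed (documentation-range addresses, not real indicators).
SAMPLE_FEED = """\
# constructed third-party feed
203.0.113.7
203.0.113.7
192.0.2.5/28 ; trailing note
198.51.100.9
10.1.2.3
192.0.2.300
0.0.0.0/0
not-an-ip
"""

# Hypothetical: your own public range, which must never be blocked.
NEVER_BLOCK = [ipaddress.ip_network("198.51.100.0/24")]
# Address space that should not appear in an internet block list.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]

def build_blocklist(raw, never_block=NEVER_BLOCK, min_prefix=16):
    """Return (entries, rejected) for raw feed text; IPv4 only."""
    kept, rejected = set(), []
    for line in raw.splitlines():
        token = line.split("#")[0].split(";")[0].strip()
        if not token:
            continue
        try:
            net = ipaddress.IPv4Network(token, strict=False)
        except ValueError:
            rejected.append((token, "invalid"))
            continue
        if net.prefixlen < min_prefix:
            rejected.append((token, "too broad"))
        elif any(net.overlaps(n) for n in never_block):
            rejected.append((token, "never-block"))
        elif any(net.overlaps(n) for n in NON_ROUTABLE):
            rejected.append((token, "non-routable"))
        else:
            kept.add(net)  # the set removes duplicates
    entries = [str(n.network_address) if n.prefixlen == 32 else str(n)
               for n in sorted(kept)]
    return entries, rejected

if __name__ == "__main__":
    entries, rejected = build_blocklist(SAMPLE_FEED)
    print("\n".join(entries))        # contents of the hosted txt file
    for token, reason in rejected:   # review these before publishing
        print(f"rejected {token}: {reason}")
```

Rejecting overly broad prefixes and anything overlapping your own ranges keeps a bad or tampered feed from turning the block rule into a self-inflicted outage.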
04-26-2013 08:00 PM
Use at your own risk, but below are some sites to test the dynamic block. It's not a long list, but it's a simple txt.
Make sure you create a service route for the DNS, then select the dynamic block object as destination and test with ping before & after.
08-15-2013 06:49 AM
Doris,
I am new to Palo Alto. Getting asked this same question about IP Reputation lists. I assume that your reply would still be the same today. Need to get back to the customer and just want to confirm.
Thanks...
Mike