09-22-2014 11:40 AM
Greetings,
I'm migrating from a regionalized TMG environment to a distributed Palo Alto design at a great number of sites. One of the banes of our TMG existence is maintaining a list of allowed internet sites that anyone on the network can get to via a trust to untrust policy (even those non-domain devices). Things like HR sites, retirement, health care, etc. This list is long, changes often, and must be changed on many firewalls. We are looking for something a little more automated. We are running 5.10 code, and will NOT have Panorama deployed until well into 2015.
URL filtering is great. Specifically, the ability to use wildcards in the URLs, and to choose whether to allow or deny traffic in policy. However, modifications are tedious at best, and every firewall must be touched. (Well over 150 right now!)
Dynamic Block Lists are nearly perfect for this task, if only they could be "Dynamic Lists" and we could choose to block or allow. The disadvantage here is that EBLs are IP addresses, and not URLs.
Is there a way to maintain a list of URLs in a text or XML file on a server, to be referenced by an "Allow" policy, on all of the firewalls on some interval? In other words, Dynamic Block List behavior, with URL filter functionality?
Can it be done?
Thanks,
09-22-2014 12:30 PM
Hi Aklugherz,
I don't see any way to add lots of URLs in a text file which the firewall can use. I would suggest contacting your Sales Engineer; he might have better insight into this.
Regards,
Hardik Shah
09-22-2014 12:42 PM
Hello aklugherz,
Please find below a few documents regarding EBL, for your reference:
Configuring Dynamic Block List (EBL) on a Palo Alto Networks Device
Working with External Block List (EBL) Formats and Limitations
Thanks
09-22-2014 12:48 PM
Thanks Hulk,
I use dynamic block lists to block websites. It's fantastic, in that we only have to maintain a single file with bad sites on a server somewhere, and the firewalls just go get it.
What I'm looking for now is the exact opposite effect: a file hosted on a server that lists URLs that are allowed.
10-03-2014 10:56 AM
We do have the option to add sites to a whitelist in the URL profile, but it wouldn't be exactly like the External Block List you mentioned.
Thanks!
10-03-2014 01:45 PM
Hello aklugherz,
I believe the dynamic allow list is not supported at the moment with the PAN firewall. I do not see any existing feature requests either. As suggested previously, your best bet would be to contact your SE, who can file a request on your behalf.
Thanks