Dynamic "Allow" Lists possible?

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Please sign in to see details of an important advisory in our Customer Advisories area.

Dynamic "Allow" Lists possible?

Not applicable


I'm migrating from regionalized TMG environment, to a distributed Palo Alto design at a great number of sites. One of the banes of our TMG existence is maintaining a list of allowed internet sites that anyone on the network can get to VIA a trust to untrust policy (Even those non-domain devices).  Things like HR sites, retirement, health care, etc.  This list is long, changes often, and must be changed on many firewalls.  We are looking for something a little more automated.  We are running 5.10 code, and will NOT have Panorama deployed until well into 2015.

URL filtering is great.  Specifically, the ability to use wild cards in the URL's, and to chose weather to allow or deny traffic in policy.  However, modifications are tedious at best, and every firewall must be touched.  (Well over 150 right now!)

Dynamic Block Lists are nearly perfect for this task, if only they could be "Dynamic Lists" and we could chose to block or allow.  The disadvantage here is that EBL's are IP addresses, and not URL's.

Is there a way to maintain a list of URLs in a text or XML file on a server, to be referenced by an "Allow" policy, on all of the firewalls on some interval?  In other words, Dynamic Block List behavior, with URL filter functionality?

Can it be done?



L6 Presenter

Hi Aklugherz,

Dynamic Block list allow only subnet/IPs in it. Rest all is illegal and it just ignore it.

I didnt find any existing Feature Request for the same.


Hardik SHah

L6 Presenter

Hi Aklugherz,

I dont see any way to add lots of URLs in text file which firewall can use. I would suggest to contact your Sales Engineer, he might have better insight to this.


Hardik Shah

L7 Applicator

Thanks Hulk,

I use dynamic block lists to block websites.  It's fantastic, in that we only have to maintain a single file with bad sites on a server somewhere, and the firewalls just go get it.

What I'm looking for now is the exact opposite effect:  A file hosted on a server, that lists URL's that are allowed.

We do have the option to add sites to a whitelist in the URL profile, but it wouldn't be exactly like the External Block List you mentioned.


Hello aklugherz,

I believe the dynamic allow list is not supported at the moment with PAN firewall. Do not see any existing feature requests as well. As suggested previously, your best bet would be to contact your SE who can file a request on your behalf


  • 6 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!