05-14-2014 02:49 PM
I have a pair of 3020s (configured for Active-Passive availability) and I'm trying to build an External Block List. I followed the documentation at Working with External Block List (EBL) Formats and Limitations. My EBL text file looks like this:
nnn.nnn.nnn.nnn 20140514 144338
where nnn is the octet of an IP address. There are several lines like that. None contain any of the special characters mentioned in the documentation.
When I go into the Dynamic Block List area of the GUI, and click the Test Source URL button, I get a pop-up message saying that the "Source URL is accessible". However, when I run an Import job to load the file, and use the CLI to check the output of the job, it shows:
Enqueued | ID | Type | Status Result Completed |
--------------------------------------------------------------------------
2014/05/14 15:40:15 | 1792 | EBLRefresh | FIN FAIL 15:41:10 |
Warnings:
Details:EBL(vsys1/Web Server Attackers) Unable to fetch external list. Using old copy for refresh.
EBL(vsys1/Web Server Attackers) EBLRefresh job failed. No valid IPs found in list
I have tried adding "/32" subnet masks after the IP addresses, and that makes no difference.
Hopefully I'm not missing something obvious. Any suggestions?
05-14-2014 03:14 PM
Hello Efritz,
Could you please modify the refresh time of the block list and try to commit again.
Before applying the commit command, please follow the ms.logs to get some more information.
CLI> tail follow yes mp-log ms.log
Please find below a few related docs; they might help you.
Configuring Dynamic Block List (EBL) on a Palo Alto Networks Device
Re: How to use dynamic block list?
Dynamic Block List format clarification
Thanks
05-15-2014 07:50 AM
Hi HULK.
Here's what I did. I added two external blacklist URLs, and modified the refresh time of my original block list. I then committed. The firewall liked the external ones, but my internal one generated this error:
EBL(vsys1/Web Server Probe IPs) Unable to fetch external list. Using old copy for refresh.
As you can see, "Web Server Probe IDs" is the name of my block list. Here are the relevant lines from ms.log:
2014-05-15 08:46:35.728 -0600 EBL ALLOC size(0xe2209698 1196)
2014-05-15 08:46:35.728 -0600 EBL entry(0x9626408, 0xe2209698, 0xe6cfec20 vsys1/Web Server Probe IPs, 0, 1) timer init expires(0, Thu May 15 09:45:35 2014)
2014-05-15 08:46:35.728 -0600 EBL ALLOC size(0xdf01bdf0 1196)
2014-05-15 08:46:35.728 -0600 EBL entry(0x9626408, 0xdf01bdf0, 0xdeb761f0 vsys1/Emerging Threats IPs, 0, 1) timer init expires(0, Thu May 15 08:55:35 2014)
2014-05-15 08:46:35.728 -0600 EBL ALLOC size(0xe26daab8 1196)
2014-05-15 08:46:35.728 -0600 EBL entry(0x9626408, 0xe26daab8, 0xe6706410 vsys1/Malware IPs, 0, 1) timer init expires(0, Thu May 15 09:05:35 2014)
2014-05-15 08:46:35.729 -0600 EBL entry(0x9626408, 0xe26daab8, 0xe6706410 vsys1/Malware IPs, 1, 1) looping
2014-05-15 08:46:35.730 -0600 EBL entry(0x9626408, 0xe26daab8, 0xe6706410 vsys1/Malware IPs, 1, 1) Build ips node(1412)
2014-05-15 08:46:35.731 -0600 EBL entry(0x9626408, 0xdf01bdf0, 0xdeb761f0 vsys1/Emerging Threats IPs, 1, 1) looping
2014-05-15 08:46:35.733 -0600 EBL entry(0x9626408, 0xdf01bdf0, 0xdeb761f0 vsys1/Emerging Threats IPs, 1, 1) Build ips node(1644)
2014-05-15 08:46:35.733 -0600 EBL entry(0x9626408, 0xe2209698, 0xe6cfec20 vsys1/Web Server Probe IPs, 1, 1) looping
2014-05-15 08:46:35.734 -0600 EBL entry(0x9626408, 0xe2209698, 0xe6cfec20 vsys1/Web Server Probe IPs, 1, 1) calling /usr/local/bin/newpanupdater.sh -s www.gljpc.com -xyes -turl -L6500000 -T5 -zhttp://www.gljpc.com/blacklist/blacklist.txt 2>/dev/null 1>/opt/pancfg/mgmt/devices/localhost.localdomain/vsys1_Web#Server#Probe#IPs.ebl.tmpxx
2014-05-15 08:46:37.275 -0600 Error: pan_mgmt_get_sysd_uint32(pan_cfg_status_handler.c:325): failed to fetch: cfg.alarmlastacktime
2014-05-15 08:46:52.327 -0600 Error: pan_mgmt_get_sysd_uint32(pan_cfg_status_handler.c:325): failed to fetch: cfg.alarmlastacktime
2014-05-15 08:47:02.870 -0600 EBL entry(0x9626408, 0xe2209698, 0xe6cfec20 vsys1/$//g' /opt/pancfg/mgmt/devices/localhost.localdomain/vsys1_Web#Server#Probe#IPs.ebl.tmpxx 2>/dev/null > /opt/pancfg/mgmt/devices/localhost.localdomain/vsys1_Web#Server#Probe#IPs.ebl.tmp
2014-05-15 08:47:02.907 -0600 Error: ebl_verify_new_fetched_copy(pan_cfg_ebl.c:720): EBL entry(0x9626408, 0xe2209698, 0xe6cfec20 vsys1/Web Server Probe IPs, 1, 1) No valid entries found.
2014-05-15 08:47:02.907 -0600 Error: ebl_update_local_file(pan_cfg_ebl.c:892): EBL entry(0x9626408, 0xe2209698, 0xe6cfec20 vsys1/Web Server Probe IPs, 1, 1) Unable to fetch external list. Using old copy for refresh.
2014-05-15 08:47:02.907 -0600 EBL entry(0x9626408, 0xe2209698, 0xe6cfec20 vsys1/Web Server Probe IPs, 1, 1) Unable to open EBL(/opt/pancfg/mgmt/devices/localhost.localdomain/vsys1_Web#Server#Probe#IPs.ebl)
2014-05-15 08:47:02.908 -0600 EBL entry(0x9626408, 0xe2209698, 0xe6cfec20 vsys1/Web Server Probe IPs, 1, 1) Build ips node(1)
2014-05-15 08:47:14.207 -0600 EBL entry(0x9626408, 0xdebc40f8, 0xe6b949a8 vsys1/Malware IPs, 1, 0) Refresh job cancelled
2014-05-15 08:47:14.207 -0600 EBL entry(0x9626408, 0xdebc40f8, 0xe6b949a8 vsys1/Malware IPs, 1, 0) EBLRefresh job success
2014-05-15 08:47:14.207 -0600 EBL entry(0x9626408, 0xdebc40f8, 0xe6b949a8 vsys1/Malware IPs, 1, 0) Releasing ebl
2014-05-15 08:47:14.207 -0600 EBL ALLOC free size(0xdebc40f8 1196)
2014-05-15 08:47:14.207 -0600 EBL entry(0x9626408, 0xe6c9b7a8, 0xe502ac28 vsys1/Emerging Threats IPs, 1, 0) Refresh job cancelled
2014-05-15 08:47:14.207 -0600 EBL entry(0x9626408, 0xe6c9b7a8, 0xe502ac28 vsys1/Emerging Threats IPs, 1, 0) EBLRefresh job success
2014-05-15 08:47:14.207 -0600 EBL ALLOC free timer (0xeca6af98, 1496)
2014-05-15 08:47:14.207 -0600 EBL entry(0x9626408, 0xe6c9b7a8, 0xe502ac28 vsys1/Emerging Threats IPs, 1, 0) Releasing ebl
2014-05-15 08:47:14.207 -0600 EBL ALLOC free size(0xe6c9b7a8 1196)
2014-05-15 08:47:14.207 -0600 EBL entry(0x9626408, 0xe6b88120, 0xe66f2108 vsys1/Web Server Probe IPs, 1, 0) Refresh job cancelled
2014-05-15 08:47:14.207 -0600 EBL entry(0x9626408, 0xe6b88120, 0xe66f2108 vsys1/Web Server Probe IPs, 1, 0) EBLRefresh job success
2014-05-15 08:47:14.207 -0600 EBL ALLOC free timer (0xe905e838, 1496)
2014-05-15 08:47:14.207 -0600 EBL entry(0x9626408, 0xe6b88120, 0xe66f2108 vsys1/Web Server Probe IPs, 1, 0) Releasing ebl
2014-05-15 08:47:14.207 -0600 EBL ALLOC free size(0xe6b88120 1196)
Any ideas?
Erwin
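A triage sketch for ms.log output like the excerpt above (an added example, not part of the original post and not Palo Alto Networks code): it groups `EBL entry(...)` lines by list name and reports which lists logged a fetch or validation failure. The line layout, and the assumption that the `-z` argument carries the source URL, are inferred only from the log lines quoted in this thread.

```python
import re

# Layout inferred from the thread: "EBL entry(ptr, ptr, ptr vsys/list name, n, n) message"
ENTRY = re.compile(
    r"EBL entry\(0x[0-9a-f]+, 0x[0-9a-f]+, 0x[0-9a-f]+ "
    r"(?P<name>[^,]+), \d+, \d+\) (?P<msg>.*)$"
)
FAILURES = ("No valid entries found", "Unable to fetch external list", "Unable to open EBL")

# Sample lines copied from the log posted above (including the truncated 08:47:02.870 line).
SAMPLE = """\
2014-05-15 08:46:35.730 -0600 EBL entry(0x9626408, 0xe26daab8, 0xe6706410 vsys1/Malware IPs, 1, 1) Build ips node(1412)
2014-05-15 08:46:35.734 -0600 EBL entry(0x9626408, 0xe2209698, 0xe6cfec20 vsys1/Web Server Probe IPs, 1, 1) calling /usr/local/bin/newpanupdater.sh -s www.gljpc.com -xyes -turl -L6500000 -T5 -zhttp://www.gljpc.com/blacklist/blacklist.txt 2>/dev/null
2014-05-15 08:47:02.870 -0600 EBL entry(0x9626408, 0xe2209698, 0xe6cfec20 vsys1/$//g' /opt/pancfg/mgmt/devices/localhost.localdomain/vsys1_Web#Server#Probe#IPs.ebl.tmpxx
2014-05-15 08:47:02.907 -0600 Error: ebl_verify_new_fetched_copy(pan_cfg_ebl.c:720): EBL entry(0x9626408, 0xe2209698, 0xe6cfec20 vsys1/Web Server Probe IPs, 1, 1) No valid entries found.
2014-05-15 08:47:02.907 -0600 Error: ebl_update_local_file(pan_cfg_ebl.c:892): EBL entry(0x9626408, 0xe2209698, 0xe6cfec20 vsys1/Web Server Probe IPs, 1, 1) Unable to fetch external list. Using old copy for refresh.
2014-05-15 08:47:02.908 -0600 EBL entry(0x9626408, 0xe2209698, 0xe6cfec20 vsys1/Web Server Probe IPs, 1, 1) Build ips node(1)
""".splitlines()

def summarize(lines):
    """Return {list name: {"url", "nodes", "failures"}} for every EBL seen in the log."""
    lists = {}
    for line in lines:
        m = ENTRY.search(line)
        if not m:
            continue  # unrelated or truncated line: nothing reliable to extract
        info = lists.setdefault(m["name"], {"url": None, "nodes": None, "failures": []})
        msg = m["msg"]
        url = re.search(r"\s-z(\S+)", msg)  # assumption: -z<url> is the fetch source
        if msg.startswith("calling ") and url:
            info["url"] = url.group(1)
        nodes = re.match(r"Build ips node\((\d+)\)", msg)
        if nodes:
            info["nodes"] = int(nodes.group(1))  # node count exactly as logged
        info["failures"] += [f for f in FAILURES if f in msg]
    return lists

def failed_lists(lines):
    """Names of lists that logged at least one fetch or validation failure."""
    return sorted(name for name, info in summarize(lines).items() if info["failures"])

if __name__ == "__main__":
    for name, info in summarize(SAMPLE).items():
        state = "; ".join(info["failures"]) or "no failures logged"
        print(f"{name}: url={info['url']} nodes={info['nodes']} -> {state}")
```
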
12-23-2014 11:37 PM
EBL was not working in CLI 3020 and the same is accessible using GUI.
Configured a random IP list including the actual one and committed. It started working.
2014/12/24 11:49:49 135 EBLRefresh FIN OK 11:49:50
2014/12/24 11:43:17 134 EBLRefresh FIN OK 11:43:21
2014/12/24 11:42:53 133 Commit FIN OK 11:43:21
2014/12/24 11:40:23 132 EBLRefresh FIN FAIL 11:41:31
2014/12/24 11:30:25 131 EBLRefresh FIN FAIL 11:31:33
2014/12/24 11:24:44 130 EBLRefresh FIN FAIL 11:25:51
12-26-2014 06:35 AM
Hello,
Have you checked your service routes? Make sure you are using the right interface to fetch the server that contains the list. Also, if you are using a proxy server, make sure that your configuration is correct.
Thanks.
12-26-2014 06:39 AM
If you are using the management interface for this connection, you can also do a tcpdump there to see what's going on.
> tcpdump snaplen 65533 filter "xxxxxxxxxx"