
EBL can be seen by PA3020 in GUI, but cannot be read in CLI

L1 Bithead

I have a pair of 3020s (configured for Active-Passive availability) and I'm trying to build an External Block List. I followed the documentation at Working with External Block List (EBL) Formats and Limitations. My EBL text file looks like this:

nnn.nnn.nnn.nnn 20140514 144338

where each nnn is an octet of an IP address. There are several lines like that. None contain any of the special characters mentioned in the documentation.

When I go into the Dynamic Block List area of the GUI, and click the Test Source URL button, I get a pop-up message saying that the "Source URL is accessible". However, when I run an Import job to load the file, and use the CLI to check the output of the job, it shows:

Enqueued                 ID         Type         Status Result Completed
--------------------------------------------------------------------------
2014/05/14 15:40:15    1792   EBLRefresh   FIN   FAIL 15:41:10

Warnings:

Details: EBL(vsys1/Web Server Attackers) Unable to fetch external list.  Using old copy for refresh.
EBL(vsys1/Web Server Attackers) EBLRefresh job failed. No valid IPs found in list

I have tried adding "/32" subnet masks after the IP addresses, and that makes no difference.

Hopefully I'm not missing something obvious. Any suggestions?
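A pre-publication check for a list file in the shape described above, as an added example that is not from this thread or from Palo Alto Networks. The rule set it applies (one bare IPv4 address, CIDR or a-b range per line, optional # comments, anything trailing the address flagged for review) is an assumption for illustration, not the vendor's documented format, and the sample list is constructed.

```python
import ipaddress

# Constructed sample in the shape the poster described: an address followed
# by a date and a time on the same line, plus a few other line shapes.
SAMPLE_EBL = """\
# constructed sample, not the poster's real file
203.0.113.10 20140514 144338
203.0.113.11/32 20140514 144401
198.51.100.0/24
192.0.2.1-192.0.2.20
203.0.113.999
"""

def classify_line(line):
    """Return (status, detail) for one list line under the assumed rules:
    'ok' = bare address/CIDR/range and nothing else; 'suspect' = address
    parses but extra tokens trail it; 'bad' = first token is no address."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return "skip", ""
    first, _, rest = stripped.partition(" ")
    try:
        if "-" in first:
            lo, hi = (ipaddress.ip_address(p) for p in first.split("-", 1))
            if lo > hi:
                return "bad", "range start is after range end"
        elif "/" in first:
            ipaddress.ip_network(first, strict=False)
        else:
            ipaddress.ip_address(first)
    except (ValueError, TypeError) as exc:
        return "bad", str(exc)
    if rest.strip():
        return "suspect", "trailing fields: " + rest.strip()
    return "ok", ""

def validate_ebl(text):
    """Summarise a whole list: counts per status plus the non-ok lines
    as (line number, status, detail), so a list can be fixed before
    the firewall tries to fetch it."""
    report = {"ok": 0, "suspect": 0, "bad": 0, "findings": []}
    for n, line in enumerate(text.splitlines(), 1):
        status, detail = classify_line(line)
        if status == "skip":
            continue
        report[status] += 1
        if status != "ok":
            report["findings"].append((n, status, detail))
    return report
```

Run it against the list before pointing the firewall at it; a file whose every line comes back "suspect" or "bad" is the first thing to fix before looking at service routes or proxies.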

L7 Applicator

Hello Efritz,

Could you please modify the refresh time of the block list and try to commit again?

Before applying the commit command, please follow the ms.log to get some more information.

CLI> tail follow yes mp-log ms.log

Please find below a few related docs; they might help you.

Configuring Dynamic Block List (EBL) on a Palo Alto Networks Device

dynamic block list

Re: How to use dynamic block list?

Dynamic Block List format clarification

Thanks

Hi HULK,

Here's what I did. I added two external blacklist URLs, and modified the refresh time of my original block list. I then committed. The firewall liked the external ones, but my internal one generated this error:

EBL(vsys1/Web Server Probe IPs) Unable to fetch external list.  Using old copy for refresh.

As you can see, "Web Server Probe IPs" is the name of my block list. Here are the relevant lines from ms.log:

2014-05-15 08:46:35.728 -0600 EBL ALLOC size(0xe2209698 1196)
2014-05-15 08:46:35.728 -0600 EBL entry(0x9626408, 0xe2209698, 0xe6cfec20 vsys1/Web Server Probe IPs, 0, 1) timer init expires(0, Thu May 15 09:45:35 2014)
2014-05-15 08:46:35.728 -0600 EBL ALLOC size(0xdf01bdf0 1196)
2014-05-15 08:46:35.728 -0600 EBL entry(0x9626408, 0xdf01bdf0, 0xdeb761f0 vsys1/Emerging Threats IPs, 0, 1) timer init expires(0, Thu May 15 08:55:35 2014)
2014-05-15 08:46:35.728 -0600 EBL ALLOC size(0xe26daab8 1196)
2014-05-15 08:46:35.728 -0600 EBL entry(0x9626408, 0xe26daab8, 0xe6706410 vsys1/Malware IPs, 0, 1) timer init expires(0, Thu May 15 09:05:35 2014)
2014-05-15 08:46:35.729 -0600 EBL entry(0x9626408, 0xe26daab8, 0xe6706410 vsys1/Malware IPs, 1, 1) looping
2014-05-15 08:46:35.730 -0600 EBL entry(0x9626408, 0xe26daab8, 0xe6706410 vsys1/Malware IPs, 1, 1) Build ips node(1412)
2014-05-15 08:46:35.731 -0600 EBL entry(0x9626408, 0xdf01bdf0, 0xdeb761f0 vsys1/Emerging Threats IPs, 1, 1) looping
2014-05-15 08:46:35.733 -0600 EBL entry(0x9626408, 0xdf01bdf0, 0xdeb761f0 vsys1/Emerging Threats IPs, 1, 1) Build ips node(1644)
2014-05-15 08:46:35.733 -0600 EBL entry(0x9626408, 0xe2209698, 0xe6cfec20 vsys1/Web Server Probe IPs, 1, 1) looping
2014-05-15 08:46:35.734 -0600 EBL entry(0x9626408, 0xe2209698, 0xe6cfec20 vsys1/Web Server Probe IPs, 1, 1) calling /usr/local/bin/newpanupdater.sh -s www.gljpc.com -xyes -turl -L6500000 -T5 -zhttp://www.gljpc.com/blacklist/blacklist.txt 2>/dev/null 1>/opt/pancfg/mgmt/devices/localhost.localdomain/vsys1_Web#Server#Probe#IPs.ebl.tmpxx
2014-05-15 08:46:37.275 -0600 Error:  pan_mgmt_get_sysd_uint32(pan_cfg_status_handler.c:325): failed to fetch: cfg.alarmlastacktime
2014-05-15 08:46:52.327 -0600 Error:  pan_mgmt_get_sysd_uint32(pan_cfg_status_handler.c:325): failed to fetch: cfg.alarmlastacktime
2014-05-15 08:47:02.870 -0600 EBL entry(0x9626408, 0xe2209698, 0xe6cfec20 vsys1/$//g' /opt/pancfg/mgmt/devices/localhost.localdomain/vsys1_Web#Server#Probe#IPs.ebl.tmpxx 2>/dev/null > /opt/pancfg/mgmt/devices/localhost.localdomain/vsys1_Web#Server#Probe#IPs.ebl.tmp
2014-05-15 08:47:02.907 -0600 Error:  ebl_verify_new_fetched_copy(pan_cfg_ebl.c:720): EBL entry(0x9626408, 0xe2209698, 0xe6cfec20 vsys1/Web Server Probe IPs, 1, 1) No valid entries found.
2014-05-15 08:47:02.907 -0600 Error:  ebl_update_local_file(pan_cfg_ebl.c:892): EBL entry(0x9626408, 0xe2209698, 0xe6cfec20 vsys1/Web Server Probe IPs, 1, 1) Unable to fetch external list.  Using old copy for refresh.
2014-05-15 08:47:02.907 -0600 EBL entry(0x9626408, 0xe2209698, 0xe6cfec20 vsys1/Web Server Probe IPs, 1, 1) Unable to open EBL(/opt/pancfg/mgmt/devices/localhost.localdomain/vsys1_Web#Server#Probe#IPs.ebl)
2014-05-15 08:47:02.908 -0600 EBL entry(0x9626408, 0xe2209698, 0xe6cfec20 vsys1/Web Server Probe IPs, 1, 1) Build ips node(1)
2014-05-15 08:47:14.207 -0600 EBL entry(0x9626408, 0xdebc40f8, 0xe6b949a8 vsys1/Malware IPs, 1, 0) Refresh job cancelled
2014-05-15 08:47:14.207 -0600 EBL entry(0x9626408, 0xdebc40f8, 0xe6b949a8 vsys1/Malware IPs, 1, 0) EBLRefresh job success
2014-05-15 08:47:14.207 -0600 EBL entry(0x9626408, 0xdebc40f8, 0xe6b949a8 vsys1/Malware IPs, 1, 0) Releasing ebl
2014-05-15 08:47:14.207 -0600 EBL ALLOC free size(0xdebc40f8 1196)
2014-05-15 08:47:14.207 -0600 EBL entry(0x9626408, 0xe6c9b7a8, 0xe502ac28 vsys1/Emerging Threats IPs, 1, 0) Refresh job cancelled
2014-05-15 08:47:14.207 -0600 EBL entry(0x9626408, 0xe6c9b7a8, 0xe502ac28 vsys1/Emerging Threats IPs, 1, 0) EBLRefresh job success
2014-05-15 08:47:14.207 -0600 EBL ALLOC free timer (0xeca6af98, 1496)
2014-05-15 08:47:14.207 -0600 EBL entry(0x9626408, 0xe6c9b7a8, 0xe502ac28 vsys1/Emerging Threats IPs, 1, 0) Releasing ebl
2014-05-15 08:47:14.207 -0600 EBL ALLOC free size(0xe6c9b7a8 1196)
2014-05-15 08:47:14.207 -0600 EBL entry(0x9626408, 0xe6b88120, 0xe66f2108 vsys1/Web Server Probe IPs, 1, 0) Refresh job cancelled
2014-05-15 08:47:14.207 -0600 EBL entry(0x9626408, 0xe6b88120, 0xe66f2108 vsys1/Web Server Probe IPs, 1, 0) EBLRefresh job success
2014-05-15 08:47:14.207 -0600 EBL ALLOC free timer (0xe905e838, 1496)
2014-05-15 08:47:14.207 -0600 EBL entry(0x9626408, 0xe6b88120, 0xe66f2108 vsys1/Web Server Probe IPs, 1, 0) Releasing ebl
2014-05-15 08:47:14.207 -0600 EBL ALLOC free size(0xe6b88120 1196)

Any ideas?

Erwin
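A small triage of ms.log output in the form quoted above, as an added example that is not from this thread or from the vendor. The log excerpt is constructed (placeholder pointer values and a placeholder list URL), and the regular expressions are an assumption based only on the line shapes shown here, not on any documented log format.

```python
import re
from collections import defaultdict

# Constructed ms.log excerpt mirroring the quoted lines; hex values and the
# list URL are placeholders, not the poster's.
SAMPLE_MS_LOG = """\
2014-05-15 08:46:35.730 -0600 EBL entry(0x1, 0x2, 0x3 vsys1/Malware IPs, 1, 1) Build ips node(1412)
2014-05-15 08:46:35.734 -0600 EBL entry(0x1, 0x4, 0x5 vsys1/Web Server Probe IPs, 1, 1) calling /usr/local/bin/newpanupdater.sh -s www.example.com -xyes -turl -L6500000 -T5 -zhttp://www.example.com/blacklist/blacklist.txt 2>/dev/null 1>/tmp/list.ebl.tmpxx
2014-05-15 08:47:02.907 -0600 Error:  ebl_verify_new_fetched_copy(pan_cfg_ebl.c:720): EBL entry(0x1, 0x4, 0x5 vsys1/Web Server Probe IPs, 1, 1) No valid entries found.
2014-05-15 08:47:02.907 -0600 Error:  ebl_update_local_file(pan_cfg_ebl.c:892): EBL entry(0x1, 0x4, 0x5 vsys1/Web Server Probe IPs, 1, 1) Unable to fetch external list.  Using old copy for refresh.
2014-05-15 08:47:02.908 -0600 EBL entry(0x1, 0x4, 0x5 vsys1/Web Server Probe IPs, 1, 1) Build ips node(1)
2014-05-15 08:47:14.207 -0600 EBL entry(0x1, 0x6, 0x7 vsys1/Malware IPs, 1, 0) EBLRefresh job success
"""

# Assumed shape: "EBL entry(<ptrs> <vsys>/<list name>, n, m) <message>"
ENTRY = re.compile(r"EBL entry\((?:0x[0-9a-f]+, )*0x[0-9a-f]+ (vsys\d+/.+?), \d+, \d+\) (.*)$")
URL = re.compile(r"-z(\S+)")          # the -z argument of the fetch script
NODES = re.compile(r"Build ips node\((\d+)\)")

def triage_ms_log(text):
    """Per-list summary: fetch URL, last node count, error messages, job result."""
    lists = defaultdict(lambda: {"url": None, "nodes": None, "errors": [], "job": None})
    for line in text.splitlines():
        m = ENTRY.search(line)
        if not m:
            continue
        name, msg = m.group(1), m.group(2)
        info = lists[name]
        nodes = NODES.search(msg)
        if msg.startswith("calling "):
            u = URL.search(msg)
            info["url"] = u.group(1) if u else None
        elif nodes:
            info["nodes"] = int(nodes.group(1))
        elif "Error:" in line:
            info["errors"].append(msg)
        elif msg.startswith("EBLRefresh job "):
            info["job"] = msg[len("EBLRefresh job "):]
    return dict(lists)

def failed_lists(summary):
    """Names of lists that logged errors or whose tree collapsed to one node,
    which is what the quoted log shows for the list that could not be read."""
    return sorted(name for name, info in summary.items()
                  if info["errors"] or (info["nodes"] is not None and info["nodes"] <= 1))
```

Note that the job-level line can still read "EBLRefresh job success" for a list whose fetch was rejected, so the verification errors and node count are the lines to key on, not the job result alone.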

L3 Networker

The EBL was not working from the CLI on a 3020, while the same list was accessible from the GUI.

I configured a random IP list, including the actual one, and committed. It started working:

2014/12/24 11:49:49         135       EBLRefresh       FIN     OK 11:49:50
2014/12/24 11:43:17         134       EBLRefresh       FIN     OK 11:43:21
2014/12/24 11:42:53         133           Commit       FIN     OK 11:43:21
2014/12/24 11:40:23         132       EBLRefresh       FIN   FAIL 11:41:3
2014/12/24 11:30:25         131       EBLRefresh       FIN   FAIL 11:31:33
2014/12/24 11:24:44         130       EBLRefresh       FIN   FAIL 11:25:51

Hello,

Have you checked your service routes? Make sure you are using the right interface to fetch the server that contains the list. Also, if you are using a proxy server, make sure that your configuration is correct.

Thanks.

If you are using the management interface for this connection, you can also do a tcpdump there to see what's going on.

> tcpdump snaplen 65533 filter "xxxxxxxxxx"
