08-30-2023 06:32 AM
Hi,
We are using the predefined EDL Palo Alto Networks - Known malicious IP address in deny rules.
I would like to know how we can check whether this EDL is updated and when it was last updated successfully, etc.
Thanks.
08-30-2023 06:42 AM - edited 08-31-2023 10:09 AM
Hi @Ismailsh ,
That is a great question! EDIT: Sorry! I thought you were asking about custom EDLs. The built-in EDLs are updated through content updates. https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/policy/use-an-external-dynamic-list-in-pol... I don't think the NGFW logs those changes.
To check the status of custom EDLs, you can check Monitor > Logs > Systems for EDL messages. Use the filter ( description contains 'EDL' ). The logs will let you know if the refresh succeeded or failed, if there were updates or not, etc.
You can also examine the contents of the EDL itself under Objects > External Dynamic Lists > [edit list] > List Entries and Exceptions.
EDIT2: It looks like the built-in EDLs are updated with the AV updates.
> request system external-list stats type predefined-ip name panw-known-ip-list
Predefined IP list available in AV content
I checked the List Entries of "Palo Alto Networks - Known malicious IP addresses" before and after an AV update, and the number changed. I am currently getting an AV update every day, although I do not know if the built-in EDLs change with every update.
Thanks,
Tom