EDL - How to find out if it's updated automatically


L1 Bithead

Hi,

 

We are using the predefined EDL Palo Alto Networks - Known malicious IP address in deny rules.

 

I would like to know how we can check whether this EDL is updated, when it was last updated successfully, etc.

 

Thanks.


Accepted Solutions

Cyber Elite

Hi @Ismailsh ,

 

That is a great question!  EDIT:  Sorry!  I thought you were asking about custom EDLs.  The built-in EDLs are updated through content updates.  https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/policy/use-an-external-dynamic-list-in-pol...  I don't think the NGFW logs those changes.

 

To check the status of custom EDLs, you can check Monitor > Logs > Systems for EDL messages.  Use the filter ( description contains 'EDL' ).  The logs will let you know if the refresh succeeded or failed, if there were updates or not, etc.

 

You can also examine the contents of the EDL itself under Objects > External Dynamic Lists > [edit list] > List Entries and Exceptions.

 

EDIT2:  It looks like the built-in EDLs are updated with the AV updates.

 

> request system external-list stats type predefined-ip name panw-known-ip-list

Predefined IP list available in AV content

 

I checked the List Entries of "Palo Alto Networks - Known malicious IP addresses" before and after an AV update, and the number changed.  I am currently getting an AV update every day, although I do not know if the built-in EDLs change with every update.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.
