EDL problem

s_quasar · ‎10-27-2019

Hi,

I find this error: EDL(my list) Entry not referenced by a rule.

What does it mean? How can I resolve it?

michelealbrigo · ‎10-28-2019

Source or destination address. Think of it as an Address group.

michelealbrigo · ‎10-28-2019

In Objects > External Dynamic Lists you defined an EDL (e.g. you read a list of malicious addresses from some feed), but none of your policies is referencing it. An EDL would probably end up in the Destination Address part of some policy.
Nothing bad, anyway, your firewall is basically just reading an external list of addresses but it's not using that information anywhere.

s_quasar · ‎10-28-2019

Hi,

I have a rule with many denies IPs. Is maybe for this reason?

Have I to create a special policy for EDL?

michelealbrigo · ‎10-28-2019

No. A rule with a statically defined list of IPs is not an "external dynamic list". Your configuration is pointing to an external source of addresses, it is reading it, but it's not using it. You can either remove the list from Objects > External Dynamic lists or use it in a policy (if appropriate, of course).

s_quasar · ‎10-28-2019

How can I use it in a policy? In which part of configuration have I to enter?

michelealbrigo · ‎10-28-2019

Source or destination address. Think of it as an Address group.

s_quasar · ‎10-28-2019

I thought it was enough to insert the EDL instead we also need the security rule. Thaks a lot! Only one last question. Why in the standard Paloalto EDL do you see all the IPs in detail, while in my personalized rules I don't see IPs? In this manner I can't insert any exceptions.

michelealbrigo · ‎10-29-2019

My firewalls exhibit the same behaviour (PanOS 8.1.10), the list is valid, but the GUI shows no addresses in it. Maybe it's a bug?

s_quasar · ‎10-29-2019

Yes that's the problem I meant.

Do you know some good lists to use for blocking malicious IPs?

I found http://plonkatronix.com/plonkatronixBL.txt and this URL https://panwdbl.appspot.com/ (I'm investiganting about this).

michelealbrigo · ‎10-29-2019

Not really, I'm sorry. It's something I plan to do, but it's low on my priority list at the moment.

rmfalconer · ‎10-29-2019

Couple of things to mention.

Is that EDL 'Unassigned IPv4' actually referenced in a policy? If not, it won't show any entries.

If it is referenced, did you check the CLI? you can view entries with: request system external-list show type ip name "Unassigned IPv4"

We do use many of the lists at https://panwdbl.appspot.com/ with no issues. We also keep a custom list that we manage on a local web server.

s_quasar · ‎10-30-2019

I have set up the policy but still not presence of IPs in GUI

rmfalconer · ‎10-30-2019

Did you check the CLI output?

s_quasar · ‎10-30-2019

@michelealbrigo thanks a lot for you help.

If you have a little bit of time can you take a look at these my other problems? (especially about log forwading)
https://live.paloaltonetworks.com/t5/General-Topics/log-to-Kiwi-Syslog/m-p/293687
https://live.paloaltonetworks.com/t5/General-Topics/Decryption-policy-and-SNI/m-p/293676

You help is very appreciated

s_quasar · ‎10-30-2019

I've checked now the configuration. Now I can view all the IPs in GUI. Maybe as you say I've checked the list before apply the rule.

Thanks.

EDL problem

EDL problem

Show your appreciation!