We have few use cases around dynamically block list (dynamic update for us) however we would like to use it to identify and "allow" apps rather than "block". Considering it is just a group with objects which are dynamically populated based on url, i think it will work. We would like to provide ssh-proxy exception based on the dbl. Strangly even afer exception policy, the firewall was decrypting the traffic. There was no policy above this policy to match destination. I moved to the policy on the top and it started working. Now I added one more external block list group in the same policy, and the firewall started decrypting traffic. Any suggestions
Maybe it's just me, but I'm a little confused by the question. Security Policies and Decryption Policies are two separate entities, so one should not be directly affecting the other.
Would probably help by reviewing your Decryption Policies to begin with.
The way that you have this listed is kind of confusing; potentially just sharing out a screenshot of what your talking about may help. The EBL is essentially just a list of objects that gets pulled from elsewhere, so it could be used in security and decyrption policies however depending on what you are doing you wouldn't want to same EBL being used in both places.
I'm not positive what you are having an issue with reading through your question twice. If you need to move a policy to get it to work, basically that's saying that regardless of what you thought there was a policy intercepting that traffic and processing it before it hit your new rule. Remember to monitor your log files and verify which rule the traffic is actually hitting.
Thank you all for the responses and sorry for the confusion. The name says "block list" however my use case was to use it just like a group in security and/or decryption policies. The issue is mainly with the decryption policies as even with "no-decrypt" policy, the traffic is getting decrypted. At the same time, the firewall can poll the ip addresses fine external web server to populate dynamic block list (to rule out objects in the group). Further troubleshooting revealed that the normal "no-crypt" policy is not working however if I negate the same group in "decrypt" policy, it works fine. I have a case open with support as well.
I noticed when I created an external IP list and applied it as a Source for a NAT rule it was showing up as a "Block List" in the list there. After looking through some documentation on older PANOS versions I've come to the conclusion that "Block List" is just an old name for External Dynamic Lists and there are probably still some spots where it shows up as such in current versions. Despite how it was labeled, I was able to use the list as a list of Source IPs to match against for a NAT rule just fine.
I imagine they changed the name for that very reason... you can use them for more than just blocking things in security policies.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!