- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
08-30-2019 04:18 AM
Hi,
We are planning to use URL type EDL (external dynamic list) in a security policy rule / URL filtering profile.
Does PA translate the URL in the external dynamic list to IP address? using FQDN refresh (like if we created an FQDN object in the firewall)
How does it work exactly? any inputs would be appreciated.
Thanks
08-30-2019 06:38 AM
The fqdn address objects are very different to the EDL. Even though you input a fqdn, from policy perspective it is still IP address object, even though the IP can change based on the preidic fqdn resolution.
EDL are just text files, which can be of URL, domain or IP address type. The IP EDL can be used as policy address match, similar to any other address object and group. However the URL type EDL can only be used in URL filtering profiles or in the URL Category match section of the security policies. URLs in the list are not resolved, because a EDL can have thousands of entries and it could introduce large processing overhead.
You can potentially use some external servers to resolve list of URL and convert it to an IP address list, which can be presented to the firewall.
08-30-2019 06:38 AM
The fqdn address objects are very different to the EDL. Even though you input a fqdn, from policy perspective it is still IP address object, even though the IP can change based on the preidic fqdn resolution.
EDL are just text files, which can be of URL, domain or IP address type. The IP EDL can be used as policy address match, similar to any other address object and group. However the URL type EDL can only be used in URL filtering profiles or in the URL Category match section of the security policies. URLs in the list are not resolved, because a EDL can have thousands of entries and it could introduce large processing overhead.
You can potentially use some external servers to resolve list of URL and convert it to an IP address list, which can be presented to the firewall.
08-30-2019 07:02 AM
Thank you for your explanation.
Do you have any experience/input in blocking well known malicious domain/URL on Palo?
which options should we use? FQDN object/URL filtering or DNS sinkhole to block inbound and outbound traffic
Thanks!
08-30-2019 08:16 AM
Ideally you should use all methods, as they complement each other. The fqdn address objects are probably not suitable in this case, because you will have to creat too many, however you can have EDL feeds of known bad URL, in addition to using the Palo Alt URL filteing categories. DNS Synchole should be applied to user traffic, however it is not designed to block malicous URL, but rather than to detect users which are already infected.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!