External Dynamic List

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

External Dynamic List

L1 Bithead

Hi,

 

We are planning to use URL type EDL (external dynamic list) in a security policy rule / URL filtering profile.

 

Does PA translate the URL in the external dynamic list to IP address? using FQDN refresh (like if we created an FQDN object in the firewall) 

 

How does it work exactly? any inputs would be appreciated.

 

Thanks

1 accepted solution

Accepted Solutions

L4 Transporter

@L1_ENG 

The fqdn address objects are very different to the EDL. Even though you input a fqdn, from policy perspective it is still IP address object, even though the IP can change based on the preidic fqdn resolution.

EDL are just text files, which can be of URL, domain or IP address type. The IP EDL can be used as policy address match, similar to any other address object and group. However the URL type EDL can only be used in URL filtering profiles or in the URL Category match section of the security policies. URLs in the list are not resolved, because a EDL can have thousands of entries and it could introduce large processing overhead.

You can potentially use some external servers to resolve list of URL and convert it to an IP address list, which can be presented to the firewall.  

View solution in original post

3 REPLIES 3

L4 Transporter

@L1_ENG 

The fqdn address objects are very different to the EDL. Even though you input a fqdn, from policy perspective it is still IP address object, even though the IP can change based on the preidic fqdn resolution.

EDL are just text files, which can be of URL, domain or IP address type. The IP EDL can be used as policy address match, similar to any other address object and group. However the URL type EDL can only be used in URL filtering profiles or in the URL Category match section of the security policies. URLs in the list are not resolved, because a EDL can have thousands of entries and it could introduce large processing overhead.

You can potentially use some external servers to resolve list of URL and convert it to an IP address list, which can be presented to the firewall.  

@BatD 

Thank you for your explanation.

 

Do you have any experience/input in blocking well known malicious domain/URL on Palo?

which options should we use? FQDN object/URL filtering or DNS sinkhole to block inbound and outbound traffic

 

Thanks!

 

Ideally you should use all methods, as they complement each other. The fqdn address objects are probably not suitable in this case, because you will have to creat too many, however you can have EDL feeds of known bad URL, in addition to using the Palo Alt URL filteing categories. DNS Synchole should be applied to user traffic, however it is not designed to block malicous URL, but rather than to detect users which are already infected.

  • 1 accepted solution
  • 6731 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!