External Dynamic Lists not working

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

External Dynamic Lists not working

L2 Linker

Hi all,

 

I have configured EDL of type Dynamic URL Lists with the next configuration

 

EDL.png

 

Then in URL filtering profile the ransomwaretracker_URL category is configured as BLOCK and the Profile is applied in the Security rule.

 

It seems configured correctly, I can list the EDL in CLI, but if I try to go to listed URL, it does not blocked.

 

PAN is working with 7.1.2 version.

 

 

Thanks,

Jordi

 

 

 

 

 

 

 

 

 

16 REPLIES 16

L4 Transporter

Hi Jordi,

 

Can you remove the 'https://' and try that? The documentation says not to use this prefix.

 

https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/policy/formatting-guidelines-for-an-...

 

Can you also check your traffic logs and security policies and see if the allowed traffic is hitting a rule above or below the rule you have configured?

 

Try this command to see if your EDL has populated ok:

 

request system external-list show type url (EDL name)

 

You can add your list to a URL filtering profile and add that profile to the policy:

 

https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/url-filtering/use-an-external-dynami...

 

hope this helps,

 

Ben

Cyber Elite
Cyber Elite

Does it work as expected if you build a Deny rule with your EBL as the source address? This list is also 4992 entries which may be pushing the number of address objects you can push in one EBL. If you have anything less than a 3050, 3060, or a 5020 and up then you aren't going to be able to use this list. 

L6 Presenter

It is a bit away from the original post/question but I recall a discussion here about the limit of entries :

 

On each Palo Alto Networks firewall platform, you can configure a maximum of 30 unique sources for external dynamic lists. A source is a URL that includes the IP address or hostname, the path, and the filename for the external dynamic list. The firewall matches the URL (complete string) to determine whether a source is unique.
 
Although the firewall does not impose a limit on the number of lists for a specific type of list, the following limits are enforced:
 
  • IP address—The PA-5000 Series and the PA-7000 Series firewalls support a maximum of 150,000 total IP addresses; all other platforms support a maximum of 50,000 total IP addresses. No limits are enforced for the number of IP addresses per list.
  • URLs and domain names—a maximum of 50,000 URLs and 50,000 domains are supported on each platform, with no limits enforced on the number of entries per list.

More info here:

 

https://live.paloaltonetworks.com/t5/Featured-Articles/DotW-Dynamic-Block-List-Limited-Number-of-Ent...

@TranceforLife I believe those limits only cover 7.1. I've always gone off of what's listed here https://live.paloaltonetworks.com/t5/Learning-Articles/Working-with-External-Block-List-EBL-Formats-... unless people actually point out that they are running 7.1.* since most people seem to be ignoring it for now. 

the user is running 7.1.2 PAN-OS

ahh my bad. 

l have just tested trying using http, getting redirected to https. If it is listed on firewall through the cli that is fine, should work. Also could run test button to see if you are connected successfully. Should just work. Please follow link posted by BPry:

 

https://live.paloaltonetworks.com/t5/Learning-Articles/Working-with-External-Block-List-EBL-Formats-...

 

Hi all,

 

Thanks for your opinions. The device is a PAN 3020 and I think that the list are supported, the number of entries is ok.

 

https://live.paloaltonetworks.com/t5/PAN-OS-7-1-Videos/PAN-OS-7-1-URL-Filtering-Dynamic-Block-List-E...

 

I have tried to configure the list without https but continues without block the URLs listed in file.

The test source URL is correct, the list can be oppened.

 

The traffic do match in rule with the profile applied.

 

 

 

 

 

 

 

@COMIP I just tried to run that list on my own 3020 and while the link tests okay it wasn't able to actually pull anything from the list; I would assume because of the formatting. Can you run the command request system external-list show name (name) with the correct name of your list and see if there is actually anything within the list? You could also do a refresh instead of a show and monitor the specific job of the DBL refresh and see if it actually completes. 

@COMIP Do you know if your URL Filtering is working at all? 

Yes, URL Filtering is working.

@COMIP If URL is working and you have the rules setup for both incoming and outgoing traffic then I think the next step would be a TAC case. I would question how your rules are setup however, as you are going to need both one incoming and one outgoing if you are trying to test it by going to those websites. 

Yes the profiles are applied in both directions.

 

Thanks for your answers, I'm going to open a case.

 

 

 

  • 15046 Views
  • 16 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!