External list not populating

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

External list not populating

L4 Transporter

I have a simple ask to pull a list of IPs from an external txt file into a PAN.   I can reach the URL and its simply a text file with CIDRs separated by lines.  However, when looking at the list entries and exceptions its blank.   I seem to have the same problem with a domain list as well.  Has anyone done this before and can point me in the right direction? 

 

The formatting is like below: 

drewdown_0-1621012597299.png

 

8 REPLIES 8

Cyber Elite
Cyber Elite

@drewdown,

PAN actually publishes documentation on how you should be formatting EDLs so that the firewall can read it properly. I'd also recommend looking into MineMeld. 

Formatting Guidelines for an External Dynamic List (paloaltonetworks.com)

L4 Transporter

Hi @drewdown ,

 

Make sure you are using this EDL in the policy, else PA will not fetch the EDL. If it present in the policy already , checking the ms.log might help.

I use minemeld already for o365 and the like but its a pain to setup.  

That is one thing I didn't have, a policy referencing the EDL so I will set one up and see if it works. 

Ok so now I can't seem to reference the external domain list in an policy.  It doesn't show up as a destination or source.  Anyone know why? 

@drewdown,

That usually points towards one of two issues:

1. The EDL isn't actually configured correctly and you aren't using the proper type so it's not showing where you expect it to.

2. The GUI is bugged out and it's just not filling the autocomplete. This can usually be resolved by clearing the cache, and potentially restarting management. You can also try just manually specifying the entry in the XML or CLI and see if the configuration validates properly. Sometimes that's all you need to do to kinda "force" it.

I figured it out by trial and error. 

 

So an EDL for DOMAINS can only be attached to an anti-spyware profile and after you do that it will populate the list of domains on the EDL itself.  Until you do that it will complain about it not being referenced by a policy but you don't reference in a policy per se, its attached to anti-spyware profile on a policy.

 

PAN documentation is so convoluted that it took me a couple days to figure out the difference between an EDL for IPs for DOMAINS and how to implement them correctly. 

 

drewdown_0-1621432318040.png

 

drewdown_1-1621433257902.png

 

 

L1 Bithead

I was having the same issue with an EDL for an IP List.  I was not seeing the EDL's "List Entries and Exceptions" populated, it was just showing 0.0.0.0/32 even though the "Test Source URL" was testing successfully.

 

So i created a new test a new test policy, added my IP EDL to it, and moved it to the bottom of my policy list in Panorama...

Once i did that and pushed that out to the firewalls, then the EDL's "List Entries and Exceptions" populated with the listing i was expecting.

Success!

 

 

A couple of suggestions for improvements, PAN folks....

 

First, It would be helpful if the documentation actually explicitly called out that the EDL will not populate its "List Entries and Exceptions" until it has been referenced in a policy. I do not see that mentioned in the documentation i was reading.  And in fact, this document is misleading (incorrect?) since it states "Before you Enforce Policy on an External Dynamic List, you can view the contents of an external dynamic list directly on the firewall to check if it contains certain IP addresses, domains, or URLs".

 

Secondly, I feel like that is a bad process/requirement to have the EDL used in a policy first before it populates, since I was hesitant to add the EDL to a policy until i could actually see and verify that the listing was correct first. 

Just my 2 cents...

peace,
dannyB
  • 8698 Views
  • 8 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!