- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
05-14-2021 10:16 AM - edited 05-14-2021 10:17 AM
I have a simple ask to pull a list of IPs from an external txt file into a PAN. I can reach the URL and its simply a text file with CIDRs separated by lines. However, when looking at the list entries and exceptions its blank. I seem to have the same problem with a domain list as well. Has anyone done this before and can point me in the right direction?
The formatting is like below:
05-14-2021 01:20 PM - last edited on 05-14-2021 02:26 PM by jdelio
PAN actually publishes documentation on how you should be formatting EDLs so that the firewall can read it properly. I'd also recommend looking into MineMeld.
Formatting Guidelines for an External Dynamic List (paloaltonetworks.com)
05-16-2021 03:48 AM
Hi @drewdown ,
Make sure you are using this EDL in the policy, else PA will not fetch the EDL. If it present in the policy already , checking the ms.log might help.
05-17-2021 05:45 AM
I use minemeld already for o365 and the like but its a pain to setup.
05-17-2021 05:45 AM
That is one thing I didn't have, a policy referencing the EDL so I will set one up and see if it works.
05-18-2021 08:39 AM
Ok so now I can't seem to reference the external domain list in an policy. It doesn't show up as a destination or source. Anyone know why?
05-18-2021 06:51 PM
That usually points towards one of two issues:
1. The EDL isn't actually configured correctly and you aren't using the proper type so it's not showing where you expect it to.
2. The GUI is bugged out and it's just not filling the autocomplete. This can usually be resolved by clearing the cache, and potentially restarting management. You can also try just manually specifying the entry in the XML or CLI and see if the configuration validates properly. Sometimes that's all you need to do to kinda "force" it.
05-19-2021 06:53 AM - edited 05-19-2021 07:07 AM
I figured it out by trial and error.
So an EDL for DOMAINS can only be attached to an anti-spyware profile and after you do that it will populate the list of domains on the EDL itself. Until you do that it will complain about it not being referenced by a policy but you don't reference in a policy per se, its attached to anti-spyware profile on a policy.
PAN documentation is so convoluted that it took me a couple days to figure out the difference between an EDL for IPs for DOMAINS and how to implement them correctly.
06-14-2023 02:11 PM
I was having the same issue with an EDL for an IP List. I was not seeing the EDL's "List Entries and Exceptions" populated, it was just showing 0.0.0.0/32 even though the "Test Source URL" was testing successfully.
So i created a new test a new test policy, added my IP EDL to it, and moved it to the bottom of my policy list in Panorama...
Once i did that and pushed that out to the firewalls, then the EDL's "List Entries and Exceptions" populated with the listing i was expecting.
Success!
A couple of suggestions for improvements, PAN folks....
First, It would be helpful if the documentation actually explicitly called out that the EDL will not populate its "List Entries and Exceptions" until it has been referenced in a policy. I do not see that mentioned in the documentation i was reading. And in fact, this document is misleading (incorrect?) since it states "Before you Enforce Policy on an External Dynamic List, you can view the contents of an external dynamic list directly on the firewall to check if it contains certain IP addresses, domains, or URLs".
Secondly, I feel like that is a bad process/requirement to have the EDL used in a policy first before it populates, since I was hesitant to add the EDL to a policy until i could actually see and verify that the listing was correct first.
Just my 2 cents...
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!