New Palo Alto User - Dynamic Block List

Showing results for 
Show  only  | Search instead for 
Did you mean: 

New Palo Alto User - Dynamic Block List

Not applicable

Hi there,

I just got a new Palo Alto and I would like to load some IPs in a Dynamic Block List.  I have set up a Windows IIS Webserver on an old Server 2003 box with an IP  I have the site up and working and anoymous users can connect to it by going to  The document test.txt and is formatted like so:

When I configure the Dynamic Block List and click "Test URL"  I get URL Access Error.  If I use a non-domain account or computer on the network and type the URL as above I get access to the site.  Can anyone advise what I am missing to get this to work?  I have tried turning off the firewall, I can connect with anoymous users, there are no error logs on the server, wireshark doesn't show any attempt or traffic from the firewall IP when I click test URL.

Thanks for any advice!


Accepted Solutions

My problem was fixed by adding a service route under device, service tab and then clicking add service route.  In this section I had to add info specifying that the PA use internal interface to reach my web server rather than the management IP.  This was pretty easy and it worked immediately after the commit.

Thanks to everyone who responded.

View solution in original post


L5 Sessionator


Usually, PA uses own MGT port as a source port.

Are you connecting MGT port to your network and is it reachable from MGT to Win2003?

My PA-200 with 5.0.4 is working fine for Dynamic Block List.



L6 Presenter

Have you checked if your management ip has access to that ip address ?

L0 Member

I'm running 5.0.2 on a 5060 and have the same problem.  The firewall is wide open to the 5060 and I'm running tcpdump on the webserver, with no sign that the 5060 has even tried to connect to port 80 and retrieve the page.

We will be upgrading to 5.0.4, so hopefully this problem goes away with the upgrade.

Do you want the management interface to access the dynamic block list

If so,

1. the dynamic block list must be referenced in a security policy

2. the management interface must have access to the web server that houses the dynamic block list

3. If you have a service route for the URL (brightcloud updates) pointing out of the Untrust or the Trust interface, the request for the dynamic block list will also go out that way as such you must then create as service route explicitly stating that to get to the web server with the block list use the management interface (you can configure this in the right hand panel of the service router configuration)

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!