I just got a new Palo Alto and I would like to load some IPs in a Dynamic Block List. I have set up a Windows IIS web server on an old Server 2003 box with the IP 192.168.1.33. I have the site up and working, and anonymous users can connect to it by going to http://192.168.1.33/test.txt. The document test.txt is formatted like so:
When I configure the Dynamic Block List and click "Test URL" I get URL Access Error. If I use a non-domain account or computer on the network and type the URL as above, I get access to the site. Can anyone advise what I am missing to get this to work? I have tried turning off the firewall; I can connect with anonymous users; there are no error logs on the server; and Wireshark doesn't show any attempt or traffic from the firewall IP when I click Test URL.
Thanks for any advice!
My problem was fixed by adding a service route under Device, Service tab, and then clicking Add Service Route. In this section I had to add info specifying that the PA use the internal interface to reach my web server rather than the management IP. This was pretty easy and it worked immediately after the commit.
Thanks to everyone who responded.
I'm running 5.0.2 on a 5060 and have the same problem. The firewall is wide open to the 5060 and I'm running tcpdump on the webserver, with no sign that the 5060 has even tried to connect to port 80 and retrieve the page.
We will be upgrading to 5.0.4, so hopefully this problem goes away with the upgrade.
Do you want the management interface to access the dynamic block list?
1. The dynamic block list must be referenced in a security policy.
2. The management interface must have access to the web server that houses the dynamic block list.
3. If you have a service route for URL (BrightCloud) updates pointing out of the Untrust or the Trust interface, the request for the dynamic block list will also go out that way. In that case you must create a service route explicitly stating that the management interface is used to reach the web server with the block list (you can configure this in the right-hand panel of the service route configuration).
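Two checks that follow from this thread, written as an added example (not code from the thread's posters or from Palo Alto Networks): validating the block-list file before publishing it on the web server, and reading the IIS W3C log to see which source address actually fetched it, which is how you tell a management-interface fetch from a data-interface fetch after adding a service route. Everything here is assumed or constructed: the list format (one IP, CIDR prefix or start-end range per line, `#` starting a comment), the IIS field layout in the sample log, and the firewall addresses 192.168.1.1 (data interface) and 192.168.1.2 (management) are hypothetical; only the web server address 192.168.1.33 comes from the post.

```python
"""Block-list validation and fetch verification for a dynamic block list
served from IIS. Added example; the list format, log layout and firewall
addresses are assumptions, and all sample data below is constructed."""
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample of a test.txt block list. Assumed format: one entry per
# line (IP, CIDR prefix or "start-end" range), '#' starts a comment.
SAMPLE_LIST = """# constructed sample test.txt
203.0.113.5
198.51.100.0/24
192.0.2.10-192.0.2.20
2001:db8::/32
not-an-ip
"""

# Constructed IIS 6 W3C log excerpt. 192.168.1.33 is the web server from the
# post; 192.168.1.50 is a hypothetical workstation and 192.168.1.1 the
# hypothetical data-interface address of the firewall.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2013-04-01 10:00:01 192.168.1.33 GET /test.txt - 80 - 192.168.1.50 Mozilla/5.0 200 0 0
2013-04-01 10:05:12 192.168.1.33 GET /test.txt - 80 - 192.168.1.1 - 200 0 0
2013-04-01 10:06:00 192.168.1.33 GET /index.htm - 80 - 192.168.1.50 Mozilla/5.0 200 0 0
"""


def validate_block_list(text: str) -> Tuple[List[str], List[Tuple[int, str]]]:
    """Return (valid entries, [(line number, raw line)] for entries that
    would not parse). A bad line is worth catching before the firewall
    fetches the file, since one malformed entry can fail the whole list."""
    valid: List[str] = []
    bad: List[Tuple[int, str]] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not entry:
            continue
        try:
            if "-" in entry:  # start-end range, both ends of the same family
                start, end = (part.strip() for part in entry.split("-", 1))
                first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
                if first.version != last.version or first > last:
                    raise ValueError("inverted or mixed-family range")
            else:  # single address or CIDR prefix
                ipaddress.ip_network(entry, strict=False)
            valid.append(entry)
        except ValueError:
            bad.append((lineno, raw))
    return valid, bad


def parse_iis_log(log_text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log lines into dicts keyed by the #Fields header."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):  # other directives (#Software, #Version, ...)
            continue
        parts = line.split()
        if fields and len(parts) == len(fields):
            rows.append(dict(zip(fields, parts)))
    return rows


def list_fetches(log_text: str, uri: str = "/test.txt") -> Dict[str, int]:
    """Count GET requests for the block list per client address."""
    counts: Dict[str, int] = {}
    for row in parse_iis_log(log_text):
        if row.get("cs-method") == "GET" and row.get("cs-uri-stem") == uri:
            counts[row["c-ip"]] = counts.get(row["c-ip"], 0) + 1
    return counts


def firewall_fetch_seen(log_text: str, firewall_ips: List[str],
                        uri: str = "/test.txt") -> Dict[str, int]:
    """For each candidate firewall address (data interface, management),
    report how many times it fetched the list. After the service route
    change in the thread, the data-interface address should be the one
    with a non-zero count."""
    seen = list_fetches(log_text, uri)
    return {ip: seen.get(ip, 0) for ip in firewall_ips}


if __name__ == "__main__":
    good, broken = validate_block_list(SAMPLE_LIST)
    print("valid entries:", good)
    print("rejected lines:", broken)
    print("fetches by firewall address:",
          firewall_fetch_seen(SAMPLE_LOG, ["192.168.1.1", "192.168.1.2"]))
```

Run it against the real test.txt and the live IIS log (default location under `%SystemRoot%\system32\LogFiles` on IIS 6) once "Test URL" has been clicked: a zero count for both firewall addresses matches the original symptom in the post, where no traffic from the firewall reached the server at all, while a count only against the management address means the service route has not been applied to the block-list fetch.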