Questions about EDL


L2 Linker

Hello,

I have a firewall rule on the Internet firewall like this:

 

Source: Palo Alto Networks - High risk IP addresses - Palo Alto Networks - Known malicious IP addresses

Destination Any

Service Any

Action: drop

 

So if an IP inside the two EDLs tries to reach a public customer service, it will be dropped, right?

How is this list updated? Is there a package, like the Threat one, that I have to download with the PA scheduler?

I found an IP that is flagged as malicious by AbuseIPDB with 28% confidence.

I checked the same IP on the Internet firewall:

request system external-list global-find string x.x.x.x

The answer was that the IP is not present in the list.

So does it mean that Palo Alto didn't consider this IP malicious?

 

 

 

Accepted Solutions

L7 Applicator

Hi @Charlie80 

It does not necessarily mean that Palo Alto considers it benign, but maybe it is simply not confident enough to add it, as the goal is also to have as few false positives as possible. 28% confidence on AbuseIPDB is also not that high. In addition, you will always find other sources with additional IPs/URLs that are not blocked by Palo Alto, as this company also does not know everything. Sometimes it makes sense to create such drop policies with more than just one list.

@kiwi isn't it updated with the antivirus updates, as only this one is updated daily?
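The point of the answer above, that a miss in one list is not a verdict and that a drop policy can draw on more than one list, shown as an added example (not code from the thread or from Palo Alto Networks). The list names, the line format (one IP, CIDR or start-end range per line, with `#` comments) and the sample addresses from documentation ranges are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample lists; addresses come from documentation ranges.
LISTS = {
    "list-a": "# constructed sample\n198.51.100.7\n203.0.113.0/28\n",
    "list-b": "192.0.2.10-192.0.2.20\n198.51.100.7  # also in list-a\nnot-an-ip\n",
}

def parse_list(text):
    """Parse a text IP list into [(network, original_entry)] plus skipped lines.
    Assumed format: one IP, CIDR or 'start-end' range per line, '#' comments."""
    entries, skipped = [], []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            if "-" in entry:
                start, end = (ipaddress.ip_address(p.strip())
                              for p in entry.split("-", 1))
                nets = ipaddress.summarize_address_range(start, end)
            else:
                nets = [ipaddress.ip_network(entry, strict=False)]
            entries.extend((net, entry) for net in nets)
        except (ValueError, TypeError):
            skipped.append(raw)  # malformed line: report it, do not guess
    return entries, skipped

def find_in_lists(ip, lists):
    """Return {list_name: matching entry or None}, one verdict per list."""
    addr = ipaddress.ip_address(ip)
    result = {}
    for name, text in lists.items():
        entries, _ = parse_list(text)
        result[name] = next(
            (entry for net, entry in entries
             if net.version == addr.version and addr in net), None)
    return result

def should_drop(ip, lists):
    """A rule that references every list drops on a hit in any one of them."""
    return any(hit is not None for hit in find_in_lists(ip, lists).values())

if __name__ == "__main__":
    for ip in ("192.0.2.15", "203.0.113.5", "203.0.113.16"):
        print(ip, find_in_lists(ip, LISTS), "drop" if should_drop(ip, LISTS) else "no match")
```

A result of `None` for a list only says that this list has no entry covering the address; the per-list output makes it visible which source, if any, produced the drop.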


Community Team Member

Hi @Charlie80 

 

Yes, an IP within the EDL should be dropped by your policy.

With an active Threat Prevention license, Palo Alto Networks provides multiple built-in dynamic IP lists that you can use to block malicious hosts. The list is updated daily. The download is part of the Threats dynamic update schedule.

 

Kind regards,

-Kim.

LIVEcommunity team member, CISSP
Cheers,
Kiwi

Thanks,

Have you any idea regarding the last question?

 

I found an IP that is flagged as malicious by AbuseIPDB with 28% confidence.

I checked the same IP on the Internet firewall:

request system external-list global-find string x.x.x.x

The answer was that the IP is not present in the list.

So does it mean that Palo Alto didn't consider this IP malicious?



L0 Member

Hello Team,

We are not able to add the predefined EDL list to the Security Policy. Please help with it.

Community Team Member

Hi @ltinetwork ,

 

What seems to be the problem?

With an active Threat Prevention license, Palo Alto Networks provides built-in IP address EDLs that you can use to protect against malicious hosts. You should be able to select them as a source or destination address object in a Security Policy Rule as shown below.

[Image: kiwi_0-1709306974471.png]

What seems to be the problem exactly?

You don't see them? Is your threat license active?

 

Kind regards,

-Kim.

LIVEcommunity team member, CISSP
Cheers,
Kiwi