External Dynamic List is not showing while creating a policy.

I am trying to create an external dynamic list to block incoming traffic from some IPs. I have created an EDL list listening to a server on LAN to fetch the IPs. However, when I am trying to create a policy, the EDL option is not showing under the drop down menu. Is there anything I am missing?

Thanks in advance!

Screenshots are attached for reference.

1.png

2.png

3.png

Cyber Elite

Hi @N.inMedicalSciences,

Could you type in the first few letters of the EDL name to show that there are no matches in the drop down list?

Thanks,

Tom

Help the community: Like helpful comments and mark solutions.

Clicking the Test Source URL button gives a URL access error.

image.png

However, the link is accessible when checking in a browser:

image2.png

This means the management interface does not have access to the URL; you may be blocking it on the firewall or on an access list on the server?

Verify your traffic logs to see if it is maybe hitting a drop rule (make sure you account for the implied drop rule; it may be getting discarded without a log).

The EDL will not show up in the policy until it is populated with _something_ (else you would be building an invalid policy), so you need to create the EDL and have the firewall fetch the entries before using it in a rule.

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
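The two failure modes discussed in this thread, a source URL the management plane cannot open and a list that comes back empty or malformed, are easy to reproduce outside the firewall before blaming the policy editor. The script below is an added example written for this thread; it is not Palo Alto Networks code and it does not talk to PAN-OS. It fetches a list from a URL you pass on the command line (no default URL is assumed), classifies the result as reachable, empty, HTTP error or unreachable, and validates each line as a single IP, a CIDR block or a low-high range. Treating lines that begin with "#" as comments is an assumption of this example; check the EDL formatting guidelines for your PAN-OS version. The embedded sample list is constructed for demonstration.

```python
"""Validate an IP-type External Dynamic List (EDL) before pointing a
firewall at it.

Added example for this thread, not Palo Alto Networks code. Assumptions:
one entry per line as a single IP, a CIDR block, or a range written
'lo-hi'; lines starting with '#' are skipped as comments (assumption).
"""
import ipaddress
import sys
import urllib.error
import urllib.request

# Constructed sample list: valid entries mixed with mistakes that a
# home-grown list generator could easily emit.
SAMPLE_EDL = """# blocked sources (constructed sample)
203.0.113.7
198.51.100.0/24
192.0.2.10-192.0.2.20
2001:db8::/32
203.0.113.7
not-an-ip
10.0.0.0/8 extra
"""


def parse_entry(raw):
    """Normalize one EDL line. Returns the canonical entry, or None when
    the line is not a single IP, a CIDR block or a lo-hi range."""
    try:
        if "-" in raw:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in raw.split("-", 1))
            if lo.version != hi.version or lo > hi:
                return None
            return f"{lo}-{hi}"
        if "/" in raw:
            # strict=False accepts host bits set, as in 10.1.1.1/24
            return str(ipaddress.ip_network(raw, strict=False))
        return str(ipaddress.ip_address(raw))
    except ValueError:
        return None


def parse_edl(text):
    """Parse EDL text into a report: unique valid entries in file order,
    the number of duplicates dropped, and rejected (lineno, line) pairs."""
    entries, seen, invalid, duplicates = [], set(), [], 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # assumption: '#' is a comment
            continue
        entry = parse_entry(line)
        if entry is None:
            invalid.append((lineno, line))
        elif entry in seen:
            duplicates += 1
        else:
            seen.add(entry)
            entries.append(entry)
    return {"entries": entries, "duplicates": duplicates, "invalid": invalid}


def fetch_edl(url, timeout=5):
    """Fetch the list over HTTP(S) and classify the outcome so a generic
    'URL access error' becomes actionable. Returns (status, body) where
    status is 'ok', 'empty', 'http-<code>' or 'unreachable'."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:  # server answered, but with an error
        return f"http-{exc.code}", ""
    except (urllib.error.URLError, OSError) as exc:  # DNS, TCP, TLS, timeout
        return "unreachable", str(getattr(exc, "reason", exc))
    return ("empty" if not body.strip() else "ok"), body


if __name__ == "__main__":
    if len(sys.argv) > 1:
        status, text = fetch_edl(sys.argv[1])  # e.g. http://<edl-host>/list.txt
        print("source:", status)
    else:
        text = SAMPLE_EDL
    report = parse_edl(text)
    print(f"{len(report['entries'])} entries, {report['duplicates']} duplicates")
    for lineno, line in report["invalid"]:
        print(f"line {lineno}: rejected {line!r}")
```

Run it from a host on the same management network as the firewall so that an "unreachable" result points at the same path (routing, access lists, an intervening policy) the firewall's management interface would take, rather than at the path from your workstation browser.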

Using the command show interface management, I got the management IP address 172.16.39.9. Then I logged in as admin and was able to ping the server hosting the EDL, which is running on 172.16.36.8.

ping.png

Checked the traffic logs but saw no deny for 172.16.39.9.

Appreciate the help given by the community.

Cyber Elite

Hi @N.inMedicalSciences,

Your 1st issue was the EDL did not show up in the drop down. I saw that you had a lot of entries. The NGFW will only show a limited number of items in the drop down. I asked you to start typing in the name of the EDL so it would show up. I got no response from you. The EDL will show up in the drop down after you create it. The EDL does not need to be populated before it will show up in a policy. I have configured it many times. There are some caveats on Panorama, but you are not using Panorama. In fact, the NGFW will NOT automatically retrieve the EDL until it is used in a policy. https://docs.paloaltonetworks.com/network-security/security-policy/administration/objects/external-d... ("The list might be empty if:").

Your 2nd issue is your URL access error. Unless you have a bug, the issue is that the management interface cannot open the URL, as @reaper said. I am curious why you blacked out the URL from your browser image. It may be just habit. It should be 172.16.36.8, just like you said and is, in fact, clearly shown in your 1st image. The browser URL and EDL URL need to match exactly as a good test.

There is a known bug with 9.1 when using client authentication: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000004MUqCAM&lang=en_US

You are not using client authentication. (I also saw the bug listed for 10.1.5, which was weird.)

Here is a good document to troubleshoot further: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000001Vx5CAE&lang=en_US%E2%80%A...

Thanks,

Tom

Help the community: Like helpful comments and mark solutions.