08-30-2023 06:42 AM - edited 08-31-2023 10:09 AM
Hi @Ismailsh ,
That is a great question! EDIT: Sorry! I thought you were asking about custom EDLs. The built-in EDLs are updated through content updates. https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/policy/use-an-external-dynamic-list-in-pol... I don't think the NGFW logs those changes.
To check the status of custom EDLs, you can check Monitor > Logs > Systems for EDL messages. Use the filter ( description contains 'EDL' ). The logs will let you know if the refresh succeeded or failed, if there were updates or not, etc.
You can also examine the contents of the EDL itself under Objects > External Dynamic Lists > [edit list] > List Entries and Exceptions.
EDIT2: It looks like the built-in EDLs are updated with the AV updates.
> request system external-list stats type predefined-ip name panw-known-ip-list
Predefined IP list available in AV content
I checked the List Entries of "Palo Alto Networks - Known malicious IP addresses" before and after an AV update, and the number changed. I am currently getting an AV update everyday, although I do not know if the built-in EDLs change with every update.
Thanks,
Tom
