The recommendation is to use EDLs in two separate rules:
One to cover connections going out to the bad IPs.
One to cover connections coming in from the bad IPs.
Ok, so I add another rule and will end up with 2 rules:
1. trust to untrust w/those 2 lists as destination
2. untrust to trust w/those 2 lists as source
Next question: can someone help me create a report to reference these two policies? I just want to know if it's getting hits and, if so, from where, how many, time, etc.
Assuming you will be doing this locally on your firewall (not Panorama) the steps are somewhat straightforward. There are several community articles and videos on the subject. Of course, you will also need to enable logging on the relevant security policy rules as well before you will have any log data to run reports against.
https://live.paloaltonetworks.com/t5/Tutorials/Getting-Started-Custom-Reports/ta-p/69951
https://live.paloaltonetworks.com/t5/Management-Articles/Create-a-Custom-Report/ta-p/55143
You'll want to build something similar to the example report below but you will need to play with it until you're capturing exactly what you'd like. Please be sure to include a query to match on the relevant security policy rules.
Here are the set commands from my example report:
set shared reports IPBL-Report type traffic sortby repeatcnt
set shared reports IPBL-Report type traffic group-by day-of-receive_time
set shared reports IPBL-Report type traffic aggregate-by [ rule from src sport srcloc to dst dport dstloc action ]
set shared reports IPBL-Report type traffic values repeatcnt
set shared reports IPBL-Report period last-24-hrs
set shared reports IPBL-Report topn 100
set shared reports IPBL-Report topm 50
set shared reports IPBL-Report caption IPBL-Report
set shared reports IPBL-Report query "(rule eq 'example IPBL rule 1') or (rule eq 'example IPBL rule 2')"
set shared reports IPBL-Report description "PAN Dynamic IP Lists"
And the XML:
reports {
  IPBL-Report {
    type {
      traffic {
        sortby repeatcnt;
        group-by day-of-receive_time;
        aggregate-by [ rule from src sport srcloc to dst dport dstloc action ];
        values repeatcnt;
      }
    }
    period last-24-hrs;
    topn 100;
    topm 50;
    caption IPBL-Report;
    query "(rule eq 'example IPBL rule 1') or (rule eq 'example IPBL rule 2')";
    description "PAN Dynamic IP Lists";
  }
}
Thanks.
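As an added example (not from this thread, and not Palo Alto Networks code), the same filter and aggregation the custom report above performs can be reproduced offline over an exported traffic log CSV. That is handy for confirming the two EDL rules are actually getting hits before scheduling the report, for answering "from where and how many" on an export from another firewall, and for catching a rule that matches the list but does not block. The column names follow the PAN-OS traffic log fields the report aggregates by (receive_time, rule, from, src, sport, srcloc, to, dst, dport, dstloc, action); the outbound rule name is the one shown in the thread's report output, while the inbound rule name and every log line below are constructed for the example.

```python
"""Offline tally of hits on the two EDL block rules from an exported PAN-OS traffic log.

Added example: the inbound rule name and the sample rows are assumptions, not data from the thread.
"""
import csv
import io
from collections import Counter, defaultdict

# Rule names. The outbound name appears in the thread's report output; the inbound one is an
# assumed name for the untrust->trust rule. Adjust both to match your rulebase.
OUTBOUND_RULE = "outbound-PA-dynamic-BLOCK"
INBOUND_RULE = "inbound-PA-dynamic-BLOCK"
EDL_RULES = {OUTBOUND_RULE, INBOUND_RULE}

# Constructed sample export (not real log data). Two outbound hits from one inside host,
# one unrelated allow, and two inbound hits from one listed IP, the second of which was allowed.
SAMPLE_CSV = """receive_time,rule,from,src,sport,srcloc,to,dst,dport,dstloc,action
2018/03/14 09:12:01,outbound-PA-dynamic-BLOCK,trust,10.102.20.55,51234,10.0.0.0-10.255.255.255,untrust,183.81.171.242,443,Mongolia,deny
2018/03/14 09:12:07,outbound-PA-dynamic-BLOCK,trust,10.102.20.55,51235,10.0.0.0-10.255.255.255,untrust,183.81.171.242,443,Mongolia,deny
2018/03/14 10:40:33,allow-web,trust,10.102.20.60,49152,10.0.0.0-10.255.255.255,untrust,203.0.113.10,443,United States,allow
2018/03/15 02:03:45,inbound-PA-dynamic-BLOCK,untrust,198.51.100.23,40001,Netherlands,trust,203.0.113.5,22,United States,deny
2018/03/15 02:05:10,inbound-PA-dynamic-BLOCK,untrust,198.51.100.23,40002,Netherlands,trust,203.0.113.5,22,United States,allow
"""

# Traffic log actions that mean the session was blocked.
BLOCKING_ACTIONS = {"deny", "drop", "reset-client", "reset-server", "reset-both"}


def parse_rows(text):
    """Parse a CSV export into dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def edl_hits(rows, rules=EDL_RULES):
    """Same filter as the report query: (rule eq A) or (rule eq B)."""
    return [r for r in rows if r["rule"] in rules]


def listed_ip_and_inside_host(row):
    """Which end of the flow is the EDL entry depends on the rule's direction:
    the outbound rule matches the list as destination, the inbound rule as source."""
    if row["rule"] == OUTBOUND_RULE:
        return row["dst"], row["src"]
    return row["src"], row["dst"]


def summarize(rows, rules=EDL_RULES):
    """Group by day and aggregate by the fields the report uses, with repeatcnt as the value.
    Returns {day: Counter{(rule, from, src, to, dst, dport, action): count}}."""
    per_day = defaultdict(Counter)
    for r in edl_hits(rows, rules):
        day = r["receive_time"].split(" ", 1)[0]
        key = (r["rule"], r["from"], r["src"], r["to"], r["dst"], r["dport"], r["action"])
        per_day[day][key] += 1
    return per_day


def listed_ips_by_hits(rows, rules=EDL_RULES):
    """Per listed IP: how many hits and which inside hosts were involved ('from where, how many')."""
    hits = defaultdict(lambda: {"count": 0, "inside_hosts": set()})
    for r in edl_hits(rows, rules):
        listed, inside = listed_ip_and_inside_host(r)
        hits[listed]["count"] += 1
        hits[listed]["inside_hosts"].add(inside)
    return dict(hits)


def not_denied(rows, rules=EDL_RULES):
    """Sanity check: a hit on one of the block rules whose action is not a blocking action
    means the rule is not doing what the thread intends (e.g. left on allow while testing)."""
    return [r for r in edl_hits(rows, rules) if r["action"] not in BLOCKING_ACTIONS]


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_CSV)
    for day, counter in sorted(summarize(rows).items()):
        for key, cnt in counter.most_common():
            print(day, cnt, *key)
    for ip, info in listed_ips_by_hits(rows).items():
        print(ip, info["count"], sorted(info["inside_hosts"]))
    for r in not_denied(rows):
        print("NOT BLOCKED:", r["receive_time"], r["rule"], r["src"], "->", r["dst"], r["action"])
```

Point parse_rows at a real export (Monitor > Logs > Traffic, export to CSV) and set the two rule names; the summary output lines up with the report's day, rule, source, destination and action columns, and anything printed under NOT BLOCKED deserves a look at the rule's action.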
So I created the report locally on an HA pair that has the two rules configured and ran it for the past 24 hours but got 'No matching records.' So to test I sent some traffic to one of the IPs on the list and ran the report again and it worked:
Day Received: Wed, Mar 14, 2018
Rule: outbound-PA-dynamic-BLOCK
Source Zone: trust
Source address: 10.102.20.55
Source Host Name: *******
Source Port: 0
Source Country: 10.0.0.0-10.255.255.255
Destination Zone: untrust
Destination address: 183.81.171.242
Destination Host Name: 183.81.171.242
Destination Country: Mongolia
Destination Port: 0
Action: deny
Thanks a ton bvandivier! One last question: where can I grab the XML of those reports so I can load it into another PA?
"Palo Alto Networks - High-risk IP addresses: This list includes IP addresses that have recently been featured in threat activity advisories distributed by high-trust organizations"
Is there a list of these high-trust organizations available?