02-02-2018 07:04 AM
I just have the two default PA dynamic IP lists, but they each only have roughly 100 IPs. I would think there would be more than that but when I try to hit 'import now' it just fails. Anyone shed some light on how these two lists work and how often they are updated. And where can I verify that they have been being updated? I have active threat protection licenses.
02-02-2018 09:25 AM
Q: I can get a list of the IPs on the dynamic list by running these two commands from the cli:
request system external-list show type predefined-ip name panw-highrisk-ip-list
request system external-list show type predefined-ip name panw-known-ip-list
A: Yes, you can. You can also click on each list within the WebUI from Objects > External Dynamic Lists > List Entries and Exceptions to view list entries.
Q: is there a way to get a list of the URLs/IPS being blocked by the other PA policies?
A: If by "other PA policies" you are referring to URLs/IPs blocked by other features such as AV DNS signatures, etc there is no single aggregated list. Your best resource would be the Threat Vault @ https://threatvault.paloaltonetworks.com/
02-07-2018 02:06 PM
The recommendation is to use EDL's in two separate rules.
One to cover connections going out to the bad IP's
One to cover connections coming from the bad IP's.
02-09-2018 08:16 AM
Assuming you will be doing this locally on your firewall (not Panorama) the steps are somewhat straightforward. There are several community articles and videos on the subject. Of course, you will also need to enable logging on the relevant security policy rules as well before you will have any log data to run reports against.
https://live.paloaltonetworks.com/t5/Tutorials/Getting-Started-Custom-Reports/ta-p/69951
https://live.paloaltonetworks.com/t5/Management-Articles/Create-a-Custom-Report/ta-p/55143
You'll want to build something similar to the example report below but you will need to play with it until you're capturing exactly what you'd like. Please be sure to include a query to match on the relevant security policy rules.
Here are the set commands from my example report:
set shared reports IPBL-Report type traffic sortby repeatcnt
set shared reports IPBL-Report type traffic group-by day-of-receive_time
set shared reports IPBL-Report type traffic aggregate-by [ rule from src sport srcloc to dst dport dstloc action ]
set shared reports IPBL-Report type traffic values repeatcnt
set shared reports IPBL-Report period last-24-hrs
set shared reports IPBL-Report topn 100
set shared reports IPBL-Report topm 50
set shared reports IPBL-Report caption IPBL-Report
set shared reports IPBL-Report query "(rule eq 'example IPBL rule 1') or (rule eq 'example IPBL rule 2')"
set shared reports IPBL-Report description "PAN Dynamic IP Lists"
And the XML:
reports {
IPBL-Report {
type {
traffic {
sortby repeatcnt;
group-by day-of-receive_time;
aggregate-by [ rule from src sport srcloc to dst dport dstloc action];
values repeatcnt;
}
}
period last-24-hrs;
topn 100;
topm 50;
caption IPBL-Report;
query "(rule eq 'example IPBL rule 1') or (rule eq 'example IPBL rule 2')";
description "PAN Dynamic IP Lists";
}
}
02-02-2018 08:41 AM
Hello, the 'import now' failure for your pre-defined lists is an expected behavior. These lists are not updated through a manual import now action. The following can be found within the WebUI help pages of a PAN-OS device.
With an active Threat Prevention license, Palo Alto Networks® provides two Dynamic IP Lists: Palo Alto Networks - High risk IP addresses and Palo Alto Networks - Known malicious IP addresses. These feeds both contain malicious IP address entries, which you can use to block traffic from malicious hosts. The firewall receives daily updates for these feeds through antivirus content updates.
Please also note that you cannot edit, delete, or clone these predefined lists.
We carefully evaluate what IP addresses should be included on a daily basis. Due to the sharing and recycling of IP address, it is very hard to conclude that an IP address is malicious in all aspects. So for IP Blocklists, we only release those that have been manually verified. We believe these have achieved reasonably good coverage.
02-02-2018 08:43 AM
Thanks, so its safe to assume that the 100 or so IPs I currently have on that list is what PA currently believes to be malicious?
02-02-2018 08:49 AM
That is correct. Other coverage for malicious domains/IPs/URLs is provided in the form of Antivirus DNS signatures, Wildfire DNS signatures, as well as PAN-DB URL Filtering malware, phishing, and command-and-control categories.
02-02-2018 09:09 AM
I can get a list of the IPs on the dynamic list by running these two commands from the cli:
request system external-list show type predefined-ip name panw-highrisk-ip-list
request system external-list show type predefined-ip name panw-known-ip-list
is there a way to get a list of the URLs/IPS being blocked by the other PA policies?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!