Dynamic IP List import now failed


L4 Transporter

I just have the two default PA dynamic IP lists, but they each only have roughly 100 IPs.  I would think there would be more than that, but when I try to hit 'import now' it just fails.  Can anyone shed some light on how these two lists work and how often they are updated?  And where can I verify that they are being updated? I have active threat protection licenses.


Accepted Solutions

Q: I can get a list of the IPs on the dynamic list by running these two commands from the cli:

 

request system external-list show type predefined-ip name panw-highrisk-ip-list

request system external-list show type predefined-ip name panw-known-ip-list

 

A: Yes, you can.  You can also click on each list within the WebUI from Objects > External Dynamic Lists > List Entries and Exceptions to view list entries.

 

Q: Is there a way to get a list of the URLs/IPs being blocked by the other PA policies?

 

A: If by "other PA policies" you are referring to URLs/IPs blocked by other features such as AV, DNS signatures, etc., there is no single aggregated list.  Your best resource would be the Threat Vault @ https://threatvault.paloaltonetworks.com/


The recommendation is to use EDLs in two separate rules.

One to cover connections going out to the bad IPs.

One to cover connections coming from the bad IPs.


Assuming you will be doing this locally on your firewall (not Panorama) the steps are somewhat straightforward.  There are several community articles and videos on the subject.  Of course, you will also need to enable logging on the relevant security policy rules as well before you will have any log data to run reports against.

 

https://live.paloaltonetworks.com/t5/Tutorials/Getting-Started-Custom-Reports/ta-p/69951

https://live.paloaltonetworks.com/t5/Management-Articles/Create-a-Custom-Report/ta-p/55143

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Create-and-Schedule-a-Custom-Repo...

 

You'll want to build something similar to the example report below but you will need to play with it until you're capturing exactly what you'd like.  Please be sure to include a query to match on the relevant security policy rules.

 

[Screenshot of the example custom report configuration]

 

Here are the set commands from my example report:

 

set shared reports IPBL-Report type traffic sortby repeatcnt
set shared reports IPBL-Report type traffic group-by day-of-receive_time
set shared reports IPBL-Report type traffic aggregate-by [ rule from src sport srcloc to dst dport dstloc action ]
set shared reports IPBL-Report type traffic values repeatcnt
set shared reports IPBL-Report period last-24-hrs
set shared reports IPBL-Report topn 100
set shared reports IPBL-Report topm 50
set shared reports IPBL-Report caption IPBL-Report
set shared reports IPBL-Report query "(rule eq 'example IPBL rule 1') or (rule eq 'example IPBL rule 2')"
set shared reports IPBL-Report description "PAN Dynamic IP Lists"

 

And the XML:

 

reports {
  IPBL-Report {
    type {
      traffic {
        sortby repeatcnt;
        group-by day-of-receive_time;
        aggregate-by [ rule from src sport srcloc to dst dport dstloc action ];
        values repeatcnt;
      }
    }
    period last-24-hrs;
    topn 100;
    topm 50;
    caption IPBL-Report;
    query "(rule eq 'example IPBL rule 1') or (rule eq 'example IPBL rule 2')";
    description "PAN Dynamic IP Lists";
  }
}


15 Replies

L5 Sessionator

Hello, the 'import now' failure for your pre-defined lists is an expected behavior.  These lists are not updated through a manual import now action.  The following can be found within the WebUI help pages of a PAN-OS device.

 

With an active Threat Prevention license, Palo Alto Networks® provides two Dynamic IP Lists: Palo Alto Networks - High risk IP addresses and Palo Alto Networks - Known malicious IP addresses. These feeds both contain malicious IP address entries, which you can use to block traffic from malicious hosts. The firewall receives daily updates for these feeds through antivirus content updates.

 

Please also note that you cannot edit, delete, or clone these predefined lists.

 

We carefully evaluate what IP addresses should be included on a daily basis.  Due to the sharing and recycling of IP addresses, it is very hard to conclude that an IP address is malicious in all aspects. So for IP Blocklists, we only release those that have been manually verified.  We believe these have achieved reasonably good coverage.

Thanks, so it's safe to assume that the 100 or so IPs I currently have on that list are what PA currently believes to be malicious?

That is correct.  Other coverage for malicious domains/IPs/URLs is provided in the form of Antivirus DNS signatures, Wildfire DNS signatures, as well as PAN-DB URL Filtering malware, phishing, and command-and-control categories.

I can get a list of the IPs on the dynamic list by running these two commands from the cli:

 

request system external-list show type predefined-ip name panw-highrisk-ip-list

request system external-list show type predefined-ip name panw-known-ip-list

 

Is there a way to get a list of the URLs/IPs being blocked by the other PA policies?
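An added example in Python (not from this thread or from Palo Alto Networks) that serves two points raised above: verifying that a predefined list is actually changing between daily content updates by diffing saved output of the `request system external-list show` commands, and checking exported traffic-log rows against the list split by direction, as in the two-rule recommendation. The snapshot format (one address or CIDR per line) and the log rows are constructed assumptions, not the firewall's documented output.

```python
import ipaddress
from collections import Counter

# Constructed daily snapshots of one predefined EDL, as saved from
#   request system external-list show type predefined-ip name panw-known-ip-list
# Assumption: one address or CIDR per line (not the firewall's documented format).
SNAPSHOT_DAY1 = "198.51.100.23\n203.0.113.0/24\n192.0.2.77\n"
SNAPSHOT_DAY2 = "198.51.100.23\n203.0.113.0/24\n192.0.2.200\n"

# Constructed traffic-log rows: (src, dst, rule, action), as a CSV export would carry them.
TRAFFIC_LOG = [
    ("10.1.1.5", "203.0.113.9", "example IPBL rule 1", "deny"),
    ("192.0.2.200", "10.1.1.80", "example IPBL rule 2", "deny"),
    ("10.1.1.7", "8.8.8.8", "allow-internet", "allow"),
]

def parse_edl(text):
    """Parse a snapshot into ip_network objects; a malformed line raises rather than being silently dropped."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets

def edl_changes(old_text, new_text):
    """Diff two snapshots: (added, removed). An empty diff day after day means the feed is not refreshing."""
    old = {str(n) for n in parse_edl(old_text)}
    new = {str(n) for n in parse_edl(new_text)}
    return sorted(new - old), sorted(old - new)

def in_edl(addr, nets):
    # Membership test that also handles CIDR entries; mismatched IP versions simply return False.
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)

def classify_hits(rows, nets):
    """Count rows per (direction, rule), mirroring the two-rule design:
    'inbound' when the source is listed, 'outbound' when the destination is."""
    counts = Counter()
    for src, dst, rule, _action in rows:
        if in_edl(src, nets):
            counts[("inbound", rule)] += 1
        if in_edl(dst, nets):
            counts[("outbound", rule)] += 1
    return counts
```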
