Dynamic IP List import now failed

Reply
Highlighted
L4 Transporter

Dynamic IP List import now failed

I just have the two default PA dynamic IP lists, but they each only have roughly 100 IPs.  I would think there would be more than that but when I try to hit 'import now' it just fails.  Anyone shed some light on how these two lists work and how often they are updated.  And where can I verify that they have been being updated? I have active threat protection licenses. 


Accepted Solutions
Highlighted
L5 Sessionator

Q: I can get a list of the IPs on the dynamic list by running these two commands from the cli:

 

request system external-list show type predefined-ip name panw-highrisk-ip-list

request system external-list show type predefined-ip name panw-known-ip-list

 

A: Yes, you can.  You can also click on each list within the WebUI from Objects > External Dynamic Lists > List Entries and Exceptions to view list entries.

 

Q: is there a way to get a list of the URLs/IPS being blocked by the other PA policies?

 

A: If by "other PA policies" you are referring to URLs/IPs blocked by other features such as AV DNS signatures, etc there is no single aggregated list.  Your best resource would be the Threat Vault @ https://threatvault.paloaltonetworks.com/

View solution in original post

Highlighted
L7 Applicator

The recommendation is to use EDL's in two separate rules.

One to cover connections going out to the bad IP's

One to cover connections coming from the bad IP's.

View solution in original post

Highlighted
L5 Sessionator

Assuming you will be doing this locally on your firewall (not Panorama) the steps are somewhat straightforward.  There are several community articles and videos on the subject.  Of course, you will also need to enable logging on the relevant security policy rules as well before you will have any log data to run reports against.

 

https://live.paloaltonetworks.com/t5/Tutorials/Getting-Started-Custom-Reports/ta-p/69951

https://live.paloaltonetworks.com/t5/Management-Articles/Create-a-Custom-Report/ta-p/55143

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Create-and-Schedule-a-Custom-Repo...

 

You'll want to build something similar to the example report below but you will need to play with it until you're capturing exactly what you'd like.  Please be sure to include a query to match on the relevant security policy rules.

 

Screen Shot 2018-02-09 at 10.04.21 AM.png

 

Here are the set commands from my example report:

 

set shared reports IPBL-Report type traffic sortby repeatcnt
set shared reports IPBL-Report type traffic group-by day-of-receive_time
set shared reports IPBL-Report type traffic aggregate-by [ rule from src sport srcloc to dst dport dstloc action ]
set shared reports IPBL-Report type traffic values repeatcnt
set shared reports IPBL-Report period last-24-hrs
set shared reports IPBL-Report topn 100
set shared reports IPBL-Report topm 50
set shared reports IPBL-Report caption IPBL-Report
set shared reports IPBL-Report query "(rule eq 'example IPBL rule 1') or (rule eq 'example IPBL rule 2')"
set shared reports IPBL-Report description "PAN Dynamic IP Lists"

 

And the XML:

 

reports {
IPBL-Report {
type {
traffic {
sortby repeatcnt;
group-by day-of-receive_time;
aggregate-by [ rule from src sport srcloc to dst dport dstloc action];
values repeatcnt;
}
}
period last-24-hrs;
topn 100;
topm 50;
caption IPBL-Report;
query "(rule eq 'example IPBL rule 1') or (rule eq 'example IPBL rule 2')";
description "PAN Dynamic IP Lists";
}
}

View solution in original post


All Replies
Highlighted
L5 Sessionator

Hello, the 'import now' failure for your pre-defined lists is an expected behavior.  These lists are not updated through a manual import now action.  The following can be found within the WebUI help pages of a PAN-OS device.

 

With an active Threat Prevention license, Palo Alto Networks® provides two Dynamic IP Lists: Palo Alto Networks - High risk IP addresses and Palo Alto Networks - Known malicious IP addresses. These feeds both contain malicious IP address entries, which you can use to block traffic from malicious hosts. The firewall receives daily updates for these feeds through antivirus content updates.

 

Please also note that you cannot edit, delete, or clone these predefined lists.

 

We carefully evaluate what IP addresses should be included on a daily basis.  Due to the sharing and recycling of IP address, it is very hard to conclude that an IP address is malicious in all aspects. So for IP Blocklists, we only release those that have been manually verified.  We believe these have achieved reasonably good coverage.

Highlighted
L4 Transporter

Thanks, so its safe to assume that the 100 or so IPs I currently have on that list is what PA currently believes to be malicious?  

Highlighted
L5 Sessionator

That is correct.  Other coverage for malicious domains/IPs/URLs is provided in the form of Antivirus DNS signatures, Wildfire DNS signatures, as well as PAN-DB URL Filtering malware, phishing, and command-and-control categories.

Highlighted
L4 Transporter

I can get a list of the IPs on the dynamic list by running these two commands from the cli:

 

request system external-list show type predefined-ip name panw-highrisk-ip-list

request system external-list show type predefined-ip name panw-known-ip-list

 

is there a way to get a list of the URLs/IPS being blocked by the other PA policies?

Highlighted
L5 Sessionator

Q: I can get a list of the IPs on the dynamic list by running these two commands from the cli:

 

request system external-list show type predefined-ip name panw-highrisk-ip-list

request system external-list show type predefined-ip name panw-known-ip-list

 

A: Yes, you can.  You can also click on each list within the WebUI from Objects > External Dynamic Lists > List Entries and Exceptions to view list entries.

 

Q: is there a way to get a list of the URLs/IPS being blocked by the other PA policies?

 

A: If by "other PA policies" you are referring to URLs/IPs blocked by other features such as AV DNS signatures, etc there is no single aggregated list.  Your best resource would be the Threat Vault @ https://threatvault.paloaltonetworks.com/

View solution in original post

Highlighted
L1 Bithead

I am looking for more information and found the following for DNS, this is good stuff.

https://live.paloaltonetworks.com/t5/Threat-Vulnerability-Articles/What-are-suspicious-DNS-queries/t...

 

1)  The DNS list comes out daily and the IP lists come out daily - is there any overlap or is this IP list specifically only the things out there that do not have a DNS or Domain Name.

2) What are the High Risk IP Address List ? I see the note on the description is that just a IP addresses from other lists that are not in your Malicious list. I am trying to decide if it should be blocked. We will assume the Known Malicious IP Addresses are bad and block those.

 

Is there a good detailed list of links I can look at for DNS ( AV and Wildfire) as well as the IP lists?

Highlighted
L5 Sessionator

Hello, please see answers in line.

 

1)  The DNS list comes out daily and the IP lists come out daily - is there any overlap or is this IP list specifically only the things out there that do not have a DNS or Domain Name.

 

A: There should not be overlap between DNS signatures and IP lists.  DNS signatures are part of the daily Antivirus content releases.  You can review a list of new Spyware DNS C2 signatures by reviewing the release notes either from your firewall via Device > Dynamic Updates > Antirivus > release notes or via our Threat Vault @ https://threatvault.paloaltonetworks.com.  You may also access release notes from the Dynamic Updates section of https://support.paloaltonetworks.com.

 

2) What are the High Risk IP Address List ? I see the note on the description is that just a IP addresses from other lists that are not in your Malicious list. I am trying to decide if it should be blocked. We will assume the Known Malicious IP Addresses are bad and block those.

 

A: https://live.paloaltonetworks.com/t5/Featured-Articles/PAN-OS-8-0-IP-Block-List-Feeds/ta-p/129616

 

  • Palo Alto Networks - High-risk IP addresses: This list includes IP addresses that have recently been featured in threat activity advisories distributed by high-trust organizations; however Palo Alto Networks does not have direct evidence of maliciousness.

 

Is there a good detailed list of links I can look at for DNS ( AV and Wildfire) as well as the IP lists?

 

A: I recommend using content (AV and Wildfire) release notes as well as our Threat Vault as previously mentioned.  The IP lists can be viewed from your device using the commands previously discussed in this thread.

Highlighted
L4 Transporter

Can someone tell me the best way to use these feeds from PA?  Should I have a specifc outbound rule referrencing these lists as destination addresses and deny'ing all traffic outbond ?  

 

 Like so:

pa-denylist.JPG

Highlighted
L5 Sessionator

Our recommendations are detailed in the PAN-OS 8.0 new feature guide.

 

https://www.paloaltonetworks.com/documentation/80/pan-os/newfeaturesguide/content-inspection-feature...

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!