07-02-2019 02:59 AM - edited 07-02-2019 03:01 AM
Hello,
I am checking the content of two predefined dynamic IP lists for high risky IP addresses and known malicious IP addresses and they are too small, just 613 addresses in total.
There is a document https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-new-features/content-inspection-features/palo-al...
and there we can find that at the time of writing there were 2969 IP addresses only in high risky list.
So the question, if it can be some problem with feed updates on our appliances or it is the actual size of these lists.
Regards,
Vladimir
07-02-2019 12:17 PM
Hello,
If you want to have other EBL's check these out:
Source on PAN support:
https://live.paloaltonetworks.com/message/54183#54183
Sans notes on this:
Others listed on this site:
http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt
http://malc0de.com/bl/IP_Blacklist.txt
http://panwdbl.appspot.com/lists/openbl.txt
However remember that IP's change frequently and a proper security poster also takes DNS and URL filtering into consideration.
Regards,
07-02-2019 03:15 AM - edited 07-02-2019 03:15 AM
@vladimir.stepanov There is nothing wrong with your appliance, they are around 600 now. The list is updated regularly with the anti-virus updates and the numbers can change when new IPs are added or removed.
07-02-2019 03:27 AM
But why it is like this, was there any announce or answer from paloalto? It is clear that 600 Ip addresses are nothing, also, before they had 10 times bigger list. So what, have paloalto failed with this feature and cannot support it anymore?
07-02-2019 03:31 AM - edited 07-02-2019 03:32 AM
@vladimir.stepanov You should not rely too much on the pre-defined lists. They have never been a comprehensive security feed, but just a small addition to all the other firewall security features and profiles.
07-02-2019 03:54 AM
yes, I understand that I cannot rely on them since paloalto doesn't maintain it. But the question is what to use instead to block traffic from well-known malicious IP addresses. Ok, I mean well-known to other companies, not to paloalto, since their feeds are empty 🙂
07-02-2019 12:17 PM
Hello,
If you want to have other EBL's check these out:
Source on PAN support:
https://live.paloaltonetworks.com/message/54183#54183
Sans notes on this:
Others listed on this site:
http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt
http://malc0de.com/bl/IP_Blacklist.txt
http://panwdbl.appspot.com/lists/openbl.txt
However remember that IP's change frequently and a proper security poster also takes DNS and URL filtering into consideration.
Regards,
07-17-2019 06:11 AM
@vladimir.stepanov: If you need more customized feeds, you can buy a subscription for Autofocus and generate a dynamic feed for your invididual needs. Blocking too many targets is dangerous - you have to keep in mind, that these lists are valid for all global PAN customers.
10-01-2020 04:00 AM - edited 10-08-2020 03:21 AM
@Chacko42 wrote: MyAARPMedicare@vladimir.stepanov: If you need more customized feeds, you can buy a subscription for Autofocus and generate a dynamic feed for your invididual needs. Blocking too many targets is dangerous - you have to keep in mind, that these lists are valid for all global PAN customers.
I understand that I cannot rely on them since paloalto doesn't maintain it. But the question is what to use instead to block traffic from well-known malicious IP addresses.
10-08-2020 11:54 PM
You can also setup a minemeld server and import preexisting feeds from other malware intelligence.
e.g. urlhaus, spamhouse and so on got public feeds for known spammers and so on.
There is a own area in the live-community for all minemeld related topics
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
