I'm working through a best practices assessment and one of the recommendations is to create security policies to deny traffic inbound or outbound to the two default external dynamic lists: 'Palo Alto Networks - Known malicious IP addresses' and 'Palo Alto Networks - High risk IP addresses'. My concern, though, is that we have multiple sites connected via VPN, as well as numerous business-critical connections. I would like to be able to put an exception in for these in advance, if possible, to make sure that if one of those critical IPs somehow gets added to the list we don't lose a connection to a remote site or drop a vendor connection. Unfortunately, it doesn't appear that there's any option to add manual entries, or override the EDL. The next option that comes to mind, then, would be to put this deny rule after all the other allow rules, which somewhat defeats the point of a 'deny evil IPs' rule. Any thoughts, or suggestions?
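As an added example (not part of the original post or of any Palo Alto Networks documentation), the PAN-OS configure-mode commands below lay out the middle ground between the two options the post describes: a narrow allow rule for the known VPN peers and vendor endpoints sits first, the two predefined EDL deny rules follow it, and the existing general allow rules stay below both. The zone names (trust/untrust), rule names, address objects and the 203.0.113.x / 198.51.100.x addresses are hypothetical placeholders; `panw-known-ip-list` and `panw-highrisk-ip-list` are the CLI object names that correspond to the two GUI list names in the post, to the best of my knowledge. Lines beginning with `#` are annotations for the reader and are not accepted as CLI input.

```text
configure

# 1. Address objects for the connections that must never be dropped (constructed sample IPs).
set address vpn-peer-siteB ip-netmask 203.0.113.10/32
set address vendor-sftp ip-netmask 198.51.100.25/32
set address-group critical-peers static [ vpn-peer-siteB vendor-sftp ]

# 2. Narrow carve-out rules for those peers. Keep application and service tight so
#    this is a targeted exception, not a blanket permit that bypasses the EDL denies.
set rulebase security rules Allow-Critical-Peers-Out from trust to untrust source any destination critical-peers application [ ike ipsec-esp ssh ] service application-default action allow log-end yes
set rulebase security rules Allow-Critical-Peers-In from untrust to trust source critical-peers destination any application [ ike ipsec-esp ] service application-default action allow log-end yes

# 3. Deny rules referencing the two predefined external dynamic lists, both directions.
set rulebase security rules Deny-Malicious-Out from trust to untrust source any destination [ panw-known-ip-list panw-highrisk-ip-list ] application any service any action deny log-end yes
set rulebase security rules Deny-Malicious-In from untrust to trust source [ panw-known-ip-list panw-highrisk-ip-list ] destination any application any service any action deny log-end yes

# 4. Ordering: carve-outs on top, EDL denies directly beneath them, general allows below.
move rulebase security rules Allow-Critical-Peers-Out top
move rulebase security rules Allow-Critical-Peers-In after Allow-Critical-Peers-Out
move rulebase security rules Deny-Malicious-Out after Allow-Critical-Peers-In
move rulebase security rules Deny-Malicious-In after Deny-Malicious-Out

# 5. Before committing, check whether a critical peer is already present on either list.
run request system external-list show type predefined-ip name panw-known-ip-list | match 203.0.113.10
run request system external-list show type predefined-ip name panw-highrisk-ip-list | match 203.0.113.10

commit
```

The trade-off is the one the post raises: anything in `critical-peers` is trusted ahead of the threat lists, so the group should contain only addresses you control or have contractually vetted, and the carve-out rules should be limited to the applications those peers actually use. Review the EDL hit logs on the deny rules periodically; a business-critical address showing up there is a signal to investigate the peer, not just to widen the exception.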