Palo Alto Firewall

Configure a Palo Alto Firewall to access an External Dynamic List

For the purpose of this tutorial, we assume that your feed server is running on your local network and that the feed URL is reachable at http://10.10.10.2/text15.txt

Important Note: Palo Alto External Dynamic Lists accept feeds in plain-text (.txt) format only, and each entry must be on its own line.

Service Route Configuration (Optional)

By default, the Palo Alto firewall uses the Management interface to reach the feed URL. If the feed URL is only reachable through a different interface of the firewall, change the default service route: select Device > Setup > Services > Global, then click Service Route Configuration and modify the External Dynamic Lists service route.

————

IP Feed of External Dynamic List

How to configure an IP Feed External Dynamic List in a Palo Alto Firewall?

Select Objects > External Dynamic Lists and click Add to open the External Dynamic Lists window, then complete the details as shown below.

Important Note: If you choose the IP List type, make sure the list contains only IP address entries, not domain names or anything else.

To retrieve the list immediately, without waiting for the firewall to fetch it at the next interval:
  • Select Objects > External Dynamic Lists, click on the list created above (select it, do not open it) and choose Import Now from the bar at the bottom of the page.

The final step is to configure the above feed as the destination in a security policy rule and set the action to Deny.
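The format requirements stated above (plain text, one entry per line, and an IP list that contains only IP entries) are easy to break when the feed file is produced by a script, and a malformed entry silently weakens the Deny rule that depends on the list. The following Python validator is an added example, not part of this tutorial or of any Palo Alto tooling; it checks a feed file before it is published to the feed server, and goes beyond the IP case by also covering the Domain and URL list types described in the later sections. The sample feeds are constructed; treating lines that start with "#" as comments is an assumption about how you publish your own file, not a PAN-OS guarantee; and the accepted IP forms (single address, CIDR subnet, start-end range) and the scheme-less URL form are my assumptions about what the firewall accepts.

```python
import ipaddress
import re

# Constructed sample feeds, standing in for the file served at http://10.10.10.2/text15.txt.
# The stray entries are deliberate so the validator has something to reject.
SAMPLE_IP_FEED = """\
# block list (hypothetical comment line; this validator skips '#' lines by assumption)
203.0.113.10
198.51.100.0/24
192.0.2.1-192.0.2.20
bad-host.example
2001:db8::1
"""

SAMPLE_DOMAIN_FEED = """\
malicious.example
tracker.example.net
203.0.113.10
"""

# One DNS label: 1-63 characters, letters/digits/hyphen, no leading or trailing hyphen.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
DOMAIN_RE = re.compile(rf"^(?:{LABEL}\.)+{LABEL}\.?$")
# URL entries: optional scheme, host, optional port, optional path (scheme-less form assumed).
URL_RE = re.compile(rf"^(?:https?://)?(?:{LABEL}\.)+{LABEL}(?::\d{{1,5}})?(?:/\S*)?$")


def is_ip_entry(entry: str) -> bool:
    """Accept a single address, a CIDR subnet, or a 'start-end' range (assumed forms)."""
    try:
        if "-" in entry:
            start, end = entry.split("-", 1)
            a, b = ipaddress.ip_address(start), ipaddress.ip_address(end)
            return a.version == b.version and a <= b
        if "/" in entry:
            ipaddress.ip_network(entry, strict=False)
            return True
        ipaddress.ip_address(entry)
        return True
    except ValueError:
        return False


def is_domain_entry(entry: str) -> bool:
    """A hostname made of valid labels; bare IP addresses are rejected (IP list entries belong elsewhere)."""
    return bool(DOMAIN_RE.match(entry)) and not is_ip_entry(entry)


def is_url_entry(entry: str) -> bool:
    return bool(URL_RE.match(entry))


CHECKS = {"ip": is_ip_entry, "domain": is_domain_entry, "url": is_url_entry}


def validate_feed(text: str, kind: str):
    """Return (valid, invalid): valid entries in feed order, and (line_no, entry, reason) tuples."""
    check = CHECKS[kind]
    valid, invalid = [], []
    for line_no, raw in enumerate(text.splitlines(), 1):
        entry = raw.strip()
        if not entry or entry.startswith("#"):
            continue  # blank line or comment (comment handling is an assumption)
        if any(ch.isspace() for ch in entry):
            invalid.append((line_no, entry, "whitespace inside entry: one entry per line"))
            continue
        if check(entry):
            valid.append(entry)
        else:
            invalid.append((line_no, entry, f"not a valid {kind} entry"))
    return valid, invalid


if __name__ == "__main__":
    for kind, feed in (("ip", SAMPLE_IP_FEED), ("domain", SAMPLE_DOMAIN_FEED)):
        valid, invalid = validate_feed(feed, kind)
        print(f"{kind} feed: {len(valid)} valid entries")
        for line_no, entry, reason in invalid:
            print(f"  line {line_no}: {entry!r} rejected ({reason})")
```

Run the validator against the file you are about to publish and refuse to push the feed if any entry is rejected; a domain name that slips into an IP list is the case the Important Note above warns about, and the rejection list tells you exactly which line to fix.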

————

Domain Feed of External Dynamic List

How to configure a Domain Feed External Dynamic List in a Palo Alto Firewall?

  • Select Objects > External Dynamic Lists and click Add to open the External Dynamic Lists window, then complete the configuration as shown below.

An external dynamic list of type Domain lets you import custom domain names into the firewall and enforce policy on them using an Anti-Spyware profile. For each domain in the external dynamic list, the firewall creates a custom DNS-based spyware signature so that you can enable DNS sinkholing. The DNS-based spyware signature is of type spyware with medium severity, and each signature is named Custom Malicious DNS Query <domainname>.

Note that DNS Sinkhole must be configured for this functionality to work.

————

URL Feed of External Dynamic List

How to configure a URL Feed External Dynamic List in a Palo Alto Firewall?

  • Select Objects > External Dynamic Lists and click Add to open the External Dynamic Lists window, then complete the configuration as shown below.

Palo Alto Firewall External Dynamic List URL Feed

  • Select Policies > Security Policies and click Add to configure a security policy rule that uses the URL list, and make sure you change the default action to Deny.