About Palo Alto EDL
Palo Alto Networks, Inc. has pioneered the next generation of network security with an innovative platform that allows you to secure your network and safely enable an increasingly complex and rapidly growing number of applications. At the core of this platform is the next-generation firewall, which delivers visibility and control over applications, users, and content within the firewall using a highly optimized hardware and software architecture.
Palo Alto EDL (External Dynamic List) is a platform instance through which malicious objects (IP addresses, URLs, domains) can be blocked. This instance is a text file hosted on an external web server and can be imported into the Palo Alto Firewall.
SIRP’s integration with the Palo Alto Firewall allows security teams to execute response actions right from SIRP.
SIRP’s Palo Alto integration app allows you to execute the following actions:
Block an IP Address on Palo Alto firewall
Unblock an IP Address on Palo Alto firewall
Block a domain on Palo Alto firewall
Unblock a domain on Palo Alto firewall
Block a URL on Palo Alto firewall
Unblock a URL on Palo Alto firewall
Block a hash on Palo Alto firewall
Unblock a hash on Palo Alto firewall
Block Wildcard Domain: Block domain and subdomain on Palo Alto
Unblock Wildcard Domain: Unblock domain and subdomain on Palo Alto
Block Wildcard URL: Block URLs and subdirectories on Palo Alto
Unblock Wildcard URL: Unblock URLs and subdirectories on Palo Alto
Enable the Palo Alto EDL App in SIRP
First, log in to SIRP, then go to Apps from the left navigation bar.
Locate the app named Palo Alto Firewall.
Enable the Palo Alto app by clicking the toggle button under Status.
Once enabled, SIRP hosts the EDL files and returns their URLs in the Action output.
Execute all the supported actions one by one:
Each action will give a unique URL for you to configure in the Palo Alto Firewall. For example:
You should be able to access and verify these files by pasting the URLs in your browser. The text file for the URL list will look something like this:
The text file for the IP list will look something like this:
The text file for the domain list will look something like this:
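Before pointing the firewall at the hosted files, their contents can be checked for entries that are malformed, duplicated or far too broad. The script below is an added example, not SIRP's or Palo Alto Networks' code. It assumes one entry per line, comment lines starting with "#", URL entries written without a scheme, and a hypothetical /8 floor on prefix length; the sample lists are constructed.

```python
import ipaddress
import re

# Hostname labels with an optional leading "*." wildcard (assumed wildcard syntax).
DOMAIN_RE = re.compile(r"^(\*\.)?([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)

def check_ip(entry):  # accepts a single address, a CIDR block, or an 'a-b' range
    try:
        if "-" in entry:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
            return None if lo.version == hi.version and lo <= hi else "bad range"
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return "not a valid IP, CIDR or range"
    return "prefix too broad" if net.prefixlen < 8 else None  # /8 floor is an assumed policy

def check_domain(entry):
    if "/" in entry:
        return "domain entries must not carry a scheme or path"
    return None if DOMAIN_RE.match(entry) else "not a valid domain name"

def check_url(entry):
    if re.match(r"^[a-z][a-z0-9+.-]*://", entry, re.I):
        return "remove the scheme"  # assumed PAN-OS URL list convention
    host = entry.split("/", 1)[0]
    return None if DOMAIN_RE.match(host) or check_ip(host) is None else "invalid host part"

CHECKS = {"ip": check_ip, "domain": check_domain, "url": check_url}

def lint_edl(text, kind):
    """Return (line_number, entry, problem) for each entry that should not be published."""
    problems, seen = [], set()
    for n, raw in enumerate(text.splitlines(), 1):
        entry = raw.strip()
        if not entry or entry.startswith("#"):  # blank and comment lines skipped (assumption)
            continue
        issue = "duplicate entry" if entry.lower() in seen else CHECKS[kind](entry)
        seen.add(entry.lower())
        if issue:
            problems.append((n, entry, issue))
    return problems

SAMPLE_IP = "203.0.113.7\n198.51.100.0/24\n192.0.2.10-192.0.2.20\n0.0.0.0/0\n203.0.113.999\n"  # constructed
SAMPLE_DOMAIN = "bad.example.com\n*.malware.example.net\nhttp://bad.example.org\nbad.example.com\n"
SAMPLE_URL = "bad.example.com/payload/drop.php\nhttps://bad.example.org/login\n"

if __name__ == "__main__":
    for kind, sample in (("ip", SAMPLE_IP), ("domain", SAMPLE_DOMAIN), ("url", SAMPLE_URL)):
        print(kind, lint_edl(sample, kind))
```

An empty result for a list means every entry passed these checks; anything reported is worth reviewing before the firewall refreshes the list.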
Configure Palo Alto External Dynamic Lists
Open your Palo Alto instance. Select Objects > External Dynamic Lists.
Create a New list and enter a descriptive Name for the list.
Select the list Type (IP addresses, URLs, domains).
Enter the Source for the list (the URL copied from the SIRP Action output in the first step).
Click Test Source URL to verify that the firewall can reach the source URL on the web server.
Click OK to create your list.
For the URL list, the instance will look like
For the IP list, the instance will look like
For the domain list, the instance will look like
To enable and populate the entries in the External Dynamic List (EDL), you must apply the following settings. Without them, the URL, domain, and IP feeds will not be populated in the EDL.
STEP 1» Enable DNS sink-holing for the custom list of domains in an external dynamic list.
Select Objects > Security Profiles > Anti-Spyware.
Modify an existing profile, or select one of the existing default profiles and clone it.
Name the profile and select the DNS Policies tab.
Select an EDL from the External Dynamic Lists signature source.
Configure the external dynamic list from the Anti-Spyware profile (see Configure the Firewall to Access an External Dynamic List). The Type is preset to Domain List.
(Optional) In the Packet Capture drop-down, select single-packet to capture the first packet of the session or extended capture to set between 1-50 packets. You can then use the packet captures for further analysis.
Verify the sinkhole settings on the Anti-Spyware profile.
On the DNS Policies tab, verify that the Policy Action on DNS queries is sink-hole.
In the DNS Sinkhole Settings section, verify that Sinkhole is enabled. For your convenience, the default Sinkhole IP address is set to access a Palo Alto Networks server. Palo Alto Networks can automatically refresh this IP address through content updates.
If you want to modify the Sinkhole IPv4 or Sinkhole IPv6 address to a local server on your network or to a loopback address, see Configure the Sinkhole IP Address to a Local Server on Your Network.
Attach the Anti-Spyware profile to a Security policy rule.
Select Policies > Security and select a security policy rule.
On the Actions tab, select the Log at Session Start check box to enable logging.
In the Profile Setting section, click the Profile Type drop-down to view all Profiles. From the Anti-Spyware drop-down select the new profile.
Click OK to save the policy rule.
STEP 2» Use the external dynamic list in a URL Filtering profile.
Select Objects > Security Profiles > URL Filtering
Add or modify an existing URL Filtering profile.
Name the profile and, in the Categories tab, select the external dynamic list from the Category list.
Click Action to select a more granular action for the URLs in the external dynamic list.
Attach the URL Filtering profile to a Security policy rule.
1. Select Policies > Security.
2. Select the Actions tab and, in the Profile Setting section, select the new profile in the URL Filtering drop-down.
3. Click OK and Commit.
Use an External Dynamic List of Type URL as Match Criteria in a Security Policy Rule.
Click Add and enter a descriptive Name for the rule.
In the Source tab, select the Source Zone.
In the Destination tab, select the Destination Zone.
In the Service/URL Category tab, click Add to select the appropriate external dynamic list from the URL Category list.
In the Actions tab, set the Action Setting to Allow or Deny.
Click OK and Commit.