About Palo Alto EDL

Palo Alto Networks, Inc. has pioneered the next generation of network security with an innovative platform that allows you to secure your network and safely enable an increasingly complex and rapidly growing number of applications. At the core of this platform is the next generation firewall, which delivers visibility and control over applications, users, and content within the firewall using a highly optimised hardware and software architecture.

Palo Alto EDL (External Dynamic List) is a platform instance through which malicious objects (IP addresses, URLs, domains) can be blocked. This instance is a text file hosted on an external web server and can be imported into the Palo Alto Firewall.

SIRP’s integration with Palo Alto Firewall allows security teams to execute response actions right from SIRP.

Supported Actions

SIRP’s Palo Alto integration app allows you to execute the following actions:

| S.no | Action | Description |
| --- | --- | --- |
| 1 | Block IP | Block an IP Address on Palo Alto firewall |
| 2 | Unblock | Unblock an IP Address on Palo Alto firewall |
| 3 | Block Domain | Block a domain on Palo Alto firewall |
| 4 | Unblock Domain | Unblock a domain on Palo Alto firewall |
| 5 | Block URL | Block a URL on Palo Alto firewall |
| 6 | Unblock URL | Unblock a URL on Palo Alto firewall |

Enable the Palo Alto EDL App in SIRP

  • First, log in to SIRP, then go to Apps from the left navigation bar.

  • Locate the app named Palo Alto Firewall.

  • Enable the Palo Alto app by clicking the toggle button under Status.

  • Once enabled, SIRP will host the EDL files and return their URLs in the Action output.

  • Execute all the supported actions one by one:

    • block_ip

    • block_domain

    • block_url

    • block_hash

  • Each action will give a unique URL for you to configure in the Palo Alto Firewall. For example:

    • https://<sirp-ip>/Palo-Alto/2/url_list.txt

    • https://<sirp-ip>/Palo-Alto/2/ip_list.txt

    • https://<sirp-ip>/Palo-Alto/2/domain_list.txt

    • https://<sirp-ip>/Palo-Alto/2/hash_list.txt

  • You should be able to access and verify these files by pasting the URLs in your browser. The text file for the URL list will look something like this:

  • The text file for the IP list will look something like this:

  • The text file for the domain list will look something like this:
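Before pointing the firewall at a hosted list, it helps to check that every line is an entry of the right kind for that list type. The script below is an added example, not part of SIRP or PAN-OS. It assumes one entry per line, domain and URL entries written without a scheme, optional "*." wildcards on domains, and that blank lines and lines starting with "#" are skipped; the sample contents are constructed.

```python
import ipaddress
import re

# Hostname labels of letters, digits and hyphens; optional leading "*." (assumption).
_DOMAIN_RE = re.compile(r"^(\*\.)?([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)

def _valid_ip_entry(entry):
    """Accept a single address, a CIDR subnet, or a start-end range."""
    try:
        if "-" in entry:
            start, end = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
            return start.version == end.version and start <= end
        ipaddress.ip_network(entry, strict=False)
        return True
    except ValueError:
        return False

def _valid_domain_entry(entry):
    return bool(_DOMAIN_RE.match(entry))

def _valid_url_entry(entry):
    # URL entries carry no scheme; the host part must be a domain or an IP address.
    if "://" in entry or any(c.isspace() for c in entry):
        return False
    host = entry.split("/", 1)[0].split(":", 1)[0]
    return _valid_domain_entry(host) or _valid_ip_entry(host)

CHECKS = {"ip": _valid_ip_entry, "domain": _valid_domain_entry, "url": _valid_url_entry}

def validate_edl(text, list_type):
    """Return (entries, problems); problems is a list of (line_number, raw_line)."""
    entries, problems = [], []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank and comment lines are skipped (assumption)
        if CHECKS[list_type](line):
            entries.append(line)
        else:
            problems.append((number, raw))
    return entries, problems

# Constructed sample contents (documentation address ranges and example domains).
SAMPLE_IP_LIST = "203.0.113.7\n198.51.100.0/24\n192.0.2.10-192.0.2.20\nevil.example.com\n"
SAMPLE_DOMAIN_LIST = "bad.example.com\nhttp://bad.example.org\n*.example.net\n"
SAMPLE_URL_LIST = "bad.example.com/login.php\nhttps://bad.example.org/a\n"

if __name__ == "__main__":
    for kind, text in (("ip", SAMPLE_IP_LIST), ("domain", SAMPLE_DOMAIN_LIST), ("url", SAMPLE_URL_LIST)):
        print(kind, validate_edl(text, kind))
```

To check a live list, save the file returned by the action URL and pass its text to validate_edl with the matching list type.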

Configure Palo Alto External Dynamic Lists

  • Open your Palo Alto instance. Select Objects > External Dynamic Lists.

  • Create a New list and enter a descriptive Name for the list.

  • Select the list Type (IP addresses, URLs, domains).

  • Enter the Source for the list copied in the first step.

  • Click Test Source URL to verify that the source URL is accessible from the firewall.

  • Click OK to create your list.

For the URL list, the instance will look like

For the IP list, the instance will look like

For the domain list, the instance will look like
