| paloaltonetworks:configuration:edl [2022/09/07 18:05] – bstafford | paloaltonetworks:configuration:edl [2025/05/22 10:11] (current) – bstafford |
|---|---|
| ====== External Dynamic Lists ====== | ====== External Dynamic Lists ====== |
| Palo have a public list for Microsoft Azure and Microsoft 365 [[https://docs.paloaltonetworks.com/resources/edl-hosting-service.html|here]]. | Palo have a public list for Microsoft Azure and Microsoft 365 [[https://docs.paloaltonetworks.com/resources/edl-hosting-service.html|here]]. |
| | |
| | There are other SaaS products to manage EDL |
| | * [[https://edlmanager.com/|EDL Manager]] |
| | * [[https://ipengine.io/|ipEngine]] |
| |
| Also, when downloading a dynamic list over SSL (HTTPS), you will need to use a certificate profile that includes the root certificate. However, some certificates are signed by two chains. Your web browser may only show one chain. You can use https://www.ssllabs.com/ssltest to show a list of both chains (assuming it is a public facing site). The ssllabs page will allow you to download the chain files. | Also, when downloading a dynamic list over SSL (HTTPS), you will need to use a certificate profile that includes the root certificate. However, some certificates are signed by two chains. Your web browser may only show one chain. You can use https://www.ssllabs.com/ssltest to show a list of both chains (assuming it is a public facing site). The ssllabs page will allow you to download the chain files. |
| | ===== Limitations ===== |
| | PA-440 on PAN-OS 11.1.2-h3 - EDL Limits for downloading Infoblox Feed data to "Domain" list. |
| | * Enable "Automatically expand to include subdomains" - 967,785 items |
| | * Disable "Automatically expand to include subdomains" - 641,382 items |
| |
| =====Cron Tab===== | =====Cron Tab===== |
| |
| <code>*/10 * * * * user curl -L https://feodotracker.abuse.ch/downloads/ipblocklist_recommended.txt | grep -Eo '([0-9]{1,3}.){3}[0-9]{1,3}' | grep -v '0.0.0.0' | grep -v 'your ip or first three Octets of /24' | grep -v '/127(?:.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?){3}$)|(10(?:.(25[0-5]|2[0-4][0-9]|> [01]?[0-9][0-9]?)){3}$)|(192.168(?:.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){2}$)|(172.(?:1[6-9]|2\d|3[0-1])(?:.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){2}$)' > /var/tmp/feodo_tracker_botnet_c2_ip_blocklist.txt && mv /var/tmp/feodo_tracker_botnet_c2_ip_blocklist.txt /var/www/html/block_lists/feodo_tracker_botnet_c2_ip_blocklist.txt</code> | <code>*/10 * * * * user curl -L https://feodotracker.abuse.ch/downloads/ipblocklist_recommended.txt | grep -Eo '([0-9]{1,3}.){3}[0-9]{1,3}' | grep -v '0.0.0.0' | grep -v 'your ip or first three Octets of /24' | grep -v '/127(?:.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?){3}$)|(10(?:.(25[0-5]|2[0-4][0-9]|> [01]?[0-9][0-9]?)){3}$)|(192.168(?:.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){2}$)|(172.(?:1[6-9]|2\d|3[0-1])(?:.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){2}$)' > /var/tmp/feodo_tracker_botnet_c2_ip_blocklist.txt && mv /var/tmp/feodo_tracker_botnet_c2_ip_blocklist.txt /var/www/html/block_lists/feodo_tracker_botnet_c2_ip_blocklist.txt</code> |
| For lists with cidrs you would change line -Eo '([0-9]{1,3}.){3}[0-9]{1,3}' to -Eo '([0-9]{1,3}.){3}[0-9]{1,3}/[0-9]{2}' | |
| | For lists with cidrs you would change line <code>-Eo '([0-9]{1,3}.){3}[0-9]{1,3}'</code> to <code>-Eo '([0-9]{1,3}.){3}[0-9]{1,3}/[0-9]{2}'</code> |
| |
| This also has some checks to look for your public ip space, remove rf 1918 space and null entry 0.0.0.0. | This also has some checks to look for your public ip space, remove rf 1918 space and null entry 0.0.0.0. |
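Review bot: the RFC 1918 filter in the crontab line never removes a private address, because `grep -v '/127(?:.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?){3}$)|...'` is a PCRE pattern (`(?:`, `\d`) handed to plain `grep`, which reads it as a basic regular expression in which `(?:`, `|` and `{3}` are literal characters; the stray `> ` inside the second alternative (a shell continuation prompt pasted into the pattern), the leading `/` before `127`, and the unescaped dots only make a match less likely still. The extractor has the same unescaped-dot problem: `grep -Eo '([0-9]{1,3}.){3}[0-9]{1,3}'` also matches digit runs in the feed's comment lines (a timestamp such as `2022-09-07 18` qualifies), and those fragments end up in the published EDL. Suggested replacement for the two steps: `grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}'` for extraction and one anchored ERE for the exclusions, `grep -Ev '^(0\.0\.0\.0$|10\.|127\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)'`, which drops 0.0.0.0, loopback and all three RFC 1918 ranges in a single, testable step (127.0.0.0/8 is loopback rather than RFC 1918 space, so the closing sentence should say "loopback and RFC 1918" if the 127 check is kept, and "rf 1918" there should read "RFC 1918"). Separately, a failed download is not detected: without `curl -f` an HTTP error body is parsed like a feed, and without `pipefail` a transport error is invisible to the `&&`; the only protection today is that an empty result makes the last `grep` exit 1 so the `mv` is skipped. A minimum line-count check on `/var/tmp/feodo_tracker_botnet_c2_ip_blocklist.txt` before the `mv` would stop a truncated list from replacing a good one.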
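Review bot: in the CIDR variant `-Eo '([0-9]{1,3}.){3}[0-9]{1,3}/[0-9]{2}'` the `/[0-9]{2}` requires a two-digit prefix length, so entries from /1 to /9 (for example a /8) are silently dropped from the list; `/[0-9]{1,2}` accepts the full range, and the dots should be `\.` for the same reason as in the non-CIDR form. Note also that every alternative in the exclusion filter later in the pipeline ends in `$` immediately after the last octet, so once a `/nn` suffix is present those exclusions cannot match even after the filter itself is repaired; the anchored prefix form (`^10\.`, `^192\.168\.` and so on, without a trailing `$`) works for both plain addresses and CIDR entries.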