Use a Dynamic Block List in Policy
The firewall or Panorama typically enforces policy for a source or destination IP address that is defined as a static object on the firewall. If you need agility in enforcing policy for a list of source/destination IP addresses that emerge ad hoc, you can use dynamic block lists.
A dynamic block list is a text file that contains a list of IP addresses, IP ranges, or IP subnets, and is hosted on a web server. The dynamic block list can be used to deny or allow access to the IP addresses (IPv4 and IPv6) included in the list. For example, you can use it as a whitelist for allowing a set of IP addresses or as a blacklist to disallow access to the specified IP addresses. At a configured interval, the firewall dynamically imports the list and enforces policy for the IP addresses included in the list. When you modify the list, the firewall retrieves the updates; a configuration change or commit is not required on the firewall. If the web server is unreachable, the firewall or Panorama will use the last successfully retrieved list for enforcing policy until the connection is restored with the web server that hosts the list.
View the IP Address Limit For Your Firewall Model
Irrespective of the firewall model, each firewall supports a maximum of 10 Dynamic Block Lists.
To find the maximum number of addresses, address groups, and IP addresses per group, for your model of the firewall, use the following CLI command:
show system state | match cfg.general.max-address
For example:
admin@PA-7050> show system state | match cfg.general.max-address
cfg.general.max-address: 80000
cfg.general.max-address-group: 8000
cfg.general.max-address-per-group: 500
Each list can contain the maximum number of addresses supported by your firewall model minus 300. Up to 300 IP addresses are reserved for internal use on the firewall and are deducted from the available limit. Therefore, in the example above, the firewall can have a maximum of 79,700 IP addresses.
Formatting Guidelines for Dynamic Block Lists
The dynamic block list can include individual IP addresses, subnet addresses (address/mask), or a range of IP addresses. In addition, the block list can include comments and special characters such as *, :, ;, #, or /. The syntax for each line in the list is [IP address, IP/Mask, or IP start range-IP end range] [space] [comment].
Because the firewall ignores incorrectly formatted lines, use these guidelines when defining the list:
Enter each IP address/range/subnet on a new line; URLs are not supported in this list. If you add comments, the comment must be on the same line as the IP address/range/subnet. The space at the end of the IP address is the delimiter that separates a comment from the IP address.
An example:
2001:db8:123:1::1 #test IPv6 address ; test internal subnet
2001:db8:123:1::/64 test internal IPv6 range
For an IP address that is blocked, you can display a notification page only if the protocol is HTTP.
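Because the firewall silently drops malformed lines, it is worth linting a list before hosting it. The following added example (not from Palo Alto Networks documentation or software) applies the line syntax and the per-list capacity rule described above (max-address minus 300) to a constructed sample list; the sample addresses and the function names are assumptions for illustration.

```python
import ipaddress

RESERVED_ENTRIES = 300  # deducted from cfg.general.max-address on every model

# Constructed sample list: five well-formed entries followed by four lines of the
# kind the firewall silently drops (URL, comment glued to address, bad octet, reversed range).
SAMPLE_LIST = """\
2001:db8:123:1::1 #test IPv6 address ; test internal subnet
2001:db8:123:1::/64 test internal IPv6 range
192.0.2.10 known scanner
192.0.2.0/24
198.51.100.5-198.51.100.20 test range
http://example.com/blocked URLs are not supported
203.0.113.7#comment glued to the address
10.0.0.300 octet out of range
198.51.100.50-198.51.100.40 reversed range
"""

def valid_entry(token):
    """True if token is an IP, IP/mask or IPstart-IPend range of a single IP version."""
    try:
        if "-" in token:
            start, end = (ipaddress.ip_address(p) for p in token.split("-", 1))
            return start.version == end.version and start <= end
        if "/" in token:
            ipaddress.ip_network(token, strict=False)
        else:
            ipaddress.ip_address(token)
        return True
    except ValueError:
        return False

def lint_block_list(text):
    """Split the list into accepted address tokens and (line number, line) rejects.
    The first whitespace ends the address; the rest of the line is the comment."""
    accepted, rejected = [], []
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        token = line.split(None, 1)[0]
        if valid_entry(token):
            accepted.append(token)
        else:
            rejected.append((n, raw))
    return accepted, rejected

def fits_model(entry_count, max_address):
    """Per-list cap is max-address minus the 300 reserved entries (80000 -> 79700)."""
    return entry_count <= max_address - RESERVED_ENTRIES
```

Run the linter over the file you intend to host and fix every rejected line; otherwise those addresses are never enforced and nothing in the firewall UI tells you so.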
Enforce Policy with a Dynamic Block List
Create the dynamic block list and host it on a web server, so that the firewall can retrieve the list for policy evaluation. Create a text file and enter the IP addresses for which you want to enforce policy. For syntax, see Formatting Guidelines for Dynamic Block Lists.
Create a dynamic block list object on the firewall.
Select Objects > Dynamic Block Lists.
Click Add and enter a descriptive Name for the list.
(Optional) Select Shared to share the list with all virtual systems on a device that is enabled for multiple virtual systems. By default, the object is created on the virtual system that is currently selected in the Virtual Systems drop-down.
Enter the Source URL (hostname or IP address and the path) for the list you just created on the web server. For example,
Click Test Source URL to verify that the firewall or Panorama can connect to the web server.
(Optional) Specify the Repeat frequency at which the firewall or Panorama must retrieve the list. By default, the list is retrieved every hour.
Click OK to save the changes.
Use the dynamic block list as a source or destination address object in policy. Create separate dynamic block lists if you want to specify allow and deny actions for specific IP addresses. The list can be referenced in any policy type. In this example, we attach it as a destination object in security policy.
Select Policies > Security.
Click Add and give the rule a descriptive name in the General tab.
In the Source tab, select the Source Zone.
In the Destination tab, select the Destination Zone and select the dynamic block list as the Destination Address.
In the Service/URL Category tab, make sure the Service is set to application-default.
In the Actions tab, set the Action Setting to Allow or Deny. Leave all the other options at the default values.
Click OK to save the changes.
Commit the changes.
Test that the policy action is enforced.
Access an IP address that is included in the dynamic block list and verify that the action you defined is enforced.
Select Monitor > Logs > Traffic and see the log entry for the session.
To verify the policy rule that matches a flow, use the following CLI command:
test security-policy-match source <IP_address> destination <IP_address> destination port <port_number> protocol <protocol_number>
View the List of IP addresses in the Dynamic Block List
View the IP Addresses Included in the Dynamic Block List
To view the list of IP addresses that the firewall has retrieved from the web server, enter the following CLI command:
request system external-list show name <name>
For example, for a list named DBL_2014, the output is:
vsys1/DBL_2014:
Next update at: Wed Aug 27 16:00:00 2014
IPs: #test China; test internal test internal range
Retrieve a Dynamic Block List from Web Server
The firewall or Panorama can be configured to retrieve the list from the web server on an hourly, daily, weekly, or monthly basis. If you have added or deleted IP addresses on the list and need to trigger an immediate refresh, you must use the Command Line Interface.
Retrieve a Dynamic Block List
Enter the command: request system external-list refresh name <name>
For example: request system external-list refresh name DBL_2014
Get the job ID for the refresh job using the CLI command: show jobs all
Look for the last EBL Refresh job in the list.
View the details for the job ID. Use the command: show jobs id <number>
A message indicating the success or failure displays. For example:
admin@PA-200> show jobs id 55
Enqueued                ID   Type         Status  Result  Completed
--------------------------------------------------------------------------
2014/08/26 15:34:14     55   EBLRefresh   FIN     OK      15:34:40
Warnings:
Details: