This question has come up a few times in my recent travels and it seemed like something to post for our readers. I hope you find it useful; comments welcome!

Overview

This will walk you through the steps of subscribing to our top 20 block list on a Palo Alto Networks firewall. It will also show you how to make a rule using the external block list (EBL). You can create a rule to block both inbound and outbound; however, this instruction includes only an outbound rule. Any traffic transiting outbound from an internal host to an entry on the top 20 list should be considered suspect, prevented, and then investigated.

Our DShield Top 20 List can always be found here: http://feeds.dshield.org/block.txt

The source for the parsed and Palo Alto Networks formatted version of the DShield block list can be found here: http://panwdbl.appspot.com/lists/dshieldbl.txt

The full source of external block lists:

It is my understanding that this 'unofficial' source is maintained by a Palo Alto Networks systems engineer, although this is not confirmed.

Creating the External Block List Subscription

2. Click Add
B. Copy the preformatted subscription from our unofficial formatting app http://panwdbl.appspot.com/lists/dshieldbl.txt and paste it into the source block.
C. Click Test Source URL

Creating the Outbound Rule

Overview

There are several ways to use an EBL. One of the most common is to block/restrict on inbound flows, and although this should be done, we will be using a different method for this example. In the "Creating the Outbound Rule" section we will block and alert on outbound traffic from our L3-Trust to L3-Untrust (basically from our trusted internal zone to our untrusted external zone; your naming convention may differ). This will serve as a possible indicator of compromise (IoC). On the topic of IoC, let's be clear that this can only serve as a possible indicator of compromise. Mileage may vary depending on your EBL.

The DShield EBL (the EBL selected for this lab) is hosted by the Internet Storm Center and has been maintained for over a decade. Any communication to those hosts should be considered suspect, though not a clear case for declaring compromise. Regardless, it should be best current practice (BCP) to at least alert on this traffic outbound. Traffic from these hosts and netblocks inbound is largely considered noise. Any questions regarding the DShield Recommended Block list, please direct them to handlers@isc.sans.edu. For the history behind the DShield top 20, check out https://isc.sans.edu/about.html.

WARNING! Step 2.d is critical! If you miss step 2.d you will shadow all your other rules and stop all traffic outbound in your environment, so pay CLOSE attention to step 2.d. YOU HAVE BEEN WARNED! Do not miss this step. Also, for troubleshooting: if all your traffic stops after this walk-through, you can disable the rule and troubleshoot your External Block List.

1. Go to Policies -> Security
E. Under the Actions tab change allow to deny. Optionally you can set logging to an external syslog here as well.
G. Highlight the new rule, click Move (found at the bottom of the GUI), and select Top. We are moving this rule to the top because we want to catch all attempts to reach the EBL outbound before any other rule is triggered.

Screencast of the Above
Richard, 168 Posts, ISC Handler, Feb 23rd 2015
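As an added example (not code from the diary, from DShield, or from the panwdbl.appspot.com app), here is a small Python converter that turns DShield's block.txt into the one-CIDR-per-line form an EBL expects and refuses entries that would shadow the entire outbound policy, the failure the warning above describes. The feed layout is an assumption (tab-separated start, end and prefix-length columns after '#' comment lines) and the sample lines are constructed from documentation and reserved ranges.

```python
import ipaddress

# Constructed sample in the assumed DShield block.txt layout: '#' comments, then
# tab-separated start, end, prefix length, targets, network name, country, contact.
SAMPLE_BLOCK_TXT = """\
#   DShield top 20 sample (constructed; documentation and reserved ranges only)
203.0.113.0\t203.0.113.255\t24\t4213\tEXAMPLE-NET\tUS\tabuse@example.net
198.51.100.0\t198.51.100.255\t24\t3977\tEXAMPLE-NET-2\tDE\tabuse@example.org
192.0.2.0\t192.0.2.127\t24\t1501\tTRUNCATED\tXX\tnobody@example.invalid
0.0.0.0\t255.255.255.255\t0\t9\tBOGUS\tXX\tnobody@example.invalid
10.0.0.0\t10.0.0.255\t24\t2\tPRIVATE\tXX\tnobody@example.invalid
not-an-ip\t203.0.113.255\t24\t1\tGARBAGE\tXX\tnobody@example.invalid
"""

MIN_PREFIX = 8  # anything broader than a /8 would shadow the whole outbound policy
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]


def parse_dshield_block(text, min_prefix=MIN_PREFIX):
    """Return (accepted CIDR strings, [(line, reason)] rejected) for EBL publishing."""
    accepted, rejected = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            start, end, prefix = line.split("\t")[:3]
            net = ipaddress.ip_network(f"{start}/{prefix}", strict=True)
            last = ipaddress.ip_address(end)
        except ValueError as exc:  # too few columns or malformed address/prefix
            rejected.append((line, f"unparseable: {exc}"))
            continue
        if last != net.broadcast_address:
            rejected.append((line, "end address does not match start/prefix"))
        elif net.prefixlen < min_prefix:
            rejected.append((line, f"/{net.prefixlen} is broader than /{min_prefix}"))
        elif any(net.overlaps(r) for r in NON_ROUTABLE):
            rejected.append((line, "non-routable range, cannot be a real destination"))
        else:
            accepted.append(net.with_prefixlen)  # one CIDR per line is what EBL expects
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = parse_dshield_block(SAMPLE_BLOCK_TXT)
    print("\n".join(ok))
    for line, reason in bad:
        print(f"# dropped ({reason}): {line}")
```

Publishing only the accepted lines (and reviewing the rejected ones) keeps a truncated or tampered fetch from turning the deny rule into a deny-everything rule.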
I think it would be best to serve the list over TLS, I've checked and both links are accessible over HTTPS. Is there any reason why you do not use https://panwdbl.appspot.com/lists/dshieldbl.txt and https://feeds.dshield.org/block.txt in the walkthrough?
Regards, Martin

Anonymous, Feb 24th 2015
The list should be retrieved over an encrypted SSL/TLS connection, not http, as it could be modified in-flight.
Anonymous, Feb 24th 2015
Nice BL wrapup on that page (https of course), the only trouble is how do we follow announcements, updates and news about that page?
The same techniques can be used to populate a blocklist with Team Cymru's fullbogon list: https://www.team-cymru.org/bogon-reference-http.html

Anonymous, Feb 25th 2015
SSL/TLS isn't enough to prevent MITM attacks. DNSSEC and DANE should be added.
Anonymous, Feb 25th 2015
I'm trying to use the lists from "http://panwdbl.appspot.com/" in a PA-500 with software version 6.0.8.
It seems that it's not working. I'm checking the EBL from the CLI:

admin@PA-500(active)> request system external-list url-test https://panwdbl.appspot.com/lists/shdrop.txt
URL is accessible

admin@PA-500(active)> request system external-list refresh name <myblocklistname>
EBL refresh job enqueued

admin@PA-500(active)> request system external-list show name <myblocklistname>
Server error : external list file not found

It seems that I can't download the full content of the .txt list. Any idea? Thanks in advance. Regards

Alex, 1 Posts, Apr 14th 2015
Hi there!
I encountered the same issue and it turns out that you need to first configure a security rule referencing the Dynamic Block List object. For your reference: https://live.paloaltonetworks.com/docs/DOC-4724 Cheers!

Snippet from the URL above:

The following errors (from their respective commands) may be seen on the CLI:

> request system external-list show name <object name>
Server error : external list file not found.

or

> show jobs id <value> (where <value> is an EBL refresh job) may return the error:
Warnings: EBL(vsys1/test) Unable to fetch external list. Using old copy for refresh.

The above errors suggest that the issue may be with the web server that hosts the IP address list. However, in many cases the list was successfully retrieved ('Source URL is accessible' when testing in the GUI), but the Palo Alto Networks device was not able to read it. Verify that the source address is pointing to a '.txt' file on an HTTP/HTTPS URL. For example: https://www.myserver.com/blocklist.txt If using an HTTPS location, please make sure it is on PAN-OS 5.0.10 or above. If running a lower version, the 'Test URL' option in the GUI may return an error, although it is working properly.

Note: In order to see the list on the firewall, the DBL needs to be used in a policy. The error may also appear if the security rule is not configured with a dynamic block list or if the target vsys is not set in a multi-vsys system.

Alex, 1 Posts, May 7th 2015