Palo Alto External Dynamic IP Lists

This is a cool and easy to use (security) feature from Palo Alto Networks firewalls: The External Dynamic Lists which can be used with some (free) 3rd party IP lists to block malicious incoming IP connections. In my case I am using two free IP lists to deny any connection from these sources coming into my network/DMZ. I am showing the configuration of such lists on the Palo Alto as well as some stats about it.

Lists

What is an external dynamic list? It is a list of known malicious sources maintained by some providers/persons on the Internet. These IP lists can be used to blacklist/block/deny connections from those sources. A good overview of such lists is “Blocklists of Suspected Malicious IPs and URLs” from Lenny Zeltser. I am currently using the following two well-known lists:

While the first one is simply a list of “malicious” IPv4 addresses, the second one is a combination of other source that also include fullbogons and other entries. FireHOL shows many graphs and stats about the distribution from their listed IP addresses. Follow the link above and have a look!

What about IPv6? Well, it seems that only legacy IP is widely supported. Bad. While FireHOL does not list any statement about that, the OpenBL FAQ says: “We are fully IPv6 enabled but the lists and the reporting currently only handle IPv4 since most of our hosts do not have a IPv6 address and also because there basically are no attacks against IPv6 targets worth mentioning, at least not yet.” I am not happy with this statement at all, but I also know that it is not easy to maintain IPv6 lists due to the large address space. (Should an IPv6 blacklist block a /128, /64 or even a /48 in case of abuse?) At least the Spamhaus Project has an IPv6 list, called DROPv6.

Some further notes:

  1. You should always check the quality of the list before using it. To my mind the two mentioned lists are quite “good”, however, note that they could be abused, too. Do some research about the trustworthiness before using it in your policies.
  2. Both lists are only IP address lists, that is, they are useful for blocking incoming connections. For outgoing (user initiated) connections you can use URL lists rather than IP lists. Lenny mentioned a few of them in his blog post. And the Palo Alto firewall is also able to use domain and even URL lists for security policies, etc.

Usage within Palo Alto

I am currently using a PA-200 with PAN-OS 7.1.7. The blacklists are configured under Objects -> External Dynamic Lists. They are from type “IP List”. Those dynamic objects can then be used within a security policy. In my case I have added two deny policies at the very beginning of my whole ruleset. Immediately after committing the traffic log shows denied connection from various IPv4 addresses:

Some Stats

At first I was interested whether the whole blacklists are used correctly by the firewall. There are some CLI commands to see/refresh the lists such as:

 

I captured this screenshot from the FireHOL page that shows 17.299 entries on January 30th, 2017. In fact, exactly the same valid entries were listed in the Palo Alto dynamic list at the same time, as the following listing shows. (Note that there are not only /32 host IPv4 addresses but also bigger [bigly?] networks such as /20):

Of course it looks quite the same with IPv6, here with the Spamhaus DROPv6 list:

 

Now here is a custom report that shows all denied connections during the last calendar week, sorted by count (top 5), grouped by port. Many well-known ports such as SSH, telnet, SMTP, HTTP, NTP, SNMP, etc. are scanned from different IPv4 addresses all over the world:

I really like this feature, at least for my lab where not everything is business critical. To my mind blocking some “false positives” is still better than allowing some malicious connections (false negative).

More Links

Featured image: “Lists” by Steven Lilley is licensed under CC BY-SA 2.0.

One thought on “Palo Alto External Dynamic IP Lists

  1. I use mainly this EDLs:
    – Team Cymru’s BOGON (catching mostly ping and bittorrent traffic from malconfigured 100.64.0.0/10)
    – Spamhaus DROP (lots of abusive traffic, port scans)
    – Spamhaus EDROP (minimal traffic)
    – DSHIELD top 20 (10x traffic from DROP list, scans, shodan.io, “scan the internet” university projects)
    – Team Cymru’s FULLBOGON (not a lot of traffic)

Leave a Reply

Your email address will not be published. Required fields are marked *