Channel: Johannes Weber – Weberblog.net

Palo Alto External Dynamic IP Lists

This is a cool and easy-to-use (security) feature of Palo Alto Networks firewalls: External Dynamic Lists, which can be fed with some (free) 3rd party IP lists to block malicious incoming IP connections. In my case I am using two free IP lists to deny any connection from these sources coming into my network/DMZ. I am showing the configuration of such lists on the Palo Alto as well as some stats about them.

Lists

What is an external dynamic list? It is a list of known malicious sources maintained by some providers/persons on the Internet. These IP lists can be used to blacklist/block/deny connections from those sources. A good overview of such lists is “Blocklists of Suspected Malicious IPs and URLs” from Lenny Zeltser. I am currently using the following two well-known lists:

While the first one is simply a list of “malicious” IPv4 addresses, the second one is a combination of other sources that also includes fullbogons and other entries. FireHOL shows many graphs and stats about the distribution of their listed IP addresses. Follow the link above and have a look!

What about IPv6? Well, it seems that only legacy IP is widely supported. Bad. While FireHOL does not list any statement about that, the OpenBL FAQ says: “We are fully IPv6 enabled but the lists and the reporting currently only handle IPv4 since most of our hosts do not have a IPv6 address and also because there basically are no attacks against IPv6 targets worth mentioning, at least not yet.” I am not happy with this statement at all, but I also know that it is not easy to maintain IPv6 lists due to the large address space. (Should an IPv6 blacklist block a /128, /64 or even a /48 in case of abuse?) At least the Spamhaus Project has an IPv6 list, called DROPv6.

Some further notes:

  1. You should always check the quality of the list before using it. To my mind the two mentioned lists are quite “good”, however, note that they could be abused, too. Do some research about the trustworthiness before using it in your policies.
  2. Both lists are only IP address lists, that is, they are useful for blocking incoming connections. For outgoing (user initiated) connections you can use URL lists rather than IP lists. Lenny mentioned a few of them in his blog post. And the Palo Alto firewall is also able to use domain and even URL lists for security policies, etc.

Usage within Palo Alto

I am currently using a PA-200 with PAN-OS 7.1.7. The blacklists are configured under Objects -> External Dynamic Lists. They are of type “IP List”. Those dynamic objects can then be used within a security policy. In my case I have added two deny policies at the very beginning of my whole ruleset. Immediately after committing, the traffic log shows denied connections from various IPv4 addresses:

Some Stats

At first I wanted to verify whether the firewall had loaded the whole blacklists correctly. There are some CLI commands to see/refresh the lists, such as:

weberjoh@pa> request system external-list ?
> refresh    refresh external-lists
> show       Print IPs/Domains/URLs in an external list
> url-test   test accessibility for url


I captured this screenshot from the FireHOL page that shows 17.299 entries on January 30th, 2017. In fact, exactly the same valid entries were listed in the Palo Alto dynamic list at the same time, as the following listing shows. (Note that there are not only /32 host IPv4 addresses but also bigger [bigly?] networks such as /20):

weberjoh@pa> request system external-list show type ip name dyn_firehol

vsys1/dyn_firehol:
        Next update at        : Mon Jan 30 21:00:21 2017
        Source                : https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level1.netset
        Referenced            : Yes
        Valid                 : Yes

        Total valid entries   : 17299
        Total invalid entries : 34
        Valid ips:
                0.0.0.0/8
                1.10.16.0/20
                1.32.128.0/18
                1.93.0.224
                1.116.0.0/14
                1.178.179.217
                1.179.170.7
[...]

Of course it looks quite the same with IPv6, here with the Spamhaus DROPv6 list:

weberjoh@pa> request system external-list show type ip name dyn_Spamhaus-DROPv6
vsys1/dyn_Spamhaus-DROPv6:
        Next update at        : Wed Feb 15 05:13:38 2017
        Source                : https://www.spamhaus.org/drop/dropv6.txt
        Referenced            : Yes
        Valid                 : Yes

        Total valid entries   : 19
        Total invalid entries : 4
        Valid ips:
                2a07:5807::/32
                2a06:2a00::/29
                2a06:e480::/29
                2a06:4740::/29
                2a06:df80::/29
                2402:6680::/32
                2a0a:c00::/29
                2a06:f680::/29
                2404:e180::/32
                2a07:5780::/29
                2a06:d240::/29
                2a00:dfe0::/29
                2a07:5786::/32
                2607:f2d0::/32
                2803:5380:ffff::/48
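As an added example (my own code, not from the original post and not a Palo Alto, FireHOL or Spamhaus tool), the following Python parses both list formats shown above, FireHOL .netset lines with “#” comments and Spamhaus DROP lines with a trailing “; SBL…” comment, separates valid from invalid entries the way the firewall's “Total valid/invalid entries” counters do, and answers the question a deny policy referencing the EDL asks for each source IP: is it covered by a listed host or network? The list excerpts are constructed (the SBL ids are placeholders); only the ipaddress module from the standard library is used.

```python
import ipaddress

# Constructed excerpt in the FireHOL .netset style: "#" comments, one IP or
# CIDR per line. The last three lines are deliberately invalid.
FIREHOL_SAMPLE = """\
# firehol_level1.netset (constructed excerpt for this example)
0.0.0.0/8
1.10.16.0/20
1.93.0.224
1.178.179.217
300.1.2.3
1.10.16.0/33
not-an-ip
"""

# Constructed excerpt in the Spamhaus DROP style: ";" comments, "entry ; SBLid".
DROPV6_SAMPLE = """\
; Spamhaus IPv6 DROP List (constructed excerpt, placeholder SBL ids)
2a07:5807::/32 ; SBL000001
2a06:2a00::/29 ; SBL000002
2803:5380:ffff::/48 ; SBL000003
2a06:2a00::/129 ; SBL000004
"""


def parse_list(text):
    """Return (valid_networks, invalid_entries) for a list in either format."""
    valid, invalid = [], []
    for raw in text.splitlines():
        # Cut off both comment styles, then trim whitespace.
        entry = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not entry:
            continue
        try:
            # strict=False accepts a bare host address as a /32 or /128.
            valid.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            invalid.append(entry)
    return valid, invalid


def summarize(text):
    """Counts in the shape of the PAN-OS 'show' output."""
    valid, invalid = parse_list(text)
    return {"valid": len(valid), "invalid": len(invalid)}


def first_match(networks, address):
    """First listed network containing address, or None (policy lookup)."""
    ip = ipaddress.ip_address(address)
    for net in networks:
        if ip.version == net.version and ip in net:
            return net
    return None
```

Running summarize on the FireHOL sample reports 4 valid and 3 invalid entries, and first_match on 1.10.31.7 returns the /20 network, which is why the list blocks far more than 17,299 individual hosts.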


Now here is a custom report that shows all denied connections during the last calendar week, sorted by count (top 5), grouped by port. Many well-known ports such as SSH, telnet, SMTP, HTTP, NTP, SNMP, etc. are scanned from different IPv4 addresses all over the world:

I really like this feature, at least for my lab where not everything is business critical. To my mind blocking some “false positives” is still better than allowing some malicious connections (false negative).

More Links

Featured image: “Lists” by Steven Lilley is licensed under CC BY-SA 2.0.
