To implement a custom threat feed in Palo Alto Networks firewalls (via Panorama or on a standalone device), you configure an External Dynamic List (EDL). The firewall fetches the list of malicious IP addresses, domains, or URLs from your feed URL over HTTP/HTTPS at a recurring interval and enforces it in security policy, for blocking or for monitoring, without a commit each time the feed changes.
Here's a step-by-step procedure for integrating your provided custom feed into Palo Alto Networks devices:
Step 1: Log into the Palo Alto Management Interface
Open a web browser and go to your Palo Alto Management IP address.
Example: https://<Palo_Alto_Management_IP>
Log in using your admin credentials.
Step 2: Configure the External Dynamic List (EDL)
Go to Objects in the top menu.
In the left pane, click External Dynamic Lists (Objects > External Dynamic Lists; it is its own entry, not part of Security Profiles).
Click Add to create a new EDL.
Fill in the following details:
Name: Give your EDL a descriptive name, such as AbuseFirewall_Bad_IPs.
Type: Select the type that matches the content of your feed (each EDL holds exactly one type, so a feed that mixes IPs and domains needs one EDL per type):
For IP addresses, CIDR subnets, or IP ranges, select IP List.
For URLs, select URL List.
For domains, select Domain List.
Source: Enter your feed URL, such as:
https://www.abusefirewall.com:5000/bad-ips?api_key=4ExampleAPIKEYadsadaXZZZZZZXDsdsd
Note that an API key placed in the query string is stored in the firewall configuration and may appear in logs on both ends. If your feed supports HTTP basic authentication, prefer the EDL's Client Authentication option (username/password) over a key in the URL.
Certificate Profile: If the feed is served over HTTPS, select a certificate profile so the firewall validates the feed server's certificate. Create one (Device > Certificate Management > Certificate Profile) that trusts the issuing CA if the server's certificate is not already trusted. Without server-certificate validation, anyone able to intercept the connection can substitute their own list, which is a serious problem for a feed that drives a block policy.
Recurring Update: Set the refresh interval to match how often the feed changes. PAN-OS offers fixed choices such as Five Minute, Hourly, Daily, Weekly, and Monthly; Hourly is a sensible default for a feed that is regenerated a few times a day.
Optional:
List Entries and Exceptions: Use Test Source URL to confirm the firewall can reach the feed, then open the List Entries and Exceptions tab to view the entries that were pulled. Any entry you add as an exception here is excluded from enforcement, which is the right place to whitelist a false positive without editing the feed itself.
Click OK to save the EDL.
Step 3: Decide How the EDL Is Referenced in Policy
An IP List EDL is used directly as a Source Address or Destination Address in a security policy rule; no address group is required. (A Dynamic address group matches on tags registered to IP addresses, not on EDL names, so an address group with Match set to the EDL name would match nothing.)
A URL List EDL is referenced as a URL category, either in the security policy's URL Category field or in a URL Filtering profile.
A Domain List EDL is referenced in an Anti-Spyware profile under DNS Signatures, where matching DNS queries can be blocked or sinkholed.
The rest of this procedure uses the IP List case (AbuseFirewall_Bad_IPs).
Step 4: Create a Security Policy to Block or Monitor Traffic
Go to Policies in the top menu.
Select Security from the left pane.
Click Add to create a new security policy.
Fill in the following details:
Name: Provide a descriptive name, such as Block_AbuseFirewall_Bad_IPs.
Description: Optional, add a brief description of what the policy does.
Source Zone: Select any or specify the zones where the traffic originates. For outbound blocking this is typically your internal zones.
Source Address: Leave as any, or narrow the scope. To also block inbound connections from listed addresses, create a second rule with the EDL as the Source Address and your internal networks as the destination.
Destination Zone: Select the destination zones relevant to your setup (typically the untrust/Internet zone).
Destination Address: Select the EDL created in Step 2 (AbuseFirewall_Bad_IPs). It appears alongside address objects and address groups.
Application: Leave as any unless you want to narrow the match by application.
Service: Leave as any.
Action: Select Deny (or Drop) to block traffic. For a monitor-only rollout, select Allow; the rule then changes nothing except producing a log entry for every hit. In either case enable Log at Session End on the Actions tab.
Rule order matters: move the new rule above any broad allow rule (for example a general "allow outbound" rule), otherwise traffic to the listed addresses is matched by the earlier rule and this one never fires.
Click OK to save the policy.
Step 5: Commit the Configuration
In the top-right corner, click Commit.
Review the changes and click Commit again to apply the configuration to the firewall.
Step 6: Verify the Integration and Monitor Security Logs
Go to Monitor in the top menu.
Select Logs > Traffic.
Filter by the security policy name to see whether traffic matching the feed is being blocked or monitored, for example with the log filter ( rule eq 'Block_AbuseFirewall_Bad_IPs' ).
Review the logs to confirm that the entries from the EDL are being applied. From the CLI you can also check what the firewall currently holds and force a refresh without waiting for the interval:
request system external-list show type ip name AbuseFirewall_Bad_IPs
request system external-list refresh type ip name AbuseFirewall_Bad_IPs
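The feed URL in Step 2 is only as safe as the file behind it: a malformed line is silently skipped by the firewall, a duplicate wastes capacity, and an internal or customer address that slips into a block feed takes production traffic down on the next refresh. The following script is an added example (not part of the original page or of any vendor tool) of the sanity pass a feed producer should run before publishing an IP List EDL. It assumes the PAN-OS IP-list format of one entry per line (single IP, CIDR subnet, or range a-b) and that anything after a # is a comment; the sample feed and the "never block" ranges, including the 203.0.113.0/24 "own range", are constructed for the example.

```python
"""Sanity-check raw feed data before serving it as a PAN-OS IP List EDL.

Added example, not code from the original page. Assumes the EDL format
is one entry per line (IP, CIDR, or "low-high" range); the feed and the
protected ranges below are constructed for illustration.
"""
import ipaddress

# Ranges that must never appear in a feed that drives a Deny rule.
# RFC1918, loopback, link-local, plus an assumed "own" public range.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
    "203.0.113.0/24",   # assumption: the organisation's own public prefix
)]


def parse_entry(raw):
    """Normalise one raw line to an EDL entry string, or None if unusable."""
    line = raw.split("#", 1)[0].strip()     # assumption: '#' starts a comment
    if not line:
        return None
    try:
        if "-" in line:                      # range form: low-high
            lo, hi = (ipaddress.ip_address(p.strip()) for p in line.split("-", 1))
            if lo.version != hi.version or lo > hi:
                return None                  # mixed families or inverted range
            return f"{lo}-{hi}"
        net = ipaddress.ip_network(line, strict=False)
        # Emit a host entry as a bare address rather than /32 or /128.
        if net.prefixlen == net.max_prefixlen:
            return str(net.network_address)
        return str(net)
    except ValueError:
        return None


def overlaps_protected(entry):
    """True if the entry would cover any address in NEVER_BLOCK."""
    if "-" in entry:
        lo, hi = (ipaddress.ip_address(p) for p in entry.split("-"))
        for net in NEVER_BLOCK:
            if net.version == lo.version and lo <= net.broadcast_address \
                    and hi >= net.network_address:
                return True
        return False
    net = ipaddress.ip_network(entry, strict=False)
    return any(net.version == p.version and net.overlaps(p) for p in NEVER_BLOCK)


def build_edl(raw_lines, max_entries):
    """Return (entries, rejected): deduplicated entries in input order, and
    (raw_line, reason) pairs for everything dropped other than blank/comment lines."""
    seen, entries, rejected = set(), [], []
    for raw in raw_lines:
        entry = parse_entry(raw)
        if entry is None:
            if raw.strip() and not raw.strip().startswith("#"):
                rejected.append((raw, "malformed"))
            continue
        if entry in seen:
            continue
        if overlaps_protected(entry):
            rejected.append((raw, "protected"))
            continue
        if len(entries) >= max_entries:      # stay under the firewall's EDL capacity
            rejected.append((raw, "over capacity"))
            continue
        seen.add(entry)
        entries.append(entry)
    return entries, rejected


def render(entries):
    """Serialise entries in the one-per-line form the firewall downloads."""
    return "\n".join(entries) + "\n"


# Constructed sample feed exercising each rejection path.
SAMPLE_FEED = """\
# constructed sample feed
198.51.100.7
198.51.100.7            # duplicate of the line above
198.51.100.0/24
203.0.113.55            # inside the assumed own range
192.168.1.10            # RFC1918
192.0.2.10-192.0.2.20
192.0.2.30-192.0.2.25   # inverted range
not-an-ip
2001:db8::/32
"""

if __name__ == "__main__":
    entries, rejected = build_edl(SAMPLE_FEED.splitlines(), max_entries=50000)
    print(render(entries), end="")
    for raw, reason in rejected:
        print(f"rejected ({reason}): {raw.strip()}")
```

Serve the output of render() at the feed URL and publish the rejected list to whoever maintains the feed; a "protected" rejection in particular should page someone, because it means a block for your own address space was one refresh away. The max_entries cap should be set below the per-model EDL IP capacity of the firewall so entries are dropped by you, visibly, rather than by the firewall, silently.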
Optional: Get Notified About EDL Refresh Failures
The EDL object itself has no notification setting; the firewall records each refresh, including failures to reach the source or a rejected certificate, in Monitor > Logs > System.
To be alerted, go to Device > Log Settings and forward System logs (filtered to the EDL-related entries if you prefer) to email, syslog, or your SIEM. A feed that silently stops refreshing keeps enforcing its last good copy, so a failed refresh is worth knowing about quickly.
Additional Considerations:
Certificate Profile for HTTPS Feeds: If your feed server uses a certificate from a private CA, import the CA certificate under Device > Certificate Management > Certificates, build a certificate profile that trusts it, and assign that profile to the EDL. If the feed server's certificate later changes or expires, the refresh fails until the profile is updated, which is another reason to watch the System log.
Performance and Capacity: Each firewall model enforces a maximum number of IP entries across all EDLs, and entries beyond that limit are not enforced. Keep the feed deduplicated and aggregated (publish 198.51.100.0/24 rather than 256 host entries), review its size regularly, and use the CLI "request system external-list show" output to confirm how many entries the firewall actually loaded.
Licensing for URL and Domain Lists: A URL List EDL can be matched directly in the security policy's URL Category field; using it inside a URL Filtering profile requires a URL Filtering license. A Domain List EDL is enforced through the Anti-Spyware profile's DNS Signatures settings, which require a Threat Prevention license.
With this setup the firewall pulls your custom threat feed on a schedule and enforces it in policy, so blocking a newly reported address is a matter of updating the feed rather than committing a configuration change.