Tag Archives: Palo Alto

Real Time Block Lists with Palo Alto Firewalls

If you use a Palo Alto firewall, a new feature since PanOS 5.0 is the real time block lists. I’ve had a few people ask me how to set them up so here is the instructions.

To know what the max number of IPs that your firewall can handle in the RBL, run the following command from the CLI.

show system state | match cfg.general.max-address

This will give you the maximum number of IPs you can have in the list.

Next in the gui on your Palo Alto device, head to objects and then in the left, go to Dynamic Block Lists.


Here is the list of block lists that I’ve configured. To create a new one, click on the add button and give the list a name and a web source for the list. Decide how often you want it to update.


Finally you need to create a deny rule blocking these sites inbound.


Commit the changes and you are off to the races. I often will leave logging on for a bit to see what is being blocked, but eventually, I turn it off because I don’t really care what traffic I am dropping.

Here is a list of sites I pull in. It appears some of these might be managed by a Palo Alto engineer, but I am not certain about this.

  • DSheild Top 20 – https://panwdbl.appspot.com/lists/dshieldbl.txt
  • https://www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt
  • SpamHaus – https://panwdbl.appspot.com/lists/shdrop.txt (Spam list)
  • Zues Tracker – https://panwdbl.appspot.com/lists/zeustrackerbadips.txt
  • Malware Domain List – https://panwdbl.appspot.com/lists/mdl.txt
  • Openblock List – http://panwdbl.appspot.com/lists/openbl.txt




Palo Alto User Identification

I am in the final phase of staging our Palo Alto 5050 in the office. We are planning to deploy this unit as both an edge and datacentre firewall.

It’s a pretty nifty device. Before even implementing it, we have been able to use it in what’s called TAP mode to look at what kind of traffic is traversing our network. It’s very surprising to see what is chewing up bandwidth. The biggest surprise for me was iCloud. I couldn’t believe the gigs of data being transferred back and forth from Apple.

One of the caveats I have found so far with setting it up is when you setup your captive portal to pick up guest users. We created both a guest account for truly guest users but also give the end user a chance to authenticate using AD credentials on the captive portal for more access.  Your authentication has to be local database first before your LDAP lookup in the AD. Otherwise it tries to authenticate in AD first, then gives up without checking the local database.