Subscribing to the DShield Top 20 on a Palo Alto Networks Firewall
This question has come up a few times in my recent travels, and it seemed like something to post for our readers. I hope you find it useful; comments welcome!
Overview
This walkthrough covers the steps for subscribing to our top 20 block list on a Palo Alto Networks firewall and shows how to build a rule that uses the external block list. You can create rules to block both inbound and outbound traffic; this walkthrough includes only an outbound rule. Any outbound traffic from an internal host to an address on the top 20 list should be considered suspect, prevented, and then investigated.
Our DShield Top 20 List can always be found here:
http://feeds.dshield.org/block.txt
The source for the parsed and Palo Alto Networks formatted version of the DShield block list can be found here:
http://panwdbl.appspot.com/lists/dshieldbl.txt
The full source of external block lists:
It is my understanding that this ‘unofficial’ source is maintained by a Palo Alto Networks systems engineer, although this is not confirmed.
Creating the External Block List Subscription
1. Go to Objects -> Dynamic Block Lists
2. Click Add
A. Name the External Block List Subscription (e.g. DShield Recommended Block List.)
B. Copy the preformatted subscription from our unofficial formatting app http://panwdbl.appspot.com/lists/dshieldbl.txt and paste into source block.
C. Click Test Source URL
You have just subscribed to an External Block List (EBL). Once an hour this subscription will poll the external block source and automatically update itself. This does not actually apply the feed to any rules or policies; in the next section we will create an outbound blocking rule looking for Indicators of Compromise.
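To show what the parsing step between the raw feed and the firewall-ready list involves, here is an added Python example; it is not the code behind panwdbl.appspot.com or anything from this diary. It assumes block.txt rows are tab-delimited as start address, end address, prefix length, then descriptive columns, and that the firewall wants one CIDR per line; the sample rows and the MIN_PREFIX floor are constructed for illustration.

```python
import ipaddress

# Constructed sample in the tab-delimited layout assumed for block.txt:
# start, end, prefix length, then descriptive columns. Addresses are
# documentation ranges, not real feed data.
SAMPLE_FEED = (
    "# DShield-style comment header (constructed)\n"
    "Start\tEnd\tNetmask\tAttacks\tName\tCountry\temail\n"
    "192.0.2.0\t192.0.2.255\t24\t1500\tEXAMPLE-NET-1\tZZ\tabuse@example.net\n"
    "198.51.100.0\t198.51.100.255\t24\t900\tEXAMPLE-NET-2\tZZ\tabuse@example.org\n"
    "0.0.0.0\t255.255.255.255\t0\t1\tBROKEN-ROW\tZZ\tnone\n"
    "203.0.113.7\t203.0.113.255\t24\t10\tMISALIGNED\tZZ\tnone\n"
)

MIN_PREFIX = 16  # hypothetical sanity floor: refuse anything broader than a /16


def to_ebl(feed_text, min_prefix=MIN_PREFIX):
    """Return (cidr_lines, rejected_rows) for a block.txt-style feed."""
    accepted, rejected = [], []
    for raw in feed_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("Start"):
            continue  # comments, blanks and the column header carry no netblock
        fields = line.split("\t")
        try:
            start, end, prefix = fields[0], fields[1], int(fields[2])
            # strict=True rejects a start address that has host bits set
            net = ipaddress.ip_network(f"{start}/{prefix}", strict=True)
            if net.prefixlen < min_prefix:
                raise ValueError("prefix too broad")
            if str(net.broadcast_address) != end:
                raise ValueError("end does not match prefix")
        except (IndexError, ValueError) as exc:
            rejected.append((line, str(exc)))
            continue
        accepted.append(str(net))
    return accepted, rejected


if __name__ == "__main__":
    cidrs, bad = to_ebl(SAMPLE_FEED)
    print("\n".join(cidrs))
    for row, why in bad:
        print(f"rejected: {row!r} ({why})")
```

The rejected rows are the point of the sanity checks: a single overly broad or malformed entry in a list that feeds a deny rule would block far more than the intended netblocks.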
Creating the Outbound Rule
Overview
There are several ways to use an EBL. One of the most common is to block or restrict inbound flows, and although this should be done, we will use a different method for this example. In this section we will block and alert on outbound traffic from our L3-Trust to L3-Untrust (basically from our trusted internal zone to our untrusted external zone; your naming convention may differ). This will serve as a possible indicator of compromise (IoC).
On the topic of IoC, let's be clear that this can only serve as a possible indicator of compromise. Mileage may vary depending on your EBL. The DShield EBL (the EBL selected for this lab) is a list hosted by the Internet Storm Center that has been maintained for over a decade. Any communication to those hosts should be considered suspect, but it is not a clear case for declaring a compromise. Regardless, it should be best current practice (BCP) to at least alert on this traffic outbound. Inbound traffic from these hosts and netblocks is largely considered noise. Please direct any questions regarding the DShield Recommended Block list to handlers@isc.sans.edu. For the history behind the DShield top 20, check out https://isc.sans.edu/about.html.
WARNING!!!!!!!!!
Step 2.d. is critical! If you miss step 2.d. you will shadow all your other rules and stop all outbound traffic in your environment. Please pay CLOSE attention to step 2.d. YOU HAVE BEEN WARNED!!!! Do not miss this step. Also, for troubleshooting: if all your traffic stops after this walk-through, you can disable the rule and troubleshoot your External Block List.
1. Go to Policies -> Security
2. Click Add
A. Give the Rule a Name (e.g. EBL DShield Rule)
B. Under the source tab select L3-Trust or your trusted internal zone name (remember this is an IoC rule, not just a normal block noise rule).
C. Under the destination tab select L3-Untrust or your untrusted external zone.
D. Under the destination tab in the destination address select the DShield EBL subscription. (DO NOT MISS THIS STEP!)
E. Under the actions tab change allow to deny. Optionally you can set logging to an external syslog here as well.
F. Click okay.
G. Highlight the new rule, click move, which can be found at the bottom of the GUI, and select top. We are moving this rule to the top as we want to catch all attempts to reach the EBL outbound before any other rule is triggered.
H. Commit
NOTE: If you receive a warning as indicated in the screenshot, check your internet connection, as it indicates that the EBL was not reachable. Also, some EBLs have maximum polling counts and only allow a refresh every so often (e.g. 1 hour). This limit could have been triggered when you tested the URL connection. These are two reasons why your EBL may not be reachable.
It is also possible to check the EBL on the CLI:
> request system external-list refresh name <object name>
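The shadowing that the warning about step 2.d describes can be seen in a small model of top-down, first-match rule evaluation. This is an added Python example, not PAN-OS code or configuration: the Rule tuple, the Allow-Outbound rule, the sample list contents and the model's default action are assumptions, and real rules match on more than zones and destination address.

```python
import ipaddress
from collections import namedtuple

# Simplified model of a security rule: zones, destination address, action.
Rule = namedtuple("Rule", "name src_zone dst_zone dst_addr action")
ANY = "any"


def matches(rule, src_zone, dst_zone, dst_ip):
    if (rule.src_zone, rule.dst_zone) != (src_zone, dst_zone):
        return False
    if rule.dst_addr == ANY:
        return True
    return any(dst_ip in net for net in rule.dst_addr)


def evaluate(rules, src_zone, dst_zone, dst_ip):
    """Top-down evaluation, first match wins; returns (rule name, action)."""
    ip = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if matches(rule, src_zone, dst_zone, ip):
            return rule.name, rule.action
    return "model-default", "deny"  # assumed default for the model


def shadowed_by_top_deny(rules):
    """Names of later same-zone rules that a top deny-to-any rule hides."""
    top = rules[0]
    if top.action != "deny" or top.dst_addr != ANY:
        return []
    return [r.name for r in rules[1:]
            if (r.src_zone, r.dst_zone) == (top.src_zone, top.dst_zone)]


# Constructed list contents (documentation ranges standing in for the EBL).
EBL = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]
ALLOW_OUT = Rule("Allow-Outbound", "L3-Trust", "L3-Untrust", ANY, "allow")
# Step D done: the destination address is the EBL subscription.
GOOD = [Rule("EBL DShield Rule", "L3-Trust", "L3-Untrust", EBL, "deny"), ALLOW_OUT]
# Step D missed: the destination address is still "any".
BAD = [Rule("EBL DShield Rule", "L3-Trust", "L3-Untrust", ANY, "deny"), ALLOW_OUT]

if __name__ == "__main__":
    for label, policy in (("step D done", GOOD), ("step D missed", BAD)):
        print(label, "shadowed:", shadowed_by_top_deny(policy))
        for dst in ("192.0.2.44", "203.0.113.10"):
            print(" ", dst, evaluate(policy, "L3-Trust", "L3-Untrust", dst))
```

With the destination set, only traffic to listed netblocks hits the deny rule and everything else falls through to the next rule; with the destination left at "any", every outbound flow stops at the top rule.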
Comments
Regards
Martin
Anonymous
Feb 24th 2015
9 years ago
Anonymous
Feb 24th 2015
9 years ago
The same techniques can be used to populate a blocklist with Team Cymru's fullbogon list:
https://www.team-cymru.org/bogon-reference-http.html
Anonymous
Feb 25th 2015
9 years ago
Anonymous
Feb 25th 2015
9 years ago
It seems that it's not working. I'm checking the EBL from CLI:
admin@PA-500(active)> request system external-list url-test https://panwdbl.appspot.com/lists/shdrop.txt
URL is accessible
admin@PA-500(active)> request system external-list refresh name <myblocklistname>
EBL refresh job enqueued
admin@PA-500(active)> request system external-list show name <myblocklistname>
Server error : external list file not found
It seems that I can't download the full content of the .txt list.
Any idea?
Thanks in advance
Regards
Anonymous
Apr 14th 2015
9 years ago
I encountered the same issue and it turns out that you need to first configure a security rule referencing the Dynamic Block List object.
For your reference: https://live.paloaltonetworks.com/docs/DOC-4724
Cheers!
Snippet from the URL above:
The following errors (from their respective commands) may be seen on the CLI:
> request system external-list show name <object name>
Server error : external list file not found.
or
> show jobs id <value> (where <value> is an EBL refresh job) may return the error:
Warnings:
EBL(vsys1/test) Unable to fetch external list. Using old copy for refresh.
The above errors suggest that the issue may be with the web server that hosts the IP address list. However, in many cases the list was successfully retrieved ('Source URL is accessible' when testing in the GUI), but the Palo Alto Networks device was not able to read it. Verify that the source address is pointing to a '.txt' file on an HTTP/HTTPS URL.
For example: https://www.myserver.com/blocklist.txt
If using a HTTPS location, please make sure it is on PAN-OS 5.0.10 or above. If running a lower version, the 'Test URL' option in the GUI may return an error, although it is working properly.
Note: In order to see the list on the firewall, the DBL needs to be used in a policy.
The error may also appear if the security rule is not configured with a dynamic block list or if the target vsys is not set in a multi-vsys system.
Anonymous
May 7th 2015
9 years ago
Link to external links:
https://github.com/jtschichold/panwdbl-actions
Link to Palo Alto Networks formatted version of the DShield block list:
https://raw.githubusercontent.com/jtschichold/panwdbl-actions/dshield/dshieldbl.txt
Anonymous
Jun 3rd 2021
3 years ago