
This is a cool and easy-to-use (security) feature of Palo Alto Networks firewalls: External Dynamic Lists, which can be populated from (free) third-party IP lists to block malicious inbound connections. In my case I am using two free IP lists to deny any connection from those sources into my network/DMZ. I show the configuration of such lists on the Palo Alto as well as some statistics about them.

What is an external dynamic list? It is a list of known malicious sources maintained by a provider or individual on the Internet. Such IP lists can be used to blacklist/block/deny connections from those sources.

Objects => External Dynamic Lists

View the IP Address Limit For Your Firewall Model
Irrespective of the firewall model, each firewall supports a maximum of 10 Dynamic Block Lists. To find the maximum number of addresses, address groups, and IP addresses per group for your model of firewall, use the following CLI command:
show system state | match cfg.general.max-address
For example:
admin@PA-7050>  show system state | match cfg.general.max-address
cfg.general.max-address: 80000
cfg.general.max-address-group: 8000
cfg.general.max-address-per-group: 500
Each list can contain the maximum number of addresses supported by your firewall model minus 300. Up to 300 IP addresses are reserved for internal use on the firewall and are deducted from the available limit. Therefore, in the example above, the firewall can have a maximum of 79,700 IP addresses.
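The sizing rule above (model maximum minus the 300 reserved addresses, and no more than 10 lists) is easy to get wrong by hand when feeds grow. The following Python script is an added example, not part of the original post or of any Palo Alto Networks tool: it parses output shaped like the `show system state | match cfg.general.max-address` lines shown above (the sample text is constructed to match that output) and checks a set of feed sizes against the derived limits. The feed names and entry counts in `check_edls` are hypothetical.

```python
import re

# The post states 300 addresses are reserved for internal use on the firewall
RESERVED_ADDRESSES = 300
# The post states each firewall supports at most 10 dynamic block lists
MAX_DYNAMIC_LISTS = 10

# Constructed sample in the same shape as the CLI output quoted above
SAMPLE_OUTPUT = """\
cfg.general.max-address: 80000
cfg.general.max-address-group: 8000
cfg.general.max-address-per-group: 500
"""

# One "key: integer" line per limit, e.g. "cfg.general.max-address: 80000"
_LINE_RE = re.compile(r"^(cfg\.general\.[\w-]+):\s*(\d+)\s*$")


def parse_system_state(text: str) -> dict:
    """Parse the matched `show system state` lines into {key: int}."""
    limits = {}
    for line in text.splitlines():
        m = _LINE_RE.match(line.strip())
        if m:
            limits[m.group(1)] = int(m.group(2))
    return limits


def usable_edl_capacity(limits: dict) -> int:
    """Per-list ceiling: the model's max-address value minus the reserved 300."""
    max_addr = limits["cfg.general.max-address"]
    return max(0, max_addr - RESERVED_ADDRESSES)


def check_edls(edl_sizes: dict, limits: dict) -> list:
    """Return human-readable problems for a set of external dynamic lists.

    edl_sizes maps a list name to the number of entries its feed currently
    contains (hypothetical values supplied by the caller).
    """
    problems = []
    capacity = usable_edl_capacity(limits)
    if len(edl_sizes) > MAX_DYNAMIC_LISTS:
        problems.append(
            f"{len(edl_sizes)} lists configured, limit is {MAX_DYNAMIC_LISTS}"
        )
    for name, size in edl_sizes.items():
        if size > capacity:
            problems.append(
                f"{name}: {size} entries exceeds per-list capacity of {capacity}"
            )
    return problems


if __name__ == "__main__":
    limits = parse_system_state(SAMPLE_OUTPUT)
    print("usable entries per list:", usable_edl_capacity(limits))  # 79700
    # Hypothetical feed sizes, constructed for illustration only
    for problem in check_edls({"feed-a": 12000, "feed-b": 85000}, limits):
        print("WARNING:", problem)
```

In practice you would paste the real CLI output into `parse_system_state` (or feed it from a scripted session) and replace the hypothetical feed sizes with the line counts of the lists you actually subscribe to; a feed that has grown past the derived capacity is worth catching before it is committed to the policy.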