This post follows on from my article detailing the setup of Palo Alto Minemeld on Ubuntu 18.04. We will now configure the External Dynamic List feature of a Palo Alto Firewall to consume your Minemeld feed. The steps here pertain to a PA, however other vendors firewalls offer the same feature but the principal is the same. Minemeld uses standard https for access to your feeds.
1. Setup the certificate profile and chain. Device > Certificate Management > Certificate Profile. Create a new certificate profile and add the chain certificates from your Minemeld server:
2. It’s now time to configure your EDL. Objects > External Dynamic Lists > Add >
– Name the list.
– Type set URL List.
– Set the source URL to the https link from your minemeld feed.
– If you enabled authentication on your feed, tick the client authentication box and fill in the credentials
– Check for updates, this is configurable, set to hourly.
Note that the PA will not download the list unless it is a security policy. The config also needs to be commited.
3. Add your EDL list to a security policy. I have a URL filtering policy so I am going to block the list as a category like so:
Objects > URL Filtering > Click on your URL filter > Under External Dynamic URL Lists:
Set the list to Block (Site Access) and Block (User Credential Submission).
4. Commit the changes. Alternatively you can create a security policy that references your EDL:
Policies > Security > Add > Under Service / URL Category you can set the EDL per the screenshot:
Set the Policy action to Deny.
All done! You are now automatically blocking malicious threats with a curated dynamic list. You are now free to go and grab a coffee, enjoy!