Palo Alto Networks devices are supported differently from all other devices we support. Rather than using our patented DNS mechanism to update policies and target lists, we use the built-in Palo Alto feature called Dynamic Block List.
- ThreatSTOP has only performed limited testing of Palo Alto Networks devices.
- As noted in the PA Administrators Guide for release 6.0, there is a limit of 4700 entries to a single Dynamic Block List (page 237). We provide up to 8 block list URLs and one allow list URL.
- If this is a new device and new policy, please wait about 15 minutes before attempting to apply the policy to the PAN device.
This page only describes creating simple ThreatSTOP policies, one for inbound and one for outbound traffic, but more complex uses are possible.
You must have PAN-OS 6.1 or greater running on the Palo Alto Networks device.
You should have set up your basic connectivity etc. to the device from a management station.
You should confirm that the management station's web client can connect to the firewall and log in to it. Using that login session you should confirm that the PAN device can also access/download URLs from the Internet. In particular you should check that your device can:
It is recommended that you save the configuration prior to applying the ThreatSTOP changes.
While the portal setup is still largely as described in Introduction – Adding a Device, the single-device setup for PANOS has one extra field added to it: Lines in Block. The methodology for PANOS logging setup allows the users to submit up to eight (8) log blocks as established in Setup – Device steps 3-4. The widest range of PANOS devices support 36,000 addresses (split into chunks of 4,500 apiece). However, some devices are able to support more than this 36,000 address limit, while others are not able to support this amount. Due to this variation we've allowed an adjustment to the number of address objects per dynamic block list. To figure out the number of lines to allow in each dynamic block list for your device, take the maximum number of addresses supported by your device, divide by 8, and subtract about 300 lines per block (to give a little buffer room for internal addressing). Enter the result in Lines in Block and click Next.
- Lines in Block: The maximum number of addresses supported by your device (m), minus 300 lines of buffer, and divided by 8.
- Connect to the PAN device using a web browser, log in and select Objects and then Dynamic Block Lists and then add a new list.
- You should call the list ThreatSTOP-block1 and add the source URL as follows: https://www.threatstop.com/lists/<block list name>.<ThreatSTOP account ID>.threatstop.local
Click on the Test Source URL button and confirm that the device is able to download the blocklists without errors. If successful, set the Repeat pull-down to Hourly and set the time to 08, then press OK.
Now repeat the process to create additional block lists, replacing the 001 in the URL with 002 to 008 and similarly replacing the ThreatSTOP-block1 with ThreatSTOP-block2 to ThreatSTOP-block8 in the name.
Having done that, you should create the ThreatSTOP allow list in the same way. You should call the list ThreatSTOP-allow and add the source URL as follows: https://www.threatstop.com/lists/
Now go to Policies, and add an inbound policy that permits traffic originating with the ThreatSTOP-allow list (source) in the untrust zone to anything in the trust zone.
Then below this add a second inbound policy that denies traffic originating with the eight ThreatSTOP-block objects (source) in the untrust zone to anything in the trust zone.
Now repeat these steps for outbound traffic (i.e. destinations are the ThreatSTOP lists in the untrust zone and the source is all traffic from the trust zone). When this is done you should have policies similar to those in the image below.
Your list names need to include the hyphens. Omitting these will prevent your logs from being processed. The format to follow is:
- Once these policies have been committed, your firewall is protected by ThreatSTOP.
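A pre-commit check for the lists configured above, as an added example that is not ThreatSTOP or Palo Alto code: it verifies that each list name keeps the required hyphen, that every entry parses, and that the entry count fits the Lines in Block value. The entry format (one IP, CIDR subnet or start-end range per line, `#` for comments), the function names and the sample addresses are assumptions made for this example.

```python
import ipaddress
import re

# Names required by this page, hyphen included: ThreatSTOP-block1..8, ThreatSTOP-allow.
NAME_RE = re.compile(r"^ThreatSTOP-(block[1-8]|allow)$")

# Constructed sample body (documentation address ranges), not real ThreatSTOP data.
SAMPLE_BODY = "192.0.2.0/24\n198.51.100.7\n203.0.113.10-203.0.113.20\n"


def parse_entry(line):
    """True if line is an IP, a CIDR subnet or a start-end range (assumed format)."""
    try:
        if "-" in line:
            start, end = (ipaddress.ip_address(p.strip()) for p in line.split("-", 1))
            return start.version == end.version and start <= end
        ipaddress.ip_network(line, strict=False)
        return True
    except ValueError:
        return False


def check_list(name, body, lines_in_block):
    """Return a list of problems; an empty list means the list looks safe to commit."""
    problems = []
    if not NAME_RE.match(name):
        problems.append(f"{name}: expected ThreatSTOP-block1..8 or ThreatSTOP-allow")
    # Blank lines and '#' comment lines are skipped (assumption about the format).
    entries = [s for s in (l.strip() for l in body.splitlines())
               if s and not s.startswith("#")]
    bad = [e for e in entries if not parse_entry(e)]
    if bad:
        problems.append(f"{name}: {len(bad)} unparseable entries, first {bad[0]!r}")
    if len(entries) > lines_in_block:
        problems.append(f"{name}: {len(entries)} entries exceed Lines in Block "
                        f"({lines_in_block})")
    return problems


if __name__ == "__main__":
    # A name without the hyphen is reported, which is the log-processing failure
    # this page warns about.
    for list_name in ("ThreatSTOP-block1", "ThreatSTOPblock1"):
        print(list_name, check_list(list_name, SAMPLE_BODY, 4200) or "ok")
```

Run it against the text saved from each source URL before committing; any reported problem should be resolved before relying on the deny rules.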
Submitting Your Logs
You can use an external syslog server and a script that uploads the most recent log data to submit log data to ThreatSTOP.
Submitting Your Logs via Syslog
There is a separate page that explains in detail how to set up the syslog server to receive the firewall logs and direct them to a dedicated file that is suitable for upload. It is assumed that the syslog server has the same external IP address as the firewall. If it does not, then please check with ThreatSTOP support to work through the slight changes needed to make this work.
Log Upload via "Scheduled Log Export"
While this method of uploading logs does work, with "Scheduled Log Export" the results shown in the ThreatSTOP reporting system will be for the previous 24 hours and older recorded logs.
Connect to the PAN device using a web browser, log in and select Device and then "Scheduled Log Export" and then add a new entry.
In the dialog you should set the following:
- Log Type to "traffic"
- Protocol to FTP
- Hostname as "logs.threatstop.com"
- Path to "/logs/PAN"
- Username to "anonymous"
No password is required and FTP Passive Mode should generally be enabled.
The firewall uploads this data once per day.
A guide to troubleshooting common problems. If you are confused or if these steps do not help then please contact ThreatSTOP support.
ThreatSTOP rules do not appear to block anything
The most likely reason is that you have not correctly entered the firewall's IP address in the ThreatSTOP device definition page or that you have not entered the block list name correctly.
Finally, you should confirm that the ThreatSTOP policies are active on the zones you think they are.
ThreatSTOP blocks access to places it shouldn't
Although ThreatSTOP tries very hard to ensure that we have zero false positives in our standard lists, we do occasionally miss something. Please report the offending domain and IP address to ThreatSTOP support. Also, before contacting us, please check in the log file that the IP address is indeed being blocked by the ThreatSTOP rules.
If you need to allow access to a location quickly, you should add the IP address to a user-defined allow list in the Policies & Lists page on the ThreatSTOP portal. Note that you should make sure that the policy you are using includes that allow list.
No Logs Uploaded
In many cases logging issues are related to issue 1) above. If running the "validip" test described above is successful, then you should verify that "log enable" is set appropriately in the current configuration (all ThreatSTOP firewall drop rules should have log enable in them).
Steps to Remove ThreatSTOP Configurations from PAN Devices
Removing a PAN device from TSCM will remove the ThreatSTOP configurations on the PAN device. You will need to log onto your PAN device and perform the following steps:
Disable the ThreatSTOP Policy Rules - these rules reference the dynamic block lists and the log forwarding profile. Until these policy rules are removed, you will be unable to delete the configurations under Policies->Security:
- Check each of the four ThreatSTOP policy rules
- Click Disable at the bottom of the policy rules window
- Log in to the management device.
Enter tsadmin remove <device name>
This will remove the PANOS device and all ThreatSTOP Policy Rules, as well as the dynamic block lists and log forwarding profile.
Removing the ThreatSTOP objects will not remove references to ThreatSTOP Logging and Reporting if it has been referenced in other objects. If implemented, these will need to be removed by hand. In addition, the log forwarding profile and syslog server profiles will also need to be manually deleted.