Firewall Black List 5.3.1

06 Apr 2025

tags: python | FIREWALL BLOCK | EDL | PaloAlto EDL | Schedule based update

Description

The Firewall Black List/EDL integration creates, updates, and maintains an External Dynamic List (EDL). An EDL is a text file hosted on a Blob from which the firewall imports the objects in the list (IP addresses, URLs, and domains) and enforces policy on them.

Currently, the Palo Alto firewall can make use of this integration. As you modify the list, the firewall dynamically imports it at the configured interval and enforces policy without a configuration change or a commit on the PaloAlto firewalls. Similar configurations can be made for other firewall products to support this integration.

CyberProof's integration supports three types of entries: IP address, URL, and Domain.

The integration also supports providing multiple entries for an IP/URL at once. This is done with a CSV file that is uploaded to the CDC and processed to create each entry on the EDL with a Time to Live (TTL).

The integration stops malicious communication by relying on the firewalls: they read the blocked list and block the unwanted traffic.

The integration supports the following:

  1. The creation of an EDL file for IP/URL/Domain.

  2. Updating entries.

  3. Creating multiple entries for IP/URL.

  4. Removing entries from the EDL file, once the pre-defined/configured TTL is reached.

An external dynamic list of one type — IP address, URL, or Domain — must include entries of that type only.

• IP Address

Malicious or suspicious IPs added to this list are blocked on the firewall by EDL-based rules. The firewall treats an external dynamic list of type IP address as an address object; all of the IP addresses included in the list are handled as one address object.

• Domain

Malicious or suspicious domains are added to this EDL. This allows you to provide custom domain names to the firewall, which enforces policy on them using its blocking rules.

• URL

Malicious or suspicious URLs are added to this EDL. This allows you to provide custom URLs to the firewall, which enforces policy on them using its blocking rules.

Integration Type: Prevention
Information read: No third-party API used.
Input: Single or multiple IP addresses / URLs / domains to be blocked, and the Time to Live for each entry.
Output: Automated creation of a block entry in the respective EDL file, so that the firewalls prevent the malicious communication.
Output stored in: Azure Blob

CDC Command Lines

  • block_ip_cli
    The block-ip command in the CDC message thread. The TTL days value should be a minimum of 1 and a maximum of 1095 (this is configurable).
    Option     | Type    | Description                                          | Required
    ip_address | string  | The IP to block.                                     | True
    ttl_days   | integer | The TTL in days. The value should be greater than 0. | False
  • block_multiple_ip_cli
    Reads the file from the CDC and enables the block-multiple-IP functionality. Input files for this CLI must be in ".txt" format. When making entries in the file, separate consecutive entries with a new line. Entries in the file should be in the format "IP_address | ttl_days". The TTL days value should be a minimum of 1 and a maximum of 1095 (configurable). When running the CLI, enter the Incident ID, Channel ID, or Alert ID (in CDC version < 2.2).
    Option      | Type   | Description | Required
    file_name   | string | File name   | True
    incident_id | string | Incident ID | False
    channel_id  | string | Channel ID  | False
    alert_id    | string | Alert ID    | False
  • block_multiple_url_cli
    Reads the file from the CDC and enables the block-multiple-URL functionality. Input files for this CLI must be in ".txt" format. When making entries in the file, separate consecutive entries with a new line. Entries in the file should be in the format "URL | ttl_days". The TTL days value should be a minimum of 1 and a maximum of 1095 (configurable). When running the CLI, enter the Incident ID, Channel ID, or Alert ID (in CDC version < 2.2).
    Option      | Type   | Description | Required
    file_name   | string | File name   | True
    incident_id | string | Incident ID | False
    channel_id  | string | Channel ID  | False
    alert_id    | string | Alert ID    | False
  • block_url_cli
    The block-url command in the CDC message thread. The TTL days value should be a minimum of 1 and a maximum of 1095 (configurable).
    Option   | Type    | Description                                          | Required
    url      | string  | The URL to block.                                    | True
    ttl_days | integer | The TTL in days. The value should be greater than 0. | False
  • check_ip_cli
    The check-ip command in the CDC message thread.
    Option     | Type   | Description      | Required
    ip_address | string | The IP to check. | True
  • check_url_cli
    The check-url command in the CDC message thread.
    Option | Type   | Description       | Required
    url    | string | The URL to check. | True
  • get_ip_entries_cli
    The get-ip-entries command in the CDC message thread.
    Option    | Type   | Description    | Required
    file_name | string | EDL file name. | False
  • get_url_entries_cli
    The get-url-entries command in the CDC message thread.
    Option    | Type   | Description    | Required
    file_name | string | EDL file name. | False
  • unblock_ip_cli
    The unblock-ip command in the CDC message thread.
    Option     | Type   | Description        | Required
    ip_address | string | The IP to unblock. | True
  • unblock_url_cli
    The unblock-url command in the CDC message thread.
    Option | Type   | Description         | Required
    url    | string | The URL to unblock. | True
  • validate_ip_cli
    The validate-ip command in the CDC message thread.
    Option     | Type   | Description         | Required
    ip_address | string | The IP to validate. | True
  • validate_url_cli
    The validate-url command in the CDC message thread.
    Option | Type   | Description          | Required
    url    | string | The URL to validate. | True
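The block_multiple_* CLIs read a newline-separated ".txt" file of "entry | ttl_days" lines, and the description above states that an EDL of one type must contain entries of that type only. The following validator is an added example written for this page; it is not CyberProof's code and does not call the CDC. The TTL limits (1 to 1095 days) are taken from the page; the IP/domain/URL classification rules, the `Entry` type, the function names and the sample file are my own assumptions.

```python
"""Added example, not part of the Firewall Black List integration's own code:
validate the "entry | ttl_days" input file accepted by block_multiple_ip_cli
and block_multiple_url_cli before anything is written to the EDL."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlparse

TTL_MIN, TTL_MAX = 1, 1095   # page: minimum 1, maximum 1095 days (configurable)

# Hostname: labels of 1-63 chars, no leading/trailing hyphen, alphabetic TLD.
_DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I
)


@dataclass
class Entry:
    value: str
    ttl_days: int


def entry_type(value: str) -> Optional[str]:
    """Classify an entry as 'ip', 'domain' or 'url'; None if it is none of these.
    (Assumed classification rules, not the integration's own.)"""
    try:
        ipaddress.ip_network(value, strict=False)   # host IPs and CIDR ranges
        return "ip"
    except ValueError:
        pass
    if _DOMAIN_RE.match(value):
        return "domain"
    if "://" in value or "/" in value:
        parsed = urlparse(value if "://" in value else "http://" + value)
        if parsed.netloc:
            return "url"
    return None


def check_file_name(file_name: str) -> bool:
    """The CLIs accept ".txt" input files only."""
    return file_name.lower().endswith(".txt")


def parse_block_file(text: str, expected: str) -> Tuple[List[Entry], List[str]]:
    """Parse newline-separated 'entry | ttl_days' lines for an EDL of type
    `expected` ('ip', 'domain' or 'url'). Returns (accepted, rejection reasons).
    An entry of the wrong type is rejected because an EDL holds one type only."""
    accepted: List[Entry] = []
    rejected: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue                          # blank lines are ignored
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 2:
            rejected.append(f"line {lineno}: expected 'entry | ttl_days', got {line!r}")
            continue
        value, ttl_text = parts
        if not ttl_text.isdigit() or not TTL_MIN <= int(ttl_text) <= TTL_MAX:
            rejected.append(f"line {lineno}: ttl_days must be {TTL_MIN}..{TTL_MAX}, got {ttl_text!r}")
            continue
        kind = entry_type(value)
        if kind != expected:
            rejected.append(f"line {lineno}: {value!r} is {kind or 'unrecognised'}, not {expected}")
            continue
        accepted.append(Entry(value, int(ttl_text)))
    return accepted, rejected


# Constructed sample upload (documentation-range addresses), not a real file.
SAMPLE_IP_FILE = """\
203.0.113.10 | 30
198.51.100.0/24 | 7
example.com | 30
203.0.113.11 | 0
203.0.113.12 | 2000
not an entry
"""

if __name__ == "__main__":
    ok, bad = parse_block_file(SAMPLE_IP_FILE, "ip")
    for e in ok:
        print("accept", e.value, e.ttl_days)
    for reason in bad:
        print("reject", reason)
```

Rejecting a whole line rather than silently clamping the TTL or dropping the type check is deliberate: a domain that slips into the IP list is not blocked by the firewall's address-object rule, and a TTL of 0 or of thousands of days defeats the expiry scheduler described later on the page.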

Workflows

  • block_multiple_ip_from_blob
    The block-multiple-ip command in the CDC message thread.

  • block_multiple_url_from_blob
    The block-multiple-url command in the CDC message thread.

  • get_cdc_version
    Gets the CDC version.

  • get_file_content
    Gets the content of a file attached to the CDC incident, alert, or channel.

  • post_block_ip
    Post block-ip in the CDC, by the ID of the incident/message/channel.

  • post_block_url
    Post block-url in the CDC, by the ID of the incident/message/channel.

  • post_check_ip
    Post check-ip in the CDC, by the ID of the incident/message/channel.

  • post_check_url
    Post check-url in the CDC, by the ID of the incident/message/channel.

  • post_get_ip_entries
    Post get-ip-entries in the CDC, by the ID of the incident/message/channel.

  • post_get_url_entries
    Post get-url-entries in the CDC, by the ID of the incident/message/channel.

  • post_unblock_ip
    Post unblock-ip in the CDC, by the ID of the incident/message/channel.

  • post_unblock_url
    Post unblock-url in the CDC, by the ID of the incident/message/channel.

  • post_validate_ip
    Post validate-ip in the CDC, by the ID of the incident/message/channel.

  • post_validate_url
    Post validate-url in the CDC, by the ID of the incident/message/channel.

  • scheduler_ip
    IP scheduler.

  • scheduler_url
    URL scheduler.


Rules

  • handle_ip_scheduler
    Scheduler for IPs that runs at 00:00 UTC. The scheduler performs the following steps: (1) Add an expiry date to the existing IPs in the file. (2) Back up the file. (3) Delete the expired IPs from the file. (4) Back up the file after the expired IPs have been deleted.

  • handle_url_scheduler
    Scheduler for URLs that runs at 00:00 UTC. The scheduler performs the following steps: (1) Add an expiry date to the existing URLs in the file. (2) Back up the file. (3) Delete the expired URLs from the file. (4) Back up the file after the expired URLs have been deleted.
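The four scheduler steps above, carried out on a local copy of an EDL file, as an added example that is not the integration's own rule code. The page does not say where the integration records expiry dates, so this example assumes a sidecar JSON file next to the EDL (the EDL itself keeps the one-entry-per-line format the firewall reads); the backup naming, the `run_scheduler` function, the default TTL and the sample entries are likewise assumptions.

```python
"""Added example, not CyberProof's own code: the IP/URL scheduler steps
(add expiry dates, back up, delete expired entries, back up again)
on an EDL file with an assumed sidecar file holding the expiry dates."""
import json
import shutil
import tempfile
from datetime import date, datetime, timedelta, timezone
from pathlib import Path
from typing import Dict, List

DEFAULT_TTL_DAYS = 30   # assumed fallback for entries with no TTL recorded


def _load_edl(edl: Path) -> List[str]:
    """One entry per line; '#' lines are comments and blank lines are skipped."""
    lines = (line.strip() for line in edl.read_text().splitlines())
    return [line for line in lines if line and not line.startswith("#")]


def _backup(edl: Path, tag: str, today: date) -> Path:
    """Copy the EDL to <name>.<date>.<tag>.txt beside it (assumed naming)."""
    dst = edl.with_name(f"{edl.stem}.{today.isoformat()}.{tag}{edl.suffix}")
    shutil.copy2(edl, dst)
    return dst


def run_scheduler(edl: Path, pending_ttl: Dict[str, int], today: date) -> dict:
    """Run the four scheduler steps for `edl` as of `today`.
    `pending_ttl` maps newly blocked entries to the TTL days given at block time."""
    meta_path = edl.with_suffix(".expiry.json")          # assumed sidecar
    expiry = json.loads(meta_path.read_text()) if meta_path.exists() else {}
    entries = _load_edl(edl)

    # (1) Add expiry date = today + TTL to entries that do not have one yet.
    for entry in entries:
        if entry not in expiry:
            ttl = pending_ttl.get(entry, DEFAULT_TTL_DAYS)
            expiry[entry] = (today + timedelta(days=ttl)).isoformat()
    meta_path.write_text(json.dumps(expiry, indent=2))

    # (2) Back up the file before anything is removed.
    before = _backup(edl, "pre", today)

    # (3) Delete entries whose expiry date has been reached (00:00 UTC run).
    kept = [e for e in entries if date.fromisoformat(expiry[e]) > today]
    removed = [e for e in entries if e not in kept]
    edl.write_text("\n".join(kept) + ("\n" if kept else ""))
    for entry in removed:
        expiry.pop(entry, None)
    meta_path.write_text(json.dumps(expiry, indent=2))

    # (4) Back up the file again after the deletion.
    after = _backup(edl, "post", today)
    return {"removed": removed, "kept": kept, "expiry": expiry,
            "backups": [before.name, after.name]}


def demo() -> dict:
    """Constructed sample: three IPs, one already expired, one just blocked."""
    work = Path(tempfile.mkdtemp())
    edl = work / "blocked_ips.txt"
    edl.write_text("203.0.113.10\n203.0.113.11\n203.0.113.12\n")
    (work / "blocked_ips.expiry.json").write_text(json.dumps({
        "203.0.113.10": "2025-04-01",   # expiry passed: must be removed
        "203.0.113.11": "2025-05-01",   # still valid
    }))
    # 203.0.113.12 has no expiry yet; block_ip_cli recorded a 7-day TTL for it.
    return run_scheduler(edl, {"203.0.113.12": 7}, date(2025, 4, 6))


if __name__ == "__main__":
    print(demo())
    # A real run would use the UTC date of the 00:00 UTC execution:
    print(datetime.now(timezone.utc).date())
```

Taking the backup both before and after the deletion, as the page's rule does, is what makes the removal reversible: if an entry was expired by mistake, the "pre" copy still holds it, and the "post" copy documents exactly what the firewall imported next.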


Sensors

No sensors


Triggers

No triggers


Known Issues

No known issues

