Firewall Black List 5.3.6
  • 16 Apr 2023

tags: python | FIREWALL BLOCK | EDL | PaloAlto EDL | Schedule based update


Description

The Firewall Black List/EDL integration supports creating, updating, and maintaining an External Dynamic List (EDL). An EDL is a text file hosted on a Blob so that the firewall can import the objects included in the list (IP addresses, URLs, and domains) and enforce policy on them.

Currently, the Palo Alto firewall can make use of this integration. As you modify the list, the firewall dynamically imports it at the configured interval and enforces policy without the need for a configuration change or a commit on the Palo Alto firewalls. For other firewall products, similar configurations can be made to support this integration.

CyberProof’s integration supports three types of entries: IP address, URL, and Domain.

The integration also supports providing multiple entries for an IP/URL. This is done with a CSV file, which can be uploaded in the CDC and processed to add each entry to the EDL with a Time to Live (TTL).

The integration effectively stops malicious communication through the firewalls, which read the entries from the blocked list and block the unwanted traffic.

The integration supports the following:

  1. The creation of an EDL file for IP/URL/Domain.
  2. Updating entries.
  3. Creating multiple entries for IP/URL.
  4. Removing entries from the EDL file, once the pre-defined/configured TTL is reached.

An external dynamic list of one type — IP address, URL, or Domain — must include entries of that type only.

• IP Address

Malicious or suspicious IPs are added to this list and are blocked on the firewall using EDL-related rules. The firewall treats an external dynamic list of type IP address as an address object; all of the IP addresses included in a list are handled as one address object.

• Domain

Malicious or suspicious domains are added to this EDL. This allows you to provide custom domain names to the firewall, which enforces policy on them using its blocking rules.

• URL

Malicious or suspicious URLs are added to this EDL. This allows you to provide custom URLs to the firewall, which enforces policy on them using its blocking rules.

Integration Type: Network Response
Information read: No third-party API used.
Input: Single or multiple IP address/URL/domain to be blocked and time to live for entry.
Output: Automated creation of block entry in respective EDL file to prevent malicious communication using firewalls.
Output Stored in: Azure Blob

Customer Configuration

No customer configuration


CDC Command Lines

* **block_ip_cli**
The CDC CLI for block-ip in the CDC message thread. The TTL days value must be at least 1 and at most 1095 (this is configurable).

| Option | Type | Description | Required |
| --- | --- | --- | --- |
| ip_address | string | The IP to block. | True |
| ttl_days | integer | Enter TTL days value. TTL days value should be greater than 0. | False |

* **block_multiple_ip_cli**
This reads the file from the CDC and runs the block-multiple-IP functionality. Input files for this CLI must be in ".txt" format. In the file, use a new line as the separator between entries. Entries must be in the format "IP_address | ttl_days". The TTL days value must be at least 1 and at most 1095 (configurable). When running the CLI, enter the Incident ID, Channel ID, or Alert ID (in CDC version < 2.2).

| Option | Type | Description | Required |
| --- | --- | --- | --- |
| file_name | string | File Name | True |
| incident_id | string | Incident ID | False |
| channel_id | string | Channel ID | False |
| alert_id | string | Alert ID | False |

* **block_multiple_url_cli**
This reads the file from the CDC and runs the block-multiple-URL functionality. Input files for this CLI must be in ".txt" format. In the file, use a new line as the separator between entries. Entries must be in the format "URL | ttl_days". The TTL days value must be at least 1 and at most 1095 (configurable). When running the CLI, enter the Incident ID, Channel ID, or Alert ID (in CDC version < 2.2).

| Option | Type | Description | Required |
| --- | --- | --- | --- |
| file_name | string | File Name | True |
| incident_id | string | Incident ID | False |
| channel_id | string | Channel ID | False |
| alert_id | string | Alert ID | False |
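
The "entry | ttl_days" file format described for block_multiple_ip_cli and block_multiple_url_cli can be checked before the file is uploaded. The following Python is an added example, not the integration's own code: `parse_block_file`, `validate_ip`, `parse_ttl`, the keep-the-longest-TTL rule for duplicates and the sample addresses are assumptions, and a URL file would pass its own validator in place of `validate_ip`.

```python
import ipaddress

TTL_MIN, TTL_MAX = 1, 1095  # bounds stated on this page (configurable there)

def validate_ip(value):
    """Return the canonical form of one IPv4/IPv6 address, or raise ValueError."""
    return str(ipaddress.ip_address(value))

def parse_ttl(text):
    """Return ttl_days as an int if it is plain decimal and within bounds, else None."""
    if text.isascii() and text.isdigit() and len(text) <= 4:
        days = int(text)
        if TTL_MIN <= days <= TTL_MAX:
            return days
    return None

def parse_block_file(text, validate=validate_ip):
    """Return (accepted {entry: ttl_days}, rejected [(line_no, raw_line, reason)])."""
    accepted, rejected = {}, []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip():
            continue  # tolerate blank lines between entries
        # Split on the last "|" so a URL that itself contains "|" stays whole.
        entry, sep, ttl_text = raw.rpartition("|")
        if not sep:
            rejected.append((lineno, raw, "expected 'entry | ttl_days'"))
            continue
        try:
            entry = validate(entry.strip())
        except ValueError:
            rejected.append((lineno, raw, "invalid entry"))
            continue
        ttl = parse_ttl(ttl_text.strip())
        if ttl is None:
            rejected.append((lineno, raw, "ttl_days outside 1..1095"))
            continue
        # Assumed policy: a repeated entry keeps the longest requested TTL.
        accepted[entry] = max(ttl, accepted.get(entry, 0))
    return accepted, rejected

# Constructed sample file (documentation-range addresses, not real indicators).
SAMPLE = (
    "203.0.113.7 | 30\n198.51.100.20|365\n2001:db8::1 | 7\n203.0.113.7 | 90\n"
    "10.0.0.300 | 30\n192.0.2.5 | 0\n192.0.2.6 | 2000\n192.0.2.9\n"
)

if __name__ == "__main__":
    accepted, rejected = parse_block_file(SAMPLE)
    print(accepted, rejected, sep="\n")
```

Rejected lines are returned with their line numbers so the file can be corrected rather than partially applied without notice.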

* **block_url_cli**
The CDC CLI for block-url in the CDC message thread. The TTL days value must be at least 1 and at most 1095 (configurable).

| Option | Type | Description | Required |
| --- | --- | --- | --- |
| url | string | The URL to block. | True |
| ttl_days | integer | Enter TTL days value. TTL days value should be greater than 0. | False |

* **check_ip_cli**
The CDC CLI for check-ip in the CDC message thread.

| Option | Type | Description | Required |
| --- | --- | --- | --- |
| ip_address | string | The IP to check. | True |

* **check_url_cli**
The CDC CLI for check-url in the CDC message thread.

| Option | Type | Description | Required |
| --- | --- | --- | --- |
| url | string | The URL to check. | True |

* **get_ip_entries_cli**
The CDC CLI for get-ip-entries in the CDC message thread.

| Option | Type | Description | Required |
| --- | --- | --- | --- |
| file_name | string | EDL file name | False |

* **get_url_entries_cli**
The CDC CLI for get-url-entries in the CDC message thread.

| Option | Type | Description | Required |
| --- | --- | --- | --- |
| file_name | string | EDL file name | False |

* **unblock_ip_cli**
The CDC CLI for unblock-ip in the CDC message thread.

| Option | Type | Description | Required |
| --- | --- | --- | --- |
| ip_address | string | The IP to unblock. | True |

* **unblock_url_cli**
The CDC CLI for unblock-url in the CDC message thread.

| Option | Type | Description | Required |
| --- | --- | --- | --- |
| url | string | The URL to unblock. | True |

* **validate_ip_cli**
The CDC CLI for validate-ip in the CDC message thread.

| Option | Type | Description | Required |
| --- | --- | --- | --- |
| ip_address | string | The IP to validate. | True |

* **validate_url_cli**
The CDC CLI for validate-url in the CDC message thread.

| Option | Type | Description | Required |
| --- | --- | --- | --- |
| url | string | The URL to validate. | True |

Workflows

* **block_multiple_ip_from_blob**
The CDC CLI for block-multiple-ip in the CDC message thread.

* **block_multiple_url_from_blob**
The CDC CLI for block-multiple-url in the CDC message thread.

* **get_cdc_version**
get_cdc_version

* **get_file_content**
This workflow gets the content of the file attached to the CDC incident, alert, or channel.

* **post_block_ip**
Post block-ip in the CDC, by the ID of the incident/message/channel.

* **post_block_url**
Post block-url in the CDC, by the ID of the incident/message/channel.

* **post_check_ip**
Post check-ip in the CDC, by the ID of the incident/message/channel.

* **post_check_url**
Post check-url in the CDC, by the ID of the incident/message/channel.

* **post_get_ip_entries**
Post get-ip-entries in the CDC, by the ID of the incident/message/channel.

* **post_get_url_entries**
Post get-url-entries in the CDC, by the ID of the incident/message/channel.

* **post_unblock_ip**
Post unblock-ip in the CDC, by the ID of the incident/message/channel.

* **post_unblock_url**
Post unblock-url in the CDC, by the ID of the incident/message/channel.

* **post_validate_ip**
Post validate-ip in the CDC, by the ID of the incident/message/channel.

* **post_validate_url**
Post validate-url in the CDC, by the ID of the incident/message/channel.

* **scheduler_ip**
IP scheduler.

* **scheduler_url**
URL scheduler.


Rules

* **handle_ip_scheduler**
Scheduler for IP that runs at 00:00 UTC. The scheduler includes the following steps: (1) Add expiry date to the existing IPs in the file. (2) Back up the file. (3) Delete the expired IPs from the file. (4) Back up the file after the deletion of expired IPs.

* **handle_url_scheduler**
Scheduler for URL that runs at 00:00 UTC. The scheduler includes the following steps: (1) Add expiry date to the existing URLs in the file. (2) Back up the file. (3) Delete the expired URLs from the file. (4) Back up the file after the deletion of expired URLs.
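
The four nightly steps of handle_ip_scheduler and handle_url_scheduler, modelled in Python as an added example (not the integration's own code). The in-memory entry map, `run_scheduler`, `render_edl`, the 30-day default TTL and the rule that an entry expiring today is removed are assumptions; this page does not specify them.

```python
from datetime import date, timedelta

DEFAULT_TTL_DAYS = 30  # assumed default; this page does not state one

def run_scheduler(entries, today, default_ttl=DEFAULT_TTL_DAYS):
    """Apply the four nightly steps to an in-memory list.

    entries maps indicator -> expiry date (None when none is recorded yet).
    Returns (active, removed, backups); the input mapping is not modified.
    """
    # (1) Add an expiry date to every entry that lacks one.
    fallback = today + timedelta(days=default_ttl)
    stamped = {k: (v if v is not None else fallback) for k, v in entries.items()}
    # (2) Back up before deleting, so a wrong purge can be rolled back.
    backups = [dict(stamped)]
    # (3) Delete expired entries. Assumption: an entry expiring today is expired.
    active = {k: v for k, v in stamped.items() if v > today}
    removed = sorted(set(stamped) - set(active))
    # (4) Back up the list as the firewall will import it next.
    backups.append(dict(active))
    return active, removed, backups

def render_edl(active):
    """One entry per line, sorted so successive versions diff cleanly."""
    return "".join(f"{entry}\n" for entry in sorted(active))

# Constructed sample state (documentation-range addresses, not real indicators).
TODAY = date(2023, 4, 16)
SAMPLE_ENTRIES = {
    "203.0.113.7": date(2023, 4, 16),    # expires today
    "198.51.100.20": date(2023, 4, 17),  # one day left
    "192.0.2.5": None,                   # no expiry recorded yet
    "203.0.113.9": date(2023, 1, 1),     # long expired
}

if __name__ == "__main__":
    active, removed, backups = run_scheduler(SAMPLE_ENTRIES, TODAY)
    print(render_edl(active), end="")
    print("removed (no longer blocked after the next import):", removed)
```

The `removed` list is worth logging each night, since traffic to those entries stops being blocked once the firewall re-imports the list.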


Sensors

No sensors


Triggers

No triggers


Known Issues

No known issues


Change Log

| Pack Version | Date of Merge | Changes |
| --- | --- | --- |
| v5.3.4 | 2022-05-20 | Changed for publishing ReadMe on Doc360. |
| v5.3.3 | 2022-05-06 | Added step to generate ReadMe in bitbucket-pipelines.yml and updated common logic version to v2.5.1. |
| v5.3.2 | 2022-03-04 | Added uca-linter to bitbucket-pipelines.yml. |
| v5.3.1 | 2022-01-03 | Changed Logo URL and size in adaptive card. |
| v5.3.0 | 2021-11-01 | Fixed linter rejects. |
| v5.2.0 | 2021-10-26 | Updated common logic version to v2.0.7, change in workflow for get-file-content using CDC version. |