Firewall Black List 5.3.6
- 16 Apr 2023
- 6 Minutes to read
- DarkLight
- PDF
Firewall Black List 5.3.6
- Updated on 16 Apr 2023
- 6 Minutes to read
- DarkLight
- PDF
Article Summary
Share feedback
Thanks for sharing your feedback!
tags: python | FIREWALL BLOCK | EDL | PaloAlto EDL | Schedule based update
Description
Firewall Black List/EDL integration supports creating/updating/maintaining the External Dynamic List - also known as EDL. EDL is a text file that is hosted on a Blob so that the firewall can import objects — IP addresses, URLs, and domains — included in the list, and enforce policy under the firewalls.
Currently, Palo Alto Firewall can make use of this integration. As you modify the list, the firewall dynamically imports the list at the configured interval and enforces policy without the need to make a configuration change or a commit on the PaloAlto firewalls. For other firewall products, similar configurations can be made to support this integration.
CyberProof’s integration supports three types of entries: IP address, URL, and Domain.
The integration also supports the option of providing multiple entries for an IP/URL. This is done with the help of a CSV file, which can be uploaded in the CDC and processed to make the entry with a Time to Live (TTL) entry on EDL.
The integration effectively stops malicious communication by using the support of firewalls. These firewalls read the information from a blocked list and block the unwanted traffic.
The integration supports the following:
- The creation of an EDL file for IP/URL/Domain.
- Updating entries.
- Creating multiple entries for IP/URL.
- Removing entries from the EDL file, once the pre-defined/configured TTL is reached.
An external dynamic list of one type — IP address, URL, or Domain — must include entries of that type only.
• IP Address
Any malicious or suspicious IPs are added to the list that are internally blocked on the firewall, using EDL-related rules. The firewall treats an external dynamic list of type IP address as an address object; all of the IP addresses included in a list are handled as one address object.
• Domain
Any malicious or suspicious type domains are added in this EDL. This allows you to provide custom domain names to the firewall, to enforce policy using its blocking rules.
• URL
Any malicious or suspicious type URLs are added in this EDL. This allows you to provide custom URL names to the firewall, to enforce policy using its blocking rules.
| Integration Type: | Network Response |
| Information read: | No third-party API used. |
| Input: | Single or multiple IP address/URL/domain to be blocked and time to live for entry. |
| Output: | Automated creation of block entry in respective EDL file to prevent malicious communication using firewalls. |
| Output Stored in: | Azure Blob |
Customer Configuration
No customer configuration
CDC Command Lines
* **block_ip_cli**
The CLI of the CDC, of block-ip in the CDC message thread. The TTL days value should be minimum 1 and maximum 1095 (this is configurable).
| Option | Type | Description | Required |
|---|---|---|---|
| ip_address | string | The IP to block. | True |
| ttl_days | integer | Enter TTL days value. TTL days value should be greater than 0. | False |
* **block_multiple_ip_cli**
This will read the file from the CDC and enable the block multiple IP functionality. Files to be used as input in this CLI should be mandatorily in ".txt" format only. While making entries in the file, ensure that a new line is used as an entry separator between the two entries. Entries in the file should be in the format "IP_address | ttl_days". TTL days value should be minimum 1 and maximum 1095 (configurable). While running the CLI, enter Incident ID or Channel ID or Alert ID (in CDC version < 2.2 ).
| Option | Type | Description | Required |
|---|---|---|---|
| file_name | string | File Name | True |
| incident_id | string | Incident ID | False |
| channel_id | string | Channel ID | False |
| alert_id | string | Alert ID | False |
* **block_multiple_url_cli**
This will read the file from the CDC and enable the block multiple URL functionality. Files to be used as input in this CLI should be mandatorily in ".txt" format only. While making entries in the file, ensure that a new line is used as an entry separator between the two entries. Entries in the file should be in the format "URL | ttl_days". TTL days value should be minimum 1 and maximum 1095 (configurable). While running the CLI, enter Incident ID or Channel ID or Alert ID (in CDC version < 2.2).
| Option | Type | Description | Required |
|---|---|---|---|
| file_name | string | File Name | True |
| incident_id | string | Incident ID | False |
| channel_id | string | Channel ID | False |
| alert_id | string | Alert ID | False |
* **block_url_cli**
The CLI of the CDC, of block-url in the CDC message thread. TTL days value should be minimum 1 and maximum 1095 (configurable).
| Option | Type | Description | Required |
|---|---|---|---|
| url | string | The URL to block. | True |
| ttl_days | integer | Enter TTL days value. TTL days value should be greater than 0. | False |
* **check_ip_cli**
The CLI of the CDC, of check-ip in the CDC message thread.
| Option | Type | Description | Required |
|---|---|---|---|
| ip_address | string | The IP to check. | True |
* **check_url_cli**
The CLI of the CDC, of check-url in the CDC message thread.
| Option | Type | Description | Required |
|---|---|---|---|
| url | string | The URL to check. | True |
* **get_ip_entries_cli**
The CLI of the CDC, of get-ip-entries in the CDC message thread.
| Option | Type | Description | Required |
|---|---|---|---|
| file_name | string | EDL file name | False |
* **get_url_entries_cli**
The CLI of the CDC, of get-url-entries in the CDC message thread.
| Option | Type | Description | Required |
|---|---|---|---|
| file_name | string | EDL file name | False |
* **unblock_ip_cli**
The CLI of the CDC, of unblock-ip in the CDC message thread.
| Option | Type | Description | Required |
|---|---|---|---|
| ip_address | string | The IP to unblock. | True |
* **unblock_url_cli**
The CLI of the CDC, of unblock-url in the CDC message thread.
| Option | Type | Description | Required |
|---|---|---|---|
| url | string | The URL to unblock. | True |
* **validate_ip_cli**
The CLI of the CDC, of validate-ip in the CDC message thread.
| Option | Type | Description | Required |
|---|---|---|---|
| ip_address | string | The IP to validate. | True |
* **validate_url_cli**
The CLI of the CDC, of validate-url in the CDC message thread.
| Option | Type | Description | Required |
|---|---|---|---|
| url | string | The URL to validate. | True |
Workflows
* **block_multiple_ip_from_blob**
The CLI of the CDC, of block-multiple-ip in the CDC message thread.
* **block_multiple_url_from_blob**
The CLI of the CDC, of block-multiple-url in the CDC message thread.
* **get_cdc_version**
get_cdc_version
* **get_file_content**
This workflow is used to get content of the file attached to the CDC incident or alert or channel.
* **post_block_ip**
Post block-ip in the CDC, by the ID of the incident/message/channel.
* **post_block_url**
Post block-url in the CDC, by the ID of the incident/message/channel.
* **post_check_ip**
Post check-ip in the CDC, by the ID of the incident/message/channel.
* **post_check_url**
Post check-url in the CDC, by the ID of the incident/message/channel.
* **post_get_ip_entries**
Post get-ip-entries in the CDC, by the ID of the incident/message/channel.
* **post_get_url_entries**
Post get-url-entries in the CDC, by the ID of the incident/message/channel.
* **post_unblock_ip**
Post unblock-ip in the CDC, by the ID of the incident/message/channel.
* **post_unblock_url**
Post unblock-url in the CDC, by the ID of the incident/message/channel.
* **post_validate_ip**
Post validate-ip in the CDC, by the ID of the incident/message/channel.
* **post_validate_url**
Post validate-url in the CDC, by the ID of the incident/message/channel.
* **scheduler_ip**
IP scheduler.
* **scheduler_url**
URL scheduler.
Rules
* **handle_ip_scheduler**
Scheduler for IP that runs at 00:00 UTC. The scheduler includes the following steps : (1) Add expiry date to the existing IPs in the file. (2) Back up the file. (3) Delete the expired IPs from the file. (4) Back up the file after the deletion of expired IPs.
* **handle_url_scheduler**
Scheduler for URL that runs at 00:00 UTC. The scheduler includes following steps : (1) Add expiry date to the existing URLs in the file. (2) Back up the file. (3) Delete the expired URLs from the file. (4) Back up the file after deletion of expired URLs.
Sensors
No sensors
Triggers
No triggers
Known Issues
No known issues
Change Log
| Pack Version | Date of Merge | Changes |
|---|---|---|
| v5.3.4 | 2022-05-20 | Changed for publishing ReadMe on Doc360. |
| v5.3.3 | 2022-05-06 | Added step to generate ReadMe in bitbucket-pipelines.yml and updated common logic version to v2.5.1. |
| v5.3.2 | 2022-03-04 | Added uca-linter to bitbucket-pipelines.yml. |
| v5.3.1 | 2022-01-03 | Changed Logo URL and size in adaptive card. |
| v5.3.0 | 2021-11-01 | Fixed linter rejects. |
| v5.2.0 | 2021-10-26 | Updated common logic version to v2.0.7, change in workflow for get-file-content using CDC version. |
Was this article helpful?