
Experts,

 

We have been using the following for many years now http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt on our border CISCO ASA firewalls with great success and little to no issues. A script pulls the new list, compares it with the old one and applies the delta.  We are currently switching to PaloAlto FWs and it appears that scripting/importing this large list may not be as easy as it was with the ASA.

 

Can those of you who use the ET list with PaloAlto give us some feedback/scripts/API on how you implemented it? We are also considering moving it to our border CISCO router either as an ACL or as a Null route, any feedback with the latter and/or scripts you may be using? My primary concern with using Null route is the fact that as far as I understand it, it can only block outbound traffic. The router ACL can accomplish blocking in/out, but my concern is with performance. What say you?


Comments

I have had multiple requests for the script we have been using, so here it is for everyone. If you improve on it, or see any issues with it (hopefully there are no issues since we have been using it for a few years :) ) please let me know … and yes, that long while-do line was a personal challenge that started small and grew to something I had to defeat :)

 

#!/bin/sh
ET=/var/log/security/EmergingThreats

# Fetch the current revision marker of the list
wget --quiet --timeout=20 --no-cache --output-document=$ET/FWrev http://rules.emergingthreats.net/fwrules/FWrev

# Compare new and old rev; nothing to do if the list has not changed
if ! cmp -s $ET/FWrev $ET/FWrev.old; then echo "CHANGE"; else exit; fi

# get new list
wget --quiet --timeout=20 --no-cache --output-document=$ET/emerging-Block-IPs.txt http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt

# Filter the new list and remove our Nets and IPs for College use but hosted and possibly on the list
NSUNEWS=`nslookup nsunewsroom.com | grep Address | tail -1 | cut -d " " -f 2`
FAIRDATA=`nslookup www.fairdata2000.com | grep Address | tail -1 | cut -d " " -f 2`
# if a lookup failed, use a pattern that matches no IP line instead of an empty sed regex
NSUNEWS=${NSUNEWS:-NOMATCH}; FAIRDATA=${FAIRDATA:-NOMATCH}

# keep only lines starting with a digit, strip trailing comments, drop RFC1918 and our own space
sed -e '/^[0-9]/!d' -e 's/#.*//g' \
    -e '/^192\.168\./d' -e '/^172\.1[6-9]\./d' -e '/^172\.2[0-9]\./d' -e '/^172\.3[0-1]\./d' -e '/^10\./d' \
    -e '/^192\.68\.217\./d' -e '/^199\.112\.11[2-9]\./d' -e '/^199\.111\.12[0-7]\./d' \
    -e '/^204\.155\.17[6-9]\./d' -e '/^204\.155\.18[0-9]\./d' -e '/^204\.155\.19[0-1]\./d' \
    -e "/$NSUNEWS/d" -e "/$FAIRDATA/d" \
    $ET/emerging-Block-IPs.txt | sort | uniq > $ET/emerging-Block-IPs.txt.processed

# Print the Difference
diff $ET/emerging-Block-IPs.txt.processed.old $ET/emerging-Block-IPs.txt.processed

# Write some nice ACL: "<" lines dropped off the list, ">" lines are new
echo; echo; echo CISCO Command to execute; echo
echo object-group network Net_EmergingThreats
diff $ET/emerging-Block-IPs.txt.processed.old $ET/emerging-Block-IPs.txt.processed | while read -r line; do
    case "$line" in
        "<"*) PREFIX="no " ;;   # removed from the list: take it out of the object-group
        ">"*) PREFIX=""    ;;   # added to the list: put it in
        *)    continue     ;;   # "---", "12a13" and similar diff noise
    esac
    ADDR=`echo $line | cut -d " " -f 2`
    if echo $ADDR | grep -q "/"; then
        NET=`echo $ADDR | cut -d "/" -f 1`
        MASK=`whatmask $(echo $ADDR | cut -d "/" -f 2) | grep "Netmask =" | cut -d " " -f 4`
        echo "${PREFIX}network-object $NET $MASK"
    else
        echo "${PREFIX}network-object host $ADDR"
    fi
done

# Back up the old list
cp $ET/FWrev $ET/FWrev.old
cp $ET/emerging-Block-IPs.txt.processed $ET/emerging-Block-IPs.txt.processed.old

 

 

Message from jstapleton@computer-business.com

We do this kind of thing in a Vyatta bridge so that we don’t have to do it in our FW.  To avoid creating a single point of failure, we build these bridges on hardware that supports bypass option.

 

Message from reitsmac@denison.edu

Your processed list contains 10,689 lines. On a recent case with Palo Alto I was told:
As I see in the case description that you were talking about address limits on the firewall, I got the info for you. Here are the max limits for PA-2050:

max-address: 10000 
max-address-group: 1000 
max-address-per-group: 500 

The strength of the Palo Alto firewall is its application/threat/vulnerability identification. So, I do block a few hundred addresses but mostly depend on the ability to identify a threat and block that.

As for updating addresses and groups in a running Palo Alto firewall you might use their Pan Perl Package which can be downloaded from their support DevCenter:
#read addresses from primary host
panxapi -t pa1 -srx "devices/entry/vsys/entry[@name='vsys1']/address" >addresses.xml

#read address groups from primary host
panxapi -t pa1 -srx "devices/entry/vsys/entry[@name='vsys1']/address-group" >groups.xml

These give you the addresses and address-groups in xml. For example:
  <entry name="verify1">
    <ip-netmask>114.207.244.143/32</ip-netmask>
  </entry>
  <entry name="verify2">
    <ip-netmask>114.207.244.144/32</ip-netmask>
  </entry>

  <entry name="block">
    <member>verify1</member>
    <member>verify2</member>
  </entry>

Change your script to add your addresses and groups in xml format. Then write them back:

#write addresses to primary host
panxapi -t pa1 -e ./addresses.xml "/config/devices/entry/vsys/entry[@name='vsys1']/address"

#write address groups to secondary host
panxapi -t pa1 -e ./groups.xml "/config/devices/entry/vsys/entry[@name='vsys1']/address-group"

And commit the changes:
#commit changes on primary host
panxapi -t pa1 -C "<commit></commit>"

All I've ever done is read out the whole address list or group list, modify it and write back the whole list again. I have not figured out how to change just one group.

Message from will.froning@gmail.com

Hello All,

Just to follow-up on this thread, PAN-OS 5.0 was just released (not yet announced though). The Admin guide has a new object type, "Dynamic Block Lists."

=====Admin Guide 5.0=====
Use the Dynamic Block Lists page to create an address object based on an imported list of IP addresses. The source of the list must be a text file and must be located on a web server. You can set the Repeat option to automatically update the list on the device hourly, daily, weekly, or monthly. After creating a dynamic block list object, you can then use the address object in the source and destination fields for security policies. Each imported list can contain up to 5,000 IP addresses (IPv4 and/or IPv6), IP ranges, or subnets. The list must contain one IP address, range, or subnet per line, for example: “192.168.80.150/32” indicates one address, and “192.168.80.0/24” indicates all addresses from 192.168.80.0 through 192.168.80.255. Example: “2001:db8:123:1::1” or “2001:db8:123:1::/64”
=========================

I haven't installed 5.0 on my lab machines, so I don't know if the max-address limit still applies considering this can support 5000 lines per object. We would still have to cut the emergingthreats file into 3, but it at least seems possible now. Also NAT64 is supported on 5.0, woohoo.

Thanks,
Will
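Putting Charlie's panxapi reply and Will's Dynamic Block List note together, here is an added Python example (mine, not code from any poster, from Emerging Threats or from Palo Alto Networks) that turns a processed emerging-Block-IPs.txt into both artefacts: the <address> and <address-group> XML that panxapi -e writes back, with groups capped at the max-address-per-group of 500 quoted by support, and the plain one-entry-per-line files of at most 5,000 lines that a PAN-OS 5.0 Dynamic Block List fetches from a web server. The sample feed, the object names ET_aN/ET_gN, and the group layout with <member> directly under the group entry (copied from the XML shown above) are assumptions.

```python
import ipaddress
import xml.etree.ElementTree as ET

MAX_PER_GROUP = 500   # max-address-per-group quoted by Palo Alto support above
MAX_DBL_LINES = 5000  # per-list limit from the PAN-OS 5.0 Dynamic Block List text above

# Constructed sample in the emerging-Block-IPs.txt layout; not the real feed.
SAMPLE_LIST = """\
# Emerging Threats fwrules, constructed sample
114.207.244.143
114.207.244.144
203.0.113.0/24   # documentation prefix used as a constructed entry
198.51.100.7
not-an-address
"""


def parse_block_list(text):
    """Keep only lines that parse as an IPv4/IPv6 host or network, so a comment,
    blank line or junk line in the feed never reaches the firewall config."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            continue
        entries.append(net.with_prefixlen)  # normalise to addr/len, the ip-netmask form
    return entries


def build_pan_xml(entries, prefix="ET", per_group=MAX_PER_GROUP):
    """Build <address> and <address-group> trees in the shape panxapi -srx returns
    (see the XML in the reply above): one object per entry, and groups of at most
    per_group members named <prefix>_g1, <prefix>_g2, ... (names are assumed)."""
    address = ET.Element("address")
    groups = ET.Element("address-group")
    for start in range(0, len(entries), per_group):
        group = ET.SubElement(groups, "entry", name="%s_g%d" % (prefix, start // per_group + 1))
        for idx, net in enumerate(entries[start:start + per_group], start=start + 1):
            obj_name = "%s_a%d" % (prefix, idx)
            obj = ET.SubElement(address, "entry", name=obj_name)
            ET.SubElement(obj, "ip-netmask").text = net
            ET.SubElement(group, "member").text = obj_name
    return address, groups


def dynamic_block_list_chunks(entries, max_lines=MAX_DBL_LINES):
    """Split the list into texts of at most max_lines entries, one per Dynamic Block List file."""
    return ["\n".join(entries[i:i + max_lines]) + "\n"
            for i in range(0, len(entries), max_lines)]
```

Write the trees out with ET.ElementTree(address).write("addresses.xml") and ET.ElementTree(groups).write("groups.xml") before pushing them with the panxapi -e commands above; the device-wide max-address limit quoted by support still applies to the total object count, so check it before committing.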
Very good news. Thank you.

Ronald King
Security Engineer
Norfolk State University
http://security.nsu.edu

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY@LISTSERV.EDUCAUSE.EDU] On Behalf Of Will Froning
Sent: Tuesday, November 06, 2012 4:52 AM
To: SECURITY@LISTSERV.EDUCAUSE.EDU
Subject: Re: [SECURITY] EmergingThreats.net
I read through the release notes and I see some great stuff. Any of you who are in the beta test program using 5.0 in production already? Your thoughts and any gotcha for the migration? Any new features you are taking advantage of and see value in implementing?

The information in this email and any attachments is covered under the Freedom of Information Act (FOIA) and may be partially or fully disclosed.