Configure Palo Alto Networks EDL with GreyNoise Blocklists

GreyNoise Blocklists can be leveraged in many edge platforms for fast, reliable and continuously up-to-date blocking efforts. This document outlines how to create a GreyNoise Blocklist and implement it in Palo Alto Networks PAN-OS.

Estimated Time:
⏱️ ~10-20 minutes


Prerequisites

Before starting, confirm:

  • ✅ Access to GreyNoise with Blocklists
  • ✅ Access to PAN-OS with Commit Privileges

Instructions

Step 1: Query for a Blocklist

Log in to GreyNoise and build a GNQL query that yields the IPs you would like to block. An example query is as follows:

(vpn:true OR metadata.tor:true) last_seen_malicious:7d

Once the query produces the expected results:

Click the Blocklist icon.

Step 2: Create Blocklist

Within Create Blocklist:

  1. Give the Blocklist a name (e.g. VPN or TOR Exit Node - Last Seen Malicious 7d).
  2. Validate that the GNQL is as expected; if not, click Cancel and adjust the query before proceeding.
  3. If you need to cap the number of IPs the Blocklist returns, adjust the IP Limit value.
  4. Select whether the Blocklist is enabled after creation.
  5. Click Create blocklist to proceed.

The Blocklist will then show as Provisioning, which can take 5-10 minutes.

Once Provisioning is complete and the status shows Enabled, proceed to the next step.

Step 3: Copy Tokenized URL

Navigate in GreyNoise to the Blocklists section (Automate --> Blocklists).

  1. Click Actions on the right side of the appropriate Blocklist.
  2. Click Copy Tokenized URL from the drop down.
🚧 The tokenized URL contains an authentication key; protect it as a secret. Anyone who obtains the URL can download the Blocklist, so treat it like an API key: do not paste it into tickets, chat, or screenshots.

Step 4: Configure PAN-OS EDL

In the PAN-OS Web GUI navigate to External Dynamic Lists and add a new object.

  1. Click Objects
  2. Click External Dynamic Lists
  3. Click Add

Next, configure the new EDL with the GreyNoise Blocklist created previously.

🚧 When adding an EDL for the first time you may get a warning about PAN-OS appending a trailing slash to the source URL. Review and dismiss it.

Continue to configure a new EDL.

  1. Give the EDL a descriptive name (e.g. VPN or TOR Exit Node - Last Seen Malicious 7d).
  2. Validate the type IP list is selected.
  3. (Optional) Give the EDL a description.
  4. Paste the GreyNoise tokenized URL copied from a prior step into the Source field.
  5. For Certificate Profile, select None (Disable Cert Profile). GreyNoise serves a valid TLS certificate, and if None is not selected PAN-OS will display warnings upon commit. Be aware that None means the firewall will not validate the server certificate when it fetches this EDL; if your security standard requires that validation, attach a Certificate Profile containing the CA chain that issues the GreyNoise certificate and confirm it works with Test Source URL.
  6. Set how often the EDL should refresh on the firewall. GreyNoise Blocklists update once per hour, so an Hourly refresh is sufficient; polling more often only adds load without new data.
  7. Click Test Source URL to validate the tokenized URL was copied and pasted correctly.
  8. Once all items are configured click OK to save the EDL.
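Before pasting the URL into the firewall, it is worth checking what the EDL will actually ingest. The script below is an added example, not GreyNoise or Palo Alto Networks code. It reads the tokenized URL from an environment variable named GREYNOISE_BLOCKLIST_URL (an assumed name, chosen so the secret stays out of shell history and tickets), fetches the list over HTTPS with certificate verification, and validates that every non-blank line is a single IPv4/IPv6 address or CIDR prefix, which is the format a PAN-OS IP-type EDL expects. Without the variable set it runs against a constructed sample list so it can be tried offline; the '#' comment convention in that sample is an assumption used to exercise the parser, not documented GreyNoise output.

```python
"""Pre-flight check for a GreyNoise Blocklist before it is used as a PAN-OS EDL.

Hypothetical helper (not GreyNoise or Palo Alto Networks code). The tokenized
URL is read from the GREYNOISE_BLOCKLIST_URL environment variable (an assumed
name) so the secret is never typed on a command line or pasted into a ticket.
"""
import ipaddress
import os
import sys
import urllib.request
from urllib.parse import urlsplit

# Constructed sample standing in for a fetched list; not real GreyNoise output.
# The '#' comment line is an assumed convention used only to exercise the parser.
SAMPLE_BLOCKLIST = """\
203.0.113.7
198.51.100.0/24
2001:db8::1
2001:db8:1::/48
# comment line
not-an-ip
"""


def redact_url(url: str) -> str:
    """Return only scheme and host so the token never reaches a log line."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}/<redacted>"


def fetch_blocklist(url: str, timeout: float = 30.0) -> str:
    """Download the list. urllib validates the server certificate against the
    system trust store, which is the check PAN-OS skips when the EDL's
    Certificate Profile is set to None."""
    if urlsplit(url).scheme != "https":
        raise ValueError("refusing non-HTTPS blocklist URL: " + redact_url(url))
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def parse_blocklist(text: str):
    """Split list text into (valid_entries, rejected_lines).

    A PAN-OS IP-type EDL wants one IPv4/IPv6 address or CIDR prefix per line.
    Blank lines and lines starting with '#' are skipped. Entries are kept as
    written; strict=False only tolerates host bits in a prefix (10.0.0.5/24).
    """
    valid, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            ipaddress.ip_network(line, strict=False)
        except ValueError:
            rejected.append((lineno, raw))
            continue
        valid.append(line)
    return valid, rejected


def check_blocklist(text: str, ip_limit=None) -> dict:
    """Summarise a list: entry counts and whether it exceeds the IP Limit you
    configured on the GreyNoise Blocklist (pass the same value here)."""
    valid, rejected = parse_blocklist(text)
    return {
        "entries": len(valid),
        "rejected": len(rejected),
        "over_limit": ip_limit is not None and len(valid) > ip_limit,
        "rejected_lines": rejected,
    }


def main() -> int:
    url = os.environ.get("GREYNOISE_BLOCKLIST_URL")
    if url:
        print("fetching", redact_url(url))
        text = fetch_blocklist(url)
    else:
        print("GREYNOISE_BLOCKLIST_URL not set; checking the constructed sample")
        text = SAMPLE_BLOCKLIST
    report = check_blocklist(text)
    print(f"{report['entries']} valid entries, {report['rejected']} rejected")
    for lineno, raw in report["rejected_lines"]:
        print(f"  line {lineno}: {raw!r} is not an IP address or CIDR prefix")
    return 0 if report["entries"] and not report["rejected"] else 1


if __name__ == "__main__":
    sys.exit(main())
```

Run it as `GREYNOISE_BLOCKLIST_URL='<tokenized URL>' python check_blocklist.py`. A non-zero exit means a line was rejected or the list came back empty, and the URL is only ever printed with everything after the hostname redacted. If the count is larger than the IP Limit you set, or larger than your firewall model's EDL capacity, tighten the GNQL query before committing the EDL.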

Step 5: Implement the GreyNoise EDL in Security Policy

In the PAN-OS Web GUI navigate to Security policy and add a new object.

  1. Click Policies.
  2. Click Security.
  3. Click Add.

Once the Security Policy Rule dialog is visible, add the EDL as a Source address (to block connections coming from the listed IPs) or as a Destination address (to block connections going to them).

  1. Click Source or Destination, depending on traffic flow.
  2. Click Add in the Source Address or Destination Address section.
  3. Using Source in our example, select one or more EDLs to apply to this policy.
  4. Set the rule Action to Deny (or Drop) so traffic matching the EDL is blocked, then once the Security Policy Rule is valid click OK.

Finally, once the configurations are complete Commit all changes made.

  1. Prior to committing, validate that the new rule is positioned correctly in the rulebase. PAN-OS evaluates Security rules top to bottom and applies the first match, so the block rule must sit above any broader allow rule it is meant to override.
  2. Once everything has been validated, click Commit, review the changes to be implemented, and click OK.
