Palo Alto Networks Guide

Use this guide to register Cybora as an External Dynamic List (EDL) on Palo Alto Networks firewalls. EDLs are one of the strongest native integrations for threat intelligence because the firewall can refresh the list automatically and enforce policy on the updated entries without requiring a new commit every time the list changes.

What Palo Alto can do with a Cybora feed

• IP-based Cybora feeds can be used as source or destination match objects in Security policy rules.
• Domain-based feeds can be used in supported security profiles and domain-based controls.
• URL-based feeds can be enforced in URL-aware policy and profile workflows.
• Once the EDL is configured and committed, later list updates are retrieved dynamically by the firewall without another policy commit.

Before you start

• Use a PAN-OS release that supports External Dynamic Lists.
• Make sure the firewall can reach the Cybora feed URL using the configured service route.
• Choose the correct EDL type for the feed you received: IP, Domain, or URL.
• Keep the feed type aligned with the content format. An IP EDL must contain only IP entries, a domain EDL only domains, and a URL EDL only URLs.

Create the EDL

1. Go to Objects > External Dynamic Lists and add a new list.
2. Enter a clear name and optional description.
3. Select the list type that matches your Cybora feed.
4. Paste the Cybora feed URL into the source field.
5. Configure authentication only if your specific feed requires it.
6. Use Test Source URL if available to confirm that the firewall can reach the feed.
7. Set Check for updates to match your Cybora plan exactly. Only one request is permitted within the allowed interval. If the firewall refreshes the feed more often than your plan allows, the feed may be blocked.
8. Commit the configuration.

Enforce policy on the EDL

1. Add the EDL to the relevant Security policy rule or supported profile.
2. For IP EDLs, use the list as a source or destination object in the rule.
3. For domain or URL EDLs, use the list in the supported security control where that list type is enforced.
4. Position the rule so the Cybora matches are evaluated in the intended order.
5. Commit the policy change.

Validation

1. Open the EDL and verify that the firewall can fetch the source successfully.
2. Use List Entries and Exceptions to confirm that the expected entries were imported.
3. If needed, trigger Import Now to force a refresh from the web server.
4. Confirm that the EDL is actually referenced in the intended rule or profile, because an unused list will not protect traffic.
5. Test with known matching traffic and review the corresponding traffic, threat, or URL logs.

Further reading

• Use an External Dynamic List in Policy
• External Dynamic List
• Objects > External Dynamic Lists
• View External Dynamic List Entries
• Formatting Guidelines for an External Dynamic List