Submit EDL entries from the blocklist for Palo Alto Networks Next-Generation Firewall
For observables that are determined to be malicious but are not associated with a specific ServiceNow AI Platform security incident, you submit External Dynamic List (EDL) entries from the blocklist.
Before you begin
Role required: sn_si.analyst
About this task
Procedure
- Navigate to All > Palo Alto Networks NGFW Integration > Firewall EDL Entries.
- Click the Firewall EDL Entries module.
- In the Palo Alto Networks Firewall External Dynamic List Entries list, click New.
- In the new record that is displayed, in the Entry value field, enter a value for your observable.
  The two possible outcomes of this entry:
  - The remaining fields on the form are completed automatically. A matching observable is found, and a message is displayed that a matching observable exists. Select the EDL you want to attach this entry to (select it before setting the Expiration period) and click Submit.
  - A message is displayed that instructs you to complete the form. A matching observable has not been found, and you must complete the form. After you complete it, select the EDL you want to attach the observable to and click Submit. An observable record is created.
The following figure shows an example of an existing domain observable and how the fields are completed automatically.
- Click the search icon to select the EDL you want to attach the entry to.
- Click Submit.
  If you have email approval configured in your workflow, an approval email request is sent.
- If a message is displayed that requests you to fill in the rest of the information manually, fill in the fields.
  Field: Description
  - Observable type: Observable type that is supported from the dialog.
  - EDL name: EDL you want to attach the entry to. Note: Select the EDL you want to attach the entry to before setting the Expiration period.
  - Enable override (default is selected): Lookup result or source. When selected, permits you to enter a Lookup result and the Source used to find the results. These fields are typically populated when a security incident record is created. In this case there is no lookup result or source, and you fill in these fields manually.
  - Lookup result: Select Unknown or Malicious.
  - Source: Source that performs a threat lookup on the EDL entry, for example, ThreatCrowd.
  - Expiration period: The expiration period inherited from the EDL by default. You can override this value, but only during the creation of the entry. 0 indicates that the EDL entry never expires. If you change this value, the entry is active for the number of days you enter; the minimum value is 1, and there is no maximum value. For example, if you enter 30 days at 2:01 PM on May 1, the EDL entry expires at 2:01 PM on May 31.
- Click Submit.
  If you have changed the default expiration period of the EDL entry, a warning confirmation dialog box is displayed indicating that the period differs from the selected EDL.
- Choose one option to configure the expiration period.
  Option: Description
  - Yes: Confirms your expiration override, saves the record, and returns you to the Palo Alto Networks Firewall External Dynamic List Entries list. If you have email approval configured in your workflow, an approval email request is sent.
  - No: Cancels the override. At this point, you can change the value for the Expiration period. After changing the value, click Submit to return to the Palo Alto Networks Firewall External Dynamic List Entries list.
- If not displayed, navigate to the Palo Alto Networks Firewall External Dynamic List Entries list and note that the status for the entry is Pending.
  The entry is now ready for approval.
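The decision rules of this procedure (fields auto-filled when a matching observable exists, manual completion otherwise, the expiration period inherited from the chosen EDL with 0 meaning never and a warning when an override differs), as an added example that is not ServiceNow or Palo Alto Networks code; the observable store, EDL names and field names are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample data standing in for existing observable records and for
# the per-EDL default expiration (0 = never expires); not real ServiceNow tables.
KNOWN_OBSERVABLES = {
    "malicious.example": {"type": "Domain name", "lookup_result": "Malicious", "source": "ThreatCrowd"},
}
EDL_DEFAULT_EXPIRATION_DAYS = {"blocklist-domains": 30, "blocklist-ips": 0}


@dataclass
class EdlEntry:
    value: str
    edl_name: str
    observable_type: str
    lookup_result: str
    source: str
    expiration_days: int
    expires_at: Optional[str]   # ISO 8601 timestamp, or None when the entry never expires
    auto_filled: bool           # True when a matching observable supplied the fields
    override_warning: bool      # True when the period differs from the EDL default
    status: str = "Pending"     # new entries wait for approval


def build_edl_entry(value: str, edl_name: str, created_at: str,
                    expiration_override: Optional[int] = None,
                    manual_fields: Optional[dict] = None) -> EdlEntry:
    """Auto-fill from a matching observable, otherwise require the manual fields.
    The EDL is resolved first because it supplies the default expiration that an
    override is compared against (hence 'select the EDL before the period')."""
    if edl_name not in EDL_DEFAULT_EXPIRATION_DAYS:
        raise ValueError(f"unknown EDL: {edl_name}")
    known = KNOWN_OBSERVABLES.get(value)
    if known is not None:
        fields, auto_filled = known, True
    else:
        if not manual_fields or manual_fields.get("lookup_result") not in ("Unknown", "Malicious"):
            raise ValueError("no matching observable: supply type, lookup result (Unknown/Malicious) and source")
        fields, auto_filled = manual_fields, False
    default_days = EDL_DEFAULT_EXPIRATION_DAYS[edl_name]
    days = default_days if expiration_override is None else expiration_override
    if not isinstance(days, int) or days < 0:   # 0 = never; otherwise at least 1 day, no maximum
        raise ValueError("expiration period must be 0 (never expires) or a whole number of days >= 1")
    expires_at = None if days == 0 else (datetime.fromisoformat(created_at) + timedelta(days=days)).isoformat()
    return EdlEntry(value, edl_name, fields["type"], fields["lookup_result"], fields["source"],
                    days, expires_at, auto_filled, override_warning=(days != default_days))
```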