Palo Alto Dynamic Block List and AWS

Palo Alto firewalls have a neat feature called "DBL" - Dynamic Block List (renamed External Dynamic List, or EDL, in later PAN-OS releases). The firewall periodically fetches a list of IP addresses, ranges or domains from a web page and uses it as an object in security policy. The page has to be formatted cleanly, one entry per line (https://live.paloaltonetworks.com/t5/Learning-Articles/Working-with-External-Block-List-EBL-Formats-and-Limitations/ta-p/58795), but you can regenerate it as often as you like and the firewall will update its policy accordingly on its next refresh.

For my use case, we had some new dev services being tested in AWS that used service ports we typically don't allow outbound. Instead of opening those ports in our security policy to the whole internet (any destination), I used a DBL so the allow rule matches AWS IP addresses only.

Luckily Amazon publishes its IP ranges as JSON here: https://ip-ranges.amazonaws.com/ip-ranges.json

I created a quick script that curls the address above, then greps the file and writes a new file containing only the IPv4 ranges, one per line, so that the Palo Alto firewall can read them. Note that the regex only picks up IPv4 prefixes; the same file also lists IPv6 prefixes under "ipv6_prefixes", which this script ignores.

#!/bin/bash
# Fetch AWS's published IP ranges and reduce them to one IPv4 prefix per line (DBL format).
set -euo pipefail
dir=/usr/share/nginx/html/dynamiclist

# -f: exit non-zero on an HTTP error instead of saving the error page; -sS: quiet except for errors
curl -fsS https://ip-ranges.amazonaws.com/ip-ranges.json > "$dir/aws-ip.json"
# sort -u drops prefixes AWS lists under several services; write to a temp file and rename so the firewall never fetches a partial list, and a failed run (set -e/pipefail) leaves the old list in place
grep -E -o "([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}" "$dir/aws-ip.json" | sort -u > "$dir/aws-ip.txt.tmp"
mv "$dir/aws-ip.txt.tmp" "$dir/aws-ip.txt"

As you can probably figure out, I'm hosting this file on an nginx server, so the Palo Alto firewall just needs to read "http://myservername/dynamiclist/aws-ip.txt". You can put this script in your cron.d directory and have it run as often as you'd like; keep in mind that the DBL's own refresh interval on the firewall decides how quickly a change actually reaches policy. One caveat worth stating: this list feeds an allow rule, so anyone who can tamper with the file on the web server, or intercept the plain-HTTP fetch between the firewall and the server, can add their own addresses to it. Serve it over HTTPS if you can, and make sure the directory is writable only by the cron job.
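The grep approach works, but parsing the JSON lets you filter by AWS service and region (for example only EC2 in the regions your dev services actually run in), validate every entry before it reaches the firewall, and pick up IPv6 prefixes too. The following is an added example written for this page, not the script from the post. It assumes the layout of the published ip-ranges.json (a "prefixes" array of objects with "ip_prefix", "region" and "service" keys, and an "ipv6_prefixes" array keyed by "ipv6_prefix"); SAMPLE_JSON is constructed test data in that shape using documentation address ranges, not real AWS prefixes, and the output path and script name are placeholders.

```python
#!/usr/bin/env python3
"""Generate a DBL/EDL-format IP list from AWS's ip-ranges.json.

Added example, not the post's own script. Assumes the published file's
layout: a "prefixes" array with "ip_prefix"/"region"/"service" keys and
an "ipv6_prefixes" array keyed by "ipv6_prefix".
"""
import ipaddress
import json
import os
import sys
import tempfile
import urllib.request

AWS_RANGES_URL = "https://ip-ranges.amazonaws.com/ip-ranges.json"

# Constructed sample in the shape of ip-ranges.json (documentation ranges, not real AWS data).
SAMPLE_JSON = json.dumps({
    "syncToken": "0",
    "createDate": "2000-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "192.0.2.0/24", "region": "us-east-1", "service": "AMAZON"},
        {"ip_prefix": "192.0.2.0/24", "region": "us-east-1", "service": "EC2"},
        {"ip_prefix": "198.51.100.0/24", "region": "eu-west-1", "service": "EC2"},
        {"ip_prefix": "203.0.113.0/24", "region": "us-east-1", "service": "S3"},
        {"ip_prefix": "not-an-address/24", "region": "us-east-1", "service": "EC2"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8::/32", "region": "us-east-1", "service": "EC2"},
    ],
})


def extract_prefixes(doc_text, services=None, regions=None, want_v6=False):
    """Return sorted, de-duplicated prefixes as strings, one per DBL line.

    services / regions: optional sets to filter on (None keeps everything).
    Entries that do not parse as a network are dropped rather than written,
    so a malformed upstream file cannot push garbage into the firewall.
    """
    doc = json.loads(doc_text)
    if want_v6:
        entries, key = doc.get("ipv6_prefixes", []), "ipv6_prefix"
    else:
        entries, key = doc.get("prefixes", []), "ip_prefix"
    nets = set()  # a set drops the duplicates AWS lists under several services
    for entry in entries:
        if services is not None and entry.get("service") not in services:
            continue
        if regions is not None and entry.get("region") not in regions:
            continue
        try:
            nets.add(ipaddress.ip_network(entry[key], strict=True))
        except (KeyError, ValueError):
            continue  # skip entries that are not a valid network
    return [str(n) for n in sorted(nets)]


def write_list_atomically(path, prefixes):
    """Write via temp file + rename so the firewall never fetches a
    half-written list from the web server. Returns the entry count."""
    directory = os.path.dirname(path) or "."
    fd, tmp = tempfile.mkstemp(prefix=".dbl-", dir=directory)
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write("\n".join(prefixes) + "\n")
        os.chmod(tmp, 0o644)  # readable by the web server, writable only by this job
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise
    return len(prefixes)


def refresh(url, path, services=None, regions=None, want_v6=False):
    """Fetch the published file and regenerate the list. On any error the
    previous list stays in place instead of being replaced by an empty or
    partial one (this list feeds an allow rule, so never publish junk)."""
    with urllib.request.urlopen(url, timeout=30) as resp:  # raises on HTTP errors
        body = resp.read().decode("utf-8")
    prefixes = extract_prefixes(body, services, regions, want_v6)
    if not prefixes:
        raise RuntimeError("no prefixes matched the filters; refusing to publish an empty list")
    return write_list_atomically(path, prefixes)


if __name__ == "__main__":
    # Placeholder cron usage: aws-dbl.py /usr/share/nginx/html/dynamiclist/aws-ip.txt EC2
    out_path = sys.argv[1]
    wanted = set(sys.argv[2:]) or None
    print(refresh(AWS_RANGES_URL, out_path, services=wanted), "prefixes written to", out_path)
```

Filtering to the services you actually need keeps the allow rule as narrow as the published data allows; the unfiltered AMAZON entries cover a lot more than your dev instances. The IPv6 list is generated separately because a DBL entry is one address or range per line regardless of family, so you can publish it as a second file or append it to the same one.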

DBL setup from Palo Alto's support site:
https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-Dynamic-Block-List-DBL-or-External-Block-List/ta-p/53414