Palo Alto

The CrowdSec Palo Alto integration connects CrowdSec's hosted blocklist endpoint to your Palo Alto firewall.
Palo Alto calls this feature External Dynamic Lists (EDL), which allow you to import and automatically update blocklists from external sources.

Ensure your Palo Alto device supports External Dynamic Lists (EDL).
The vendor documentation is available in the References section below.

Step 1 — Create the integration in the CrowdSec Console

In the Integrations page, click Connect under the Palo Alto card.

Name the integration (must be unique to your account), then click Create.

The credentials shown next are displayed only once. Copy them before closing this screen.

You now have an HTTPS endpoint and Basic Auth credentials to configure on your Palo Alto device.

Step 2 — Configure Palo Alto

Create an External Dynamic List

Go to Objects > External Dynamic Lists > Add.

Embed the credentials in the URL using Basic Auth:

https://<username>:<password>@admin.api.crowdsec.net/v1/integrations/<integration_id>/content

Set your desired update frequency.

Create a security policy

Go to Policies > Security > Add.

In the General tab, add the policy name and description.

In the Source tab, select your source zone and the External Dynamic List as the source address.

In the Actions tab, select Drop and enable logging (recommended).

Click Commit to apply the configuration.
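
Because the list becomes the source address of a Drop rule, it is worth checking what the endpoint returns before committing. The script below is an added example, not part of the CrowdSec or Palo Alto documentation: it fetches the list with the Basic Auth credentials and sorts entries into valid, internal and rejected. It assumes the endpoint returns one IP or CIDR per line; the function names, the INTERNAL ranges and the sample body are constructed for illustration.

```python
import base64
import ipaddress
import urllib.request

# Endpoint from the page; <integration_id> is filled in by the caller.
URL = "https://admin.api.crowdsec.net/v1/integrations/{}/content"
# Ranges that should never appear as a source in a Drop rule (assumed policy).
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "fc00::/7")]

# Constructed sample body, used when no credentials are at hand.
SAMPLE = "192.0.2.10\n198.51.100.0/24\n2001:db8::1\n\n10.1.2.3\nnot-an-ip\n0.0.0.0/0\n"


def fetch_list(username, password, integration_id, timeout=10):
    """Fetch the list body, sending the credentials as a Basic Auth header."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(URL.format(integration_id),
                                 headers={"Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def check_list(body):
    """Sort entries into valid, internal (overlaps INTERNAL) and rejected.

    Assumes one IP or CIDR per line; blank lines are skipped.
    """
    report = {"valid": [], "internal": [], "rejected": []}
    for lineno, raw in enumerate(body.splitlines(), start=1):
        entry = raw.strip()
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            report["rejected"].append((lineno, entry))
            continue
        hit = any(n.version == net.version and n.overlaps(net) for n in INTERNAL)
        report["internal" if hit else "valid"].append(str(net))
    return report


if __name__ == "__main__":
    for kind, items in check_list(SAMPLE).items():
        print(f"{kind}: {items}")
```

To check the live list, pass the output of `fetch_list(...)` to `check_list`; an entry under `internal` or `rejected` is a reason to review the subscribed blocklists before the rule goes live.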

Manage integration size limits with pagination

To manage integration size limits with pagination, see the Managing integrations size limits with pagination section.

References

Next Steps

Subscribe to blocklists in the Blocklist Catalog to populate your integration.