
ThreatHive Integration Guide - Palo Alto Firewall

Step-by-step guide to configuring the ThreatHive blocklist as an External Dynamic List

Integration Steps

  1. Log in to Palo Alto Firewall: Access your firewall via the Web Interface (GUI). Go to the Objects tab.
  2. Create an External Dynamic List:
    • Navigate to Objects > External Dynamic Lists.
    • Click Add to create a new EDL.
    • Configure the EDL:
      • Name: ThreatHive_Blocklist
      • Type: IP List
      • Source: https://threathive.net/hiveblocklist.txt
      • Recurring: Yes
      • Update Frequency: 15 minutes
      • Certificate Profile: Optional – you can use the default or validate the HTTPS cert manually.
      • Description: Malicious IP feed from ThreatHive.net
    • Click OK to save.
    • Commit your changes.
  3. Create a Security Policy to Use the EDL:
    • Go to Policies > Security.
    • Edit an existing rule or click Add to create a new rule.
    • Set up the rule:
      • Name: Block_ThreatHive_IPs
      • Source: Use any, or limit to specific zones.
      • Destination: In Destination Address, click Add and select ThreatHive_Blocklist.
      • Application/Service: Optional — any is fine.
      • Action: Deny (or Drop).
      • Enable logging: At session end.
    • Commit the configuration.
  4. Monitor the Impact:
    • Go to Monitor > Traffic or Monitor > Threat to see which IPs are being blocked.
    • Filter the log view on the rule name (Block_ThreatHive_IPs) or on the EDL address object (ThreatHive_Blocklist).
  5. Optional Tips:
    • Whitelist exceptions with higher-priority allow rules above your block rule.
    • Test first in "alert" mode (set the Action to Allow but keep logging enabled) to observe which sessions would match before switching the rule to Deny.
    • Add a log-forwarding profile to trigger alerts to your SIEM, syslog, or email.
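Before pointing a Deny rule at a feed, it is worth checking what the feed actually contains. The following is an added example (not ThreatHive's or Palo Alto's code) that audits a downloaded copy of the list: it parses each line the way an IP-type EDL expects (one IP, CIDR, or dash-separated range per line, with `#` comments, which is assumed here), reports lines that would not parse, and flags entries overlapping your own address space, which is exactly where the allow-rule exceptions from the tips above are needed. The feed contents and `OWN_NETWORKS` are constructed placeholders.

```python
import ipaddress

# Constructed sample in the EDL IP-list text format (not the real ThreatHive feed).
SAMPLE_FEED = """\
# ThreatHive blocklist (constructed sample)
203.0.113.10
198.51.100.0/24
192.0.2.5-192.0.2.9
10.0.0.7
not-an-ip
"""

# Hypothetical: address space you own and must never block with this rule.
OWN_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]


def parse_entry(line):
    """Return the network(s) one feed line covers; raises ValueError if unparsable."""
    if "-" in line:  # dash-separated range, e.g. 192.0.2.5-192.0.2.9
        start, end = (part.strip() for part in line.split("-", 1))
        return list(ipaddress.summarize_address_range(
            ipaddress.ip_address(start), ipaddress.ip_address(end)))
    return [ipaddress.ip_network(line, strict=False)]


def audit_feed(text, own_networks=OWN_NETWORKS):
    """Split feed lines into (valid, invalid, overlaps_with_own_networks)."""
    valid, invalid, overlaps = [], [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue  # blank or comment-only line
        try:
            nets = parse_entry(line)
        except ValueError:
            invalid.append(line)  # PAN-OS would skip or reject this entry
            continue
        valid.append(line)
        if any(n.overlaps(own) for n in nets for own in own_networks):
            overlaps.append(line)  # needs an allow-rule exception above the block rule
    return valid, invalid, overlaps


if __name__ == "__main__":
    valid, invalid, overlaps = audit_feed(SAMPLE_FEED)
    print(f"{len(valid)} usable entries, {len(invalid)} invalid: {invalid}")
    print(f"entries overlapping your own networks: {overlaps}")
```

Run it against a fresh download of the list (for example, saved with curl) whenever you review the block rule; a non-empty overlap list means the allow exceptions need updating before the next EDL refresh.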