Palo Alto Firewall Integration

Step-by-step guide to configuring the ThreatHive blocklist

Integration Steps
  1. Log in to Palo Alto Firewall: Access your firewall via the Web Interface (GUI). Navigate to the Objects tab.
  2. Create an External Dynamic List:
    • Go to Objects > External Dynamic Lists
    • Click Add to create a new EDL
    • Configure the EDL:
      • Name: ThreatHive_Blocklist
      • Type: IP List
      • Source: https://threathive.net/hiveblocklist.txt
      • Recurring: Yes
      • Update Frequency: 15 minutes
      • Certificate Profile: Optional
      • Description: Malicious IP feed from ThreatHive.net
    • Click OK and commit changes
  3. Create a Security Policy:
    • Navigate to Policies > Security
    • Create or edit a rule
    • Set:
      • Name: Block_ThreatHive_IPs
      • Destination Address: ThreatHive_Blocklist
      • Action: Deny or Drop
      • Logging: Enabled
    • Commit configuration
  4. Monitor Activity:
    • Check Monitor > Traffic or Threat
    • Filter by rule name or address object
  5. Optional Tips:
    • Whitelist trusted IPs using higher-priority allow rules
    • Test in alert-only mode before enforcement
    • Forward logs to SIEM or alerting systems
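
Pre-enforcement feed check (an added example, not part of the original guide or ThreatHive's own tooling): before switching the rule to Deny, audit a downloaded copy of the feed for malformed lines and for entries that overlap addresses you intend to whitelist. The sample feed and the trusted networks below are constructed, and the one-entry-per-line format with `#` comments is an assumption about the feed.

```python
import ipaddress

# Constructed sample feed using documentation ranges, not real ThreatHive data.
SAMPLE_FEED = """\
# constructed sample
203.0.113.7
198.51.100.0/24
192.0.2.10-192.0.2.20
10.1.2.3
not-an-ip
2001:db8::1
"""

# Hypothetical trusted networks that the deny rule must never match.
TRUSTED = ["10.0.0.0/8", "198.51.100.128/25", "192.0.2.15/32"]


def parse_entry(text):
    """Return the networks covered by one entry: single IP, CIDR, or start-end range."""
    if "-" in text:
        start, end = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
        # list() forces the generator so range errors surface here.
        return list(ipaddress.summarize_address_range(start, end))
    return [ipaddress.ip_network(text, strict=False)]


def audit_feed(feed, trusted=TRUSTED):
    """Sort feed entries into valid, invalid, and overlapping-trusted lists."""
    trusted_nets = [ipaddress.ip_network(t) for t in trusted]
    report = {"valid": [], "invalid": [], "trusted_overlap": []}
    for raw in feed.splitlines():
        entry = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not entry:
            continue
        try:
            nets = parse_entry(entry)
        except (ValueError, TypeError):  # bad syntax, reversed or mixed-version range
            report["invalid"].append(entry)
            continue
        report["valid"].append(entry)
        if any(n.version == t.version and n.overlaps(t)
               for n in nets for t in trusted_nets):
            report["trusted_overlap"].append(entry)
    return report


if __name__ == "__main__":
    for bucket, entries in audit_feed(SAMPLE_FEED).items():
        print(f"{bucket}: {entries}")
```

Entries reported under trusted_overlap are the ones that need a higher-priority allow rule before the deny rule is enforced.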