Palo Alto External Dynamic List Generator

This script is run at the command line to generate a list of IP addresses. Use it on a SIEM to dynamically block threats that match IDS/IPS rules. Data is stored as JSON, and the IP list is written to a text file. The JSON stores information about current, history and exclude IPs. The script logs to a syslog file, and to the terminal if verbose is enabled.



-a, --action     Define the action [add,remove,exclude,clear]

-v, --verbose    Output to terminal

-i, --ip         IP address (required when action = add,remove,exclude)

-p, --penalty    Penalty for IP address



Add an IP address to the block list. If no penalty is defined, the penalty is incremented each time the IP address is added until it reaches 16 (indefinite).


Remove an IP address from the block list. Removes the IP from the current, history and exclude dictionaries.


Add an IP to the exclude list. Excluded IPs will not be processed.


Removes all IPs from the current, history and exclude dictionaries.


Cycles the blocklist and checks IPs and penalty times. If the penalty time has been reached, IPs are removed from the blocklist. IPs with a penalty of 16 are not removed. It is suggested to run this as a cron job to periodically cycle through the IP list.


1 = 1 minute

2 = 5 minutes

3 = 10 minutes

4 = 15 minutes

5 = 30 minutes

6 = 60 minutes (1 hour)

7 = 180 minutes (3 hours)

8 = 360 minutes (6 hours)

9 = 720 minutes (12 hours)

10 = 1440 minutes (1 day)

11 = 4320 minutes (3 days)

12 = 10080 minutes (7 days)

13 = 20160 minutes (14 days)

14 = 43200 minutes (30 days)

15 = 525600 minutes (1 year)

16 = indefinite
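
The penalty escalation and cycle expiry described above, as an added example that is not the script's own code. The state layout (current, history and exclude dictionaries) and the function names add, cycle and render are assumptions made for illustration.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Penalty level -> block duration in minutes (levels 1-15 from the table above).
PENALTY_MINUTES = {1: 1, 2: 5, 3: 10, 4: 15, 5: 30, 6: 60, 7: 180, 8: 360,
                   9: 720, 10: 1440, 11: 4320, 12: 10080, 13: 20160,
                   14: 43200, 15: 525600}
INDEFINITE = 16  # level 16 never expires


def add(state, ip, now, penalty=None):
    """Block ip; with no explicit penalty, escalate one level per repeat add."""
    ip = str(ipaddress.ip_address(ip))      # raises ValueError on malformed input
    if ip in state["exclude"]:
        return None                         # excluded IPs are not processed
    if penalty is None:
        # Assumed layout: history remembers the last penalty level per IP.
        penalty = min(state["history"].get(ip, 0) + 1, INDEFINITE)
    if not 1 <= penalty <= INDEFINITE:
        raise ValueError(f"penalty out of range: {penalty}")
    state["history"][ip] = penalty
    state["current"][ip] = {"penalty": penalty, "added": now.isoformat()}
    return penalty


def cycle(state, now):
    """Remove entries whose penalty time has elapsed; return the removed IPs."""
    expired = []
    for ip, entry in state["current"].items():
        if entry["penalty"] == INDEFINITE:
            continue                        # indefinite blocks are never removed
        added = datetime.fromisoformat(entry["added"])
        limit = timedelta(minutes=PENALTY_MINUTES[entry["penalty"]])
        if now - added >= limit:
            expired.append(ip)
    for ip in expired:
        del state["current"][ip]            # history is kept so repeats escalate
    return expired


def render(state):
    """Blocklist text file content: one currently blocked IP per line."""
    return "\n".join(sorted(state["current"])) + "\n"
```

Because history survives a cycle, an IP that is blocked again after expiry resumes at the next penalty level instead of starting over at 1 minute.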

Run at command line

Block temporarily, penalty is incremented

./ -a add -i

Block for 1 day

./ -a add -i -p '10'

Block indefinitely

./ -a add -i -p '~'


./ -a remove -i


./ -a exclude -i

Run Cron

* * * * * python path/to/your/

Script Settings


Set the location of the blocklist (e.g. '/var/www/block_inbound.txt'). This file should be accessible over HTTPS if you intend to set up a Palo Alto External Dynamic List.


Set a log file location (e.g. '/var/log/block_inbound')


Set the local timezone (e.g. 'America/Denver')