This document describes the integration process of the ThreatSTOP IP Defense with PanOS Devices (HTTP Method)

Instructions for the TSCM version are available here.

Palo Alto Networks devices are supported in a different fashion to all other devices we support. Rather than using our patented DNS mechanism to update policies and target lists we we use the built in Palo Alto feature called Dynamic Block List.

If this is a new device and new policy, please wait about 15 minutes before attempting to apply the policy to the PAN device

This page only describes creating simple ThreatSTOP policies one for inbound and one for outbound traffic, but more complex uses are possible.


ThreatSTOP is compatible with most versions of PAN-OS.

Minimum 6.1
Recommended 7.1

You must have PAN-OS 6.1 or greater running on the Palo Alto Networks device.

You should have set up your basic connectivity etc. to the device from a management station. You should confirm that the management’s web client can connect to the firewall and log in to it. Using that login session you should confirm that the PAN device can also access/download urls from the Internet. In particular you should check that your device can:


It is recommended that you save the configuration prior to applying the ThreatSTOP changes.



While the portal setup is still largely as described in the device documentation. The single-device setup for PANOS has one extra field added to it Lines in Block. The methodology for PANOS logging setup allows the users to submit up to eight (8) log blocks as established in Setup – Device steps 3-4. The widest range of PANOS devices support 36,000 addresses (split into chunks of 4,500 apiece). However, some devices are able to support more than this 36,000 address limit, while others are not able to support this amount. Due to this variation we’ve allowed an adjustment to the number of address objects per dynamic block list. To figure out the number of lines to allow in each dynamic block list for your device take the maximum number of addresses supported by your device, divided by 8, and subtract about 300 lines per block (to give a little buffer room for internal addressing). Enter the result in Lines in Block and click Next.

The following PANOS CLI command will show the maximum size for dynamic block lists:

show system state | match cfg.general.max-address

Lines in Block: The maximum number of addresses supported by your device (m), minus 300 lines of buffer, and divided by 8.


  • Connect to the PAN device using a web browser, login and select Objects and then Dynamic Block Lists and then add a new list.

  • You should call the list ThreatSTOP-block1 and add the source URL as follows:<block list name>.<ThreatSTOP account ID>.threatstop.local

  • Click on the Test Source URL button and confirm that the device is able to download the blocklists without errors. If successful set the Repeat pull down to Hourly and set the time to, 08, then press OK.

  • Now repeat the process to create additional block lists replacing the 001 in the URL with 002 to 008 and similarly replacing the ThreatSTOP-block1 with ThreatSTOP-block2 to ThreatSTOP-block8 in the name. Having done that you should create the ThreatSTOP allow list in the same way. You should call the list ThreatSTOP-allow and add the source URL as follows:<allow list name>.<ThreatSTOP account ID>.threatstop.local . Again test to ensure success and if successful set the repeat to Hourly, the time to 08, and click OK. When this is done you should have objects similar to those in the image to the right.
  • Now go to Policies, and add an inbound policy that permits traffic originating with the ThreatSTOP-allow list (source) in the untrust zone to anything in the trust zone.
  • Then below this add a second inbound policy that denies traffic originating with the eight ThreatSTOP-block objects (source) in the untrust zone to anything in the trust zone.
  • Now repeat these steps for outbound traffic (i.e. destinations are the ThreatSTOP lists in the untrust zone and the source is all traffic from the trust zone). When this is done you should have policies similar to those in the image below.

Caution: Your list names need to include the hyphens. Omitting these will prevent your logs from being processed. The format to follow is:


Once these policies have been committed, your firewall is being protected with ThreatSTOP.

Submitting Your Logs via “Scheduled Log Export”

  • Warning: While this method to upload logs does work, the “Scheduled Log Export” will render results for the previous 24-hours, and older recorded logs, in the ThreatSTOP reporting system.

Connect to the PAN device using a web browser, login and select Device and then “Scheduled Log Export” and then add a new entry.

In the dialog you should set the following:

  • Log Type to “traffic”
  • Protocol to FTP
  • Hostname as “”
  • Path to “/logs/PAN”
  • Username to “anonymous”
  • No password is required and FTP Passive Mode should generally be enabled.
  • The firewall uploads this data once per day.

Steps to Remove ThreatSTOP Configurations from PAN Devices

Removing a PAN device from TSCM, will remove the ThreatSTOP configurations on the PAN device. You will need to log onto your PAN device and perform the following steps:

  • Disable the ThreatSTOP Policy Rules - these rules reference the dynamic block lists and the log forwarding profile. Until these policy rules are removed, you will be unable to delete the configurations under Policies->Security :
    • Check each of the four ThreatSTOP policy rules
    • Click Disable at the bottom of the policy rules window

Caution: Removing the ThreatSTOP objects will not remove references to ThreatSTOP Logging and Reporting if it has been referenced in other objects. If implemented these will need to be removed by hand. In addition, the log forwarding profile and syslog server profiles will also need to be manually deleted.