Automatically feed a curated IP blocklist into your Palo Alto firewall via EDL. Protect your GlobalProtect portal in under 5 minutes.
Start Blocking Attacks -- $9.99/moGlobalProtect VPN portals are publicly reachable by design. Attackers run automated credential-stuffing campaigns against them 24/7. ThreatListPro blocks known attacker IPs before they even reach the login page.
Brute force bots cycle through leaked credential lists against your GlobalProtect portal. Each failed login consumes firewall resources, generates log noise, and risks a successful breach if any credential matches. Palo Alto's built-in login lockout only slows the attacker -- it doesn't block them.
We aggregate brute force telemetry from thousands of VPN endpoints worldwide. When an IP is observed attacking any participating portal, it is added to the blocklist within 60 seconds. Your Palo Alto firewall fetches this list via its native EDL feature and drops the traffic at the network layer -- no CPU spent on TLS handshakes or login processing.
Add ThreatListPro as an External Dynamic List to your PAN-OS firewall in four simple steps.
Sign up at threatlistpro.com and copy your unique feed URL from the dashboard. It looks like:https://feed.threatlistpro.com/v1/edl/YOUR_API_KEY
Navigate to Objects > External Dynamic Lists. Click Add. Set the name to ThreatListPro-Blocklist, type to IP List, and paste your feed URL. Set the repeat interval to 5 minutes.
Go to Policies > Security and add a new rule. Set the source zone to Untrust, source address to the EDL object ThreatListPro-Blocklist, destination to your GlobalProtect interface, and action to Deny. Place this rule above your existing allow rules.
Commit the configuration. Navigate to Objects > External Dynamic Lists, select the list, and click Test Source URL to verify IPs are loading. Check the Traffic log to confirm blocks are occurring.
See how an automated, VPN-focused blocklist compares to other approaches for protecting your Palo Alto firewall.
| Feature | ThreatListPro | Manual Blocking | Enterprise Threat Feeds |
|---|---|---|---|
| VPN brute-force focused | ✓ | ✗ | ✗ |
| Real-time updates (60s) | ✓ | ✗ | ✓ |
| Native EDL compatibility | ✓ | ✗ | ✓ |
| No log parsing required | ✓ | ✗ | ✓ |
| Setup in under 5 minutes | ✓ | ✗ | ✗ |
| Price | $9.99/mo | Staff time | $500+/mo |
In PAN-OS, navigate to Objects > External Dynamic Lists, click Add, set the type to IP List, and paste your ThreatListPro feed URL. Set the refresh interval to 5 minutes. Then reference this EDL in a Security Policy rule to block inbound traffic from those IPs to your GlobalProtect portal.
ThreatListPro updates its IP blocklist every 60 seconds. Our sensors detect brute force attempts across thousands of VPN portals worldwide, and new attacker IPs are added to the feed in near real-time. Stale entries are automatically aged out after 72 hours of inactivity.
Yes. ThreatListPro serves a standard plaintext IP list that is compatible with all PAN-OS versions that support External Dynamic Lists, including PAN-OS 9.x, 10.x, and 11.x. No special configuration or minimum version is required.
Join hundreds of network admins who block VPN brute force attacks automatically.
Get ThreatListPro -- $9.99/moThreatListPro provides a standard IP blocklist feed compatible with any firewall that supports external lists.
Learn more about IP blocklists, VPN security, and how ThreatListPro compares to alternatives.