jnetz added a new solution:
ATD-PANFW continuously listens for new ATD indicators discovered through any numerous means. Once discovered, IPs and domains which are convicted as malicious will be stored in the sqlite db. The sqlite db is dynamically generated on first use and automatically updated each use thereafter.
Simultaneously, ATD-PANFW creates 2 web urls ~/ip and ~/domain which can be used in PAN FW to create an External Dynamic Blocklist.
During startup, the code checks for the existence of the ips_domains.db database. If it does not exist, it is created. Then a connection is made to the DXL fabric and the client begins listening for new ATD IoCs.