Network Security
Configure your Environment to Access an External Dynamic List from the EDL Hosting Service
Table of Contents
Configure your Environment to Access an External Dynamic List from the EDL Hosting
Service
Configure an External Dynamic List (EDL) for Software-as-a-Service (SaaS)
applications.
Set up your configuration to access an external dynamic list (EDL) from
the EDL Hosting Service for Software-as-a-Service (SaaS) applications
Convert the GlobalSign Root R1 Certificate to PEM Format
You must convert the GlobalSign Root R1 certificate to
PEM
format to create a certificate profile for
authenticating the EDL Hosting Service. Creating the certificate profile to
authenticate the EDL Hosting Service is a best practice when leveraging the EDL
Hosting Service when you configure your environment to access an external
dynamic list from the EDL Hosting Service.Refer to the appropriate procedure based on operating system of the device where
you downloaded the GlobalSign Root R1 certificate.
- Download the GlobalSign Root R1 certificate if you have not already downloaded the certificate.
- Convert the certificate.
- Mac and Linux operating systems
- Open the terminal and convert the GlobalSign Root R1 certificate you downloaded.admin:openssl x509 -in <certificate-path>.crt -inform DER -out <target-export-path>.pem -outform PEM
If no target export path is specified, the converted certificate is created on the device desktop.- Windows operating system
- Navigate to the location where you downloaded the GlobalSign Root1 certificate.
- Double click andOpenthe certificate.
- ClickDetailsandCopy to File.ClickNextwhen prompted to continue.
- SelectBase-64 encoded x.509 (.CER)and clickNext
- ClickBrowseto navigate to the location you want to copy the certificate and enter a name for the certificate that includes.pemappended to the end of file name. For example,globalsign-root-r1.pemSavethe certificate. TheFile Namedisplayed shows the target export path and the certificate name you entered with.cerappended. Delete the appended.cer.
- ClickNextandFinishexporting the certificate.
Create an External Dynamic List Using the EDL Hosting Service
Some Software-as-a-Service (SaaS)
providers publish lists of IP addresses and URLs as destination endpoints for
their SaaS applications. SaaS providers frequently update the SaaS applications
destination endpoint lists as support grows and the service expands. This
requires you to manually monitor the SaaS application endpoints for changes and
manually update your policy configuration to ensure connectivity to these
critical SaaS applications or set up an external tool to monitor and update your
EDLs.
Configure an EDL using the EDL Hosting Service maintained by Palo
Alto Networks to ease the operational burden of maintaining an EDL for a SaaS
application. The EDL Hosting Service provides publicly available Feed URLs for
SaaS application endpoints published by the SaaS application provider.
Leveraging a Feed URL as the source in an EDL allows for dynamic enforcement of
SaaS application traffic without the need for you to host and maintain your own
EDL source.
Palo Alto Networks checks the application Feed URLs published by SaaS providers
on a daily basis and optimizes the IP address information received from SaaS
application providers in order to reduce the number of IP addresses that are
published in each EDL. This optimization includes identifying and removing
duplicate IP addresses and then aggregating the remaining IP addresses into a
smaller number of contiguous address ranges.
Microsoft updates all Microsoft 365 Feed URLs at the end of each calendar month
and provides a 30 day advanced notice prior to update. See the official Microsoft 365 Web Services
page for more information. Additionally, the endpoints for the
Microsoft 365 Common and Office Online SaaS application are always added to
every Feed URL in the EDL Hosting Service.
The EDL Hosting Service availability status and updates are posted to the Palo Alto Networks Cloud Services Status page.
Follow these steps to create an external dynamic list using the EDL Hosting
Service.
Cloud Managed
Leveraging a Feed URL as the source in an EDL allows for dynamic enforcement of SaaS
application traffic without the need for you to host and maintain your own EDL source.
- Visit the EDL Hosting Service and identify the Feed URL for your SaaS application.Review the Microsoft 365 documentation for more information which Feed URL is best for your use case. Additionally, consider the SaaS application and location of users accessing the SaaS application when identifying a Feed URL to. For example, if you have a branch in Germany that only needs to access Exchange Online, select a Feed URL from theService Area: Exchange OnlineforGermany.For a policy-based forwarding policy rule, use an IP-based Feed URL.
- (Best Practices) Create a certificate profile to authenticate the EDL Hosting Service.
- Download the GlobalSign Root R1 certificate.
- Import the GlobalSign Root R1 certificate.
- Select andImporta new custom certificate.
- Enter a descriptiveCertificate Name.
- For theCertificate File, selectBrowseand select the certificate you converted in the previous step.
- For theFormat, selectBase64 Encoded Certificate (PEM).
- SelectSave.
- Create a certificate authority (CA) certificate profile.
- Select andAdd Profile.
- Enter a descriptiveName.
- For theCA Certificates,Addthe certificate you imported in the previous step.
- SelectSave.
- SelectPush Config.
- Create an EDL using a Feed URL from the EDL Hosting Service.
- Select andAdd External Dynamic List.
- Enter a descriptiveNamefor the EDL.
- Select the EDLType.
- For an IP-based EDL, selectIP List.
- For a URL-based EDL, selectURL List.
- (Optional) Enter aDescription for the EDL
- Enter the Feed URL as the EDLSource.Enforce all endpoints within a specific Feed URL. Adding an excluding a specific endpoint from a Feed URL can cause connectivity issues to the SaaS application.
- (Best Practices) Select theCertificate Profileyou created in the previous step.
- Specify the frequency your environment shouldCheck for updatesto match the update frequency of the Feed URL.For example, if the Feed URL is updated daily by Palo Alto Networks then configure the EDL to check for updatesDaily.Palo Alto Networks displays the update frequency for each Feed URL in the EDL Hosting Service. Feed URLs are automatically updated with any new endpoints.
- SelectSave.
- When you enforce policy on an EDL from the EDL Hosting Service where the EDL is the source, be specific when configuring which users have access to the SaaS application to avoid over-provisioning access to the application.Leverage App-ID alongside EDLs in a security rule for additional strict enforcement of SaaS application traffic.
PAN-OS & Panorama
Leveraging a Feed URL as the source in an EDL allows for dynamic enforcement of SaaS
application traffic without the need for you to host and maintain your own EDL source.
- Visit the EDL Hosting Service and identify the Feed URL for your SaaS application.Review the Microsoft 365 documentation for more information which Feed URL is best for your use case. Additionally, consider the SaaS application and location of users accessing the SaaS application when identifying a Feed URL to. For example, if you have a branch in Germany that only needs to access Exchange Online, select a Feed URL from theService Area: Exchange OnlineforGermany.For a policy-based forwarding policy rule, use an IP-based Feed URL.
- (Best Practices) Create a certificate profile to authenticate the EDL Hosting Service.
- Download the GlobalSign Root R1 certificate.
- Import the GlobalSign Root R1 certificate.
- Select andImporta new certificate.
- ForCertificate Type, selectLocal.
- Enter a descriptiveCertificate Name.
- For theCertificate File, selectBrowseand select the certificate you converted in the previous step.
- For theFile Format, selectBase64 Encoded Certificate (PEM).
- ClickOK.
- Create a certificate authority (CA) certificate profile.
- Select andAdda new certificate profile.
- Enter a descriptiveName.
- For theCA Certificates,Addthe certificate you imported in the previous step.
- ClickOK.
- Commit.
- Create an EDL using a Feed URL from the EDL Hosting Service.
- Select andAdda new EDL.
- Enter a descriptiveNamefor the EDL.
- Select the EDLType.
- For an IP-based EDL, selectIP List.
- For a URL-based EDL, selectURL List.
- (Optional) Enter aDescription for the EDL
- Enter the Feed URL as the EDLSource.Enforce all endpoints within a specific Feed URL. Adding an excluding a specific endpoint from a Feed URL can cause connectivity issues to the SaaS application.
- (Best Practices) Select theCertificate Profileyou created in the previous step.
- Specify the frequency the firewall shouldCheck for updatesto match the update frequency of the Feed URL.For example, if the Feed URL is updated daily by Palo Alto Networks then configure the EDL to check for updatesDaily.Palo Alto Networks displays the update frequency for each Feed URL in the EDL Hosting Service. Feed URLs are automatically updated with any new endpoints.
- ClickTest Source URLto verify that the firewall can access the Feed URL from the EDL Hosting Service.
- ClickOK.
- When you enforce policy on an EDL from the EDL Hosting Service where the EDL is the source, be specific when configuring which users have access to the SaaS application to avoid over-provisioning access to the application.Leverage App-ID alongside EDLs in a security rule for additional strict enforcement of SaaS application traffic.