Configure an External Dynamic List (EDL) for Software-as-a-Service
(SaaS) applications.
Some Software-as-a-Service (SaaS) providers publish lists of IP addresses and
URLs as destination endpoints for their SaaS applications. SaaS providers
frequently update these destination endpoint lists as support grows and the
service expands. To ensure connectivity to these critical SaaS applications,
you must either manually monitor the SaaS application endpoints for changes and
manually update your policy configuration, or set up an external tool to
monitor and update your EDLs.
Configure an EDL using the EDL Hosting Service maintained by Palo Alto Networks
to ease the operational burden of maintaining an EDL for a SaaS
application. The EDL Hosting Service provides publicly available Feed URLs for SaaS
application endpoints published by the SaaS application provider. Leveraging a Feed
URL as the source in an EDL allows for dynamic enforcement of SaaS application
traffic without the need for you to host and maintain your own EDL source.
Palo Alto Networks checks the application Feed URLs published by SaaS providers on a
daily basis and optimizes the IP address information received from SaaS application
providers in order to reduce the number of IP addresses that are published in each
EDL. This optimization includes identifying and removing duplicate IP addresses and
then aggregating the remaining IP addresses into a smaller number of contiguous
address ranges.
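
The deduplicate-and-aggregate step described above can be reproduced locally to confirm that a shorter list still covers exactly the same address space and no more. This is an added example, not Palo Alto Networks code or the service's actual algorithm; it uses Python's standard `ipaddress` module, the function names are hypothetical, and the sample entries are constructed from documentation ranges.

```python
import ipaddress

# Constructed sample of provider-published endpoints (RFC 5737 documentation ranges).
PUBLISHED = [
    "192.0.2.0/25",
    "192.0.2.128/25",   # adjacent to the entry above, so the two merge into a /24
    "192.0.2.0/25",     # exact duplicate
    "192.0.2.64/26",    # already contained in 192.0.2.0/25
    "198.51.100.4",     # two single hosts that form an aligned /31
    "198.51.100.5",
    "203.0.113.16/28",
]

def optimize(entries):
    """Deduplicate entries and aggregate them into the fewest CIDR blocks."""
    nets = {ipaddress.ip_network(e.strip(), strict=False) for e in entries if e.strip()}
    out = []
    for version in (4, 6):  # collapse_addresses() rejects mixed IP versions
        out.extend(ipaddress.collapse_addresses(n for n in nets if n.version == version))
    return out

def union_size(nets):
    """Addresses in the union. CIDR blocks are nested or disjoint, so drop nested ones."""
    uniq = set(nets)
    top = [n for n in uniq
           if not any(n != m and n.version == m.version and n.subnet_of(m) for m in uniq)]
    return sum(n.num_addresses for n in top)

def same_coverage(original, optimized):
    """True only if optimized covers every original entry and adds no extra addresses."""
    orig = [ipaddress.ip_network(e.strip(), strict=False) for e in original]
    covered = all(any(o.version == n.version and o.subnet_of(n) for n in optimized)
                  for o in orig)
    return covered and union_size(orig) == union_size(optimized)

if __name__ == "__main__":
    result = optimize(PUBLISHED)
    print(f"{len(PUBLISHED)} entries -> {len(result)} ranges:", [str(n) for n in result])
    print("coverage unchanged:", same_coverage(PUBLISHED, result))
```

The coverage check matters for policy: an aggregation that rounds up to a larger prefix would silently allow traffic to addresses the provider never published.
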
Microsoft updates all Microsoft 365 Feed URLs at the end of each calendar month and
provides a 30-day advance notice prior to each update. See the official
Microsoft 365 Web Services page for more information. Additionally, the
endpoints for the Microsoft 365 Common and Office Online SaaS application are
always added to every Feed URL in the EDL Hosting Service.