Manage External Dynamic Lists

Configure and manage your external dynamic lists from the Cortex XDR console.
An External Dynamic List (EDL) is a text file hosted on an external web server that your Palo Alto Networks firewall uses to control user access to IP addresses and domains that Cortex XDR has found to be associated with an alert.
Cortex XDR hosts two external dynamic lists you can configure and manage from the Cortex XDR management console:
  • IP Addresses EDL
  • Domain Names EDL
To maintain an EDL in Cortex XDR, you must meet the following requirements:
  • Cortex XDR Pro per TB or Cortex Pro per Endpoint license
  • An App Administrator, Privileged Investigator, or Privileged Security Admin role that includes EDL permissions
  • Palo Alto Networks firewall running PAN-OS 9.0 or a later release
  • Access to your Palo Alto Networks firewall configuration
  1. Enable EDL.
    1. Navigate to Settings > EDL.
    2. Enable EDL and enter the Username and Password that the Palo Alto Networks firewall should use to access the Cortex XDR EDL.
  2. Record the IP Addresses EDL URL and the Domains EDL URL. You will need these URLs in the coming steps to point the firewall to these lists.
    Test the URLs in a browser to confirm that they are active.
  3. Save the EDL configuration.
  4. Enable the firewall to authenticate the Cortex XDR EDL.
    1. Download and save the following root certificate: https://certs.godaddy.com/repository/gd-class2-root.crt.
    2. On the firewall, select Device > Certificate Management > Certificates and Import the certificate. Give the device certificate a descriptive name, and select OK to save the certificate.
    3. Select Device > Certificate Management > Certificate Profile and Add a new certificate profile.
    4. Give the profile a descriptive name and Add the certificate to the profile.
    5. Select OK to save the certificate profile.
  5. Set the Cortex XDR EDL as the source for a firewall EDL.
    For more detailed information about how Palo Alto Networks firewall EDLs work, how you can use them, and how to configure them, review how to Use an External Dynamic List in Policy.
    1. On the firewall, select Objects > External Dynamic Lists and Add a new list.
    2. Define the list Type as either IP List or Domain List.
    3. Enter the IP Addresses EDL URL or the Domains EDL URL that you recorded in step 2 as the list Source.
    4. Select the Certificate Profile that you created in step 4.
    5. Select Client Authentication and enter the username and password that the firewall must use to access the Cortex XDR EDL.
    6. Use the Repeat field to define how frequently the firewall retrieves the latest list from Cortex XDR.
    7. Click OK to add the new EDL.
  6. Select Policies > Security and Add or edit a security policy rule to add the Cortex XDR EDL as match criteria for that rule.
    Review the different ways you can Enforce Policy on an External Dynamic List; this topic describes the complete workflow to add an EDL as match criteria to a security policy rule.
    1. Select Policies > Security and Add or edit a security policy rule.
    2. In the Destination tab, select the Destination Zone and select the external dynamic list as the Destination Address.
    3. Click OK to save the security policy rule and Commit your changes.
      You do not need to perform an additional commit or make any subsequent configuration changes for the firewall to enforce the EDL as part of your security policy; as you update the Cortex XDR EDL, the firewall enforces the list it most recently retrieved from Cortex XDR.
      You can also use the Cortex XDR domain list as part of a URL Filtering profile or as an object in a custom Anti-Spyware profile; when attached to a security policy rule, a URL Filtering profile lets you granularly control user access to the domains on the list.
  7. Add an IP address or domain to your EDL.
    You can add to your IP address or domain lists as you triage alerts from the Action Center or throughout the Cortex XDR management console.
    Make sure EDL sizes don't exceed your firewall model limit.
    To add an IP address or domain from the Action Center, initiate an Endpoint Action to Add to EDL. You can enter the IP address or domain you want to add Manually or choose to Upload File.
    During investigation, you can also Add to EDL from the Actions menu that is available from investigation pages such as the Incidents View, Causality View, IP View, or Quick Launcher.
  8. At any time, you can view and change the IP addresses and domain names lists.
    1. Navigate to Response > Action Center > EDL.
    2. Review your IP addresses and domain names lists.
    3. If desired, select New Action to add additional IP addresses and domain names.
    4. If desired, select one or more IP addresses or domain names, right-click, and Delete any entries that you no longer want included on the lists.
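The list that step 2 tells you to test and that step 7 tells you to keep within your firewall model's limit is plain text, one entry per line. The following Python script is an added example, not part of this page, Cortex XDR or PAN-OS; it checks a downloaded EDL body for lines that a firewall IP List or Domain List would not accept and counts the entries against a model limit. The hostname label rule and the 50,000 figure are assumptions for illustration, not PAN-OS limits.

```python
"""Sanity-check an EDL body before a firewall EDL object consumes it."""
import ipaddress
import re
from typing import List, Tuple

# Hostname label rule assumed for the Domain List check: letters, digits and
# hyphens, no leading or trailing hyphen, at most 63 characters per label.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def parse_edl(text: str, list_type: str) -> Tuple[List[str], List[str]]:
    """Return (valid_entries, rejected_lines); list_type is "ip" or "domain".

    Blank lines and lines starting with '#' are ignored. "ip" accepts single
    addresses and CIDR ranges; "domain" accepts hostnames of two or more labels.
    """
    if list_type not in ("ip", "domain"):
        raise ValueError("list_type must be 'ip' or 'domain'")
    valid, rejected = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if list_type == "ip":
            try:
                ipaddress.ip_network(line, strict=False)
                valid.append(line)
            except ValueError:
                rejected.append(line)
        else:
            labels = line.rstrip(".").split(".")
            if len(labels) >= 2 and all(_LABEL.match(lbl) for lbl in labels):
                valid.append(".".join(labels).lower())  # normalised hostname
            else:
                rejected.append(line)
    return valid, rejected


def fits_model_limit(entries: List[str], model_limit: int) -> bool:
    """True if the entry count is within the firewall model's EDL limit."""
    return len(entries) <= model_limit


# Constructed sample bodies; not output from a real Cortex XDR tenant.
SAMPLE_IP_EDL = "# constructed\n203.0.113.7\n198.51.100.0/24\nnot-an-ip\n"
SAMPLE_DOMAIN_EDL = "malicious.example.net\nbad_host.example\nEXAMPLE.com.\n"

if __name__ == "__main__":
    for kind, body in (("ip", SAMPLE_IP_EDL), ("domain", SAMPLE_DOMAIN_EDL)):
        ok, bad = parse_edl(body, kind)
        print(f"{kind}: {len(ok)} valid, rejected={bad}, "
              f"fits assumed 50k limit={fits_model_limit(ok, 50000)}")
```

Run it against the body you download from the IP Addresses EDL URL or Domains EDL URL to see which lines the firewall would skip before the next Repeat interval retrieves the list.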
