Manage External Dynamic Lists
Configure and manage your external dynamic lists from the Cortex XDR console.
An External Dynamic List (EDL) is a text file hosted on an external web server. Your Palo Alto Networks firewall uses it to control user access to IP addresses and domains that Cortex XDR has found to be associated with an alert.
Cortex XDR hosts two external dynamic lists you can configure and manage from the Cortex XDR management console:
- IP Addresses EDL
- Domain Names EDL
To maintain an EDL in Cortex XDR, you must meet the following requirements:
- Cortex XDR Pro per TB or Cortex Pro per Endpoint license
- An App Administrator, Privileged Investigator, or Privileged Security Admin role, which includes EDL permissions
- Palo Alto Networks firewall running PAN-OS 9.0 or a later release
- Access to your Palo Alto Networks firewall configuration
- Enable EDL.
  - Navigate to Settings > EDL.
  - Enable EDL and enter the Username and Password that the Palo Alto Networks firewall should use to access the Cortex XDR EDL.
  - Record the IP Addresses EDL URL and the Domains EDL URL. You will need these URLs in the coming steps to point the firewall to these lists. Test the URLs in a browser to confirm that they are active.
  - Save the EDL configuration.
- Enable the firewall to authenticate the Cortex XDR EDL.
  - Download and save the following root certificate: https://certs.godaddy.com/repository/gd-class2-root.crt.
  - On the firewall, select Device > Certificate Management > Certificates and Import the certificate. Make sure to give the device certificate a descriptive name, and select OK to save the certificate.
  - Select Device > Certificate Management > Certificate Profile and Add a new certificate profile.
  - Give the profile a descriptive name and Add the certificate to the profile.
  - Select OK to save the certificate profile.
- Set the Cortex XDR EDL as the source for a firewall EDL.
  - On the firewall, select Objects > External Dynamic Lists and Add a new list.
  - Define the list Type as either IP List or Domain List.
  - Enter the IP Addresses Block List URL or the Domains Block List URL that you recorded in the last step as the list Source.
  - Select the Certificate Profile that you created in the last step.
  - Select Client Authentication and enter the username and password that the firewall must use to access the Cortex XDR EDL.
  - Use the Repeat field to define how frequently the firewall retrieves the latest list from Cortex XDR.
  - Click OK to add the new EDL.
- Select Policies > Security and Add or edit a security policy rule to add the Cortex XDR EDL as match criteria to a security policy rule.
  - Select Policies > Security and Add or edit a security policy rule.
  - In the Destination tab, select Destination Zone and select the external dynamic list as the Destination Address.
  - Click OK to save the security policy rule and Commit your changes.
    You do not need to perform an additional commit or make any subsequent configuration changes for the firewall to enforce the EDL as part of your security policy; even as you update the Cortex XDR EDL, the firewall will enforce the list most recently retrieved from Cortex XDR.
    You can also use the Cortex XDR domain list as part of a URL Filtering profile or as an object in a custom Anti-Spyware profile; when attached to a security policy rule, a URL Filtering profile allows you to granularly control user access to the domains on the list.
- Add an IP address or Domain to your EDL.
  You can add to your IP address or Domain lists as you triage alerts from the Action Center or throughout the Cortex XDR management console.
  To add an IP address or Domain from the Action Center, Initiate an Endpoint Action to Add to EDL. You can choose to enter the IP address or Domain you want to add Manually or choose to Upload File.
  During investigation, you can also Add to EDL from the Actions menu that is available from investigation pages such as the Incidents View, Causality View, IP View, or Quick Launcher.
- At any time, you can view and make changes to the IP addresses and domain names lists.
  - Navigate to Response > Action Center > EDL.
  - Review your IP addresses and domain names lists.
  - If desired, select New Action to add additional IP addresses and domain names.
  - If desired, select one or more IP addresses or domain names, right-click and Delete any entries that you no longer want included on the lists.
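
Because the firewall enforces whatever list it most recently retrieved without a further commit, a mistyped or internal entry added through Add to EDL turns directly into a block. The following pre-upload check is an added example, not part of the Cortex XDR product or its documentation; it assumes one entry per line, single addresses only, and placeholder protected sets (`PROTECTED_NETS`, `PROTECTED_DOMAINS`) that you would replace with your own.

```python
import ipaddress
import re

# Assumed, site-specific "never block" sets (placeholders, not from the page).
PROTECTED_NETS = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
PROTECTED_DOMAINS = {"corp.example"}
LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")
# Constructed sample input: one candidate entry per line (assumed format).
SAMPLE = ["203.0.113.7", "bad-domain.test  # from alert", "10.0.0.5",
          "vpn.corp.example", "10.0.0.256", "BAD-DOMAIN.TEST.", ""]

def classify(entry):
    """Return ("ip" | "domain", normalized value) or raise ValueError."""
    value = entry.strip().lower().rstrip(".")
    try:
        return "ip", str(ipaddress.ip_address(value))
    except ValueError:
        labels = value.split(".")
    # An all-numeric last label means a malformed IP address, not a domain.
    if (len(value) > 253 or len(labels) < 2 or labels[-1].isdigit()
            or not all(LABEL.fullmatch(label) for label in labels)):
        raise ValueError("not a valid IP address or domain name")
    return "domain", value

def is_protected(kind, value):
    """True when blocking the entry would hit infrastructure you rely on."""
    if kind == "ip":
        return any(ipaddress.ip_address(value) in net for net in PROTECTED_NETS)
    return any(value == d or value.endswith("." + d) for d in PROTECTED_DOMAINS)

def triage(lines):
    """Split candidates into an IP list, a domain list, and rejects with reasons."""
    out = {"ip": [], "domain": [], "rejected": []}
    for raw in lines:
        entry = raw.split("#", 1)[0].strip()   # allow comments and blank lines
        if not entry:
            continue
        try:
            kind, value = classify(entry)
        except ValueError as exc:
            out["rejected"].append((entry, str(exc)))
            continue
        if is_protected(kind, value):
            out["rejected"].append((entry, "protected asset"))
        elif value not in out[kind]:           # drop duplicates
            out[kind].append(value)
    return out

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The `ip` and `domain` lists map to the IP Addresses EDL and the Domain Names EDL; review the `rejected` entries by hand before adding anything.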