Manage External Dynamic Lists

From the Cortex® XDR™ management console, you can configure and manage your external dynamic lists.
An External Dynamic List (EDL) is a text file hosted on an external web server that your Palo Alto Networks firewall uses to control user access to IP addresses and domains that Cortex XDR has found to be associated with an alert.
Cortex XDR hosts two external dynamic lists you can configure and manage from the Cortex XDR management console:
  • IP Addresses EDL
  • Domain Names EDL
To maintain an EDL in Cortex XDR, you must meet the following requirements:
  1. Enable EDL.
    1. Navigate to External Dynamic List.
    2. Enable External Dynamic List
      and enter the
      that the Palo Alto Networks firewall should use to access the Cortex XDR EDL.
  2. Record the IP Addresses EDL URL and the Domains EDL URL. You will need these URLs in the coming steps to point the firewall to these lists.
  3. Save the EDL configuration.
  4. Enable the firewall to authenticate the Cortex XDR EDL.
    1. Download and save the following root certificate:
    2. On the firewall, select
      Certificate Management
      the certificate. Make sure to give the device certificate a descriptive name, and select
      to save the certificate.
    3. Select
      Certificate Management
      Certificate Profile
      a new certificate profile.
    4. Give the profile a descriptive name and
      the certificate to the profile.
    5. Select
      to save the certificate profile.
  5. Set the Cortex XDR EDL as the source for a firewall EDL.
    For more detailed information about how Palo Alto Networks firewall EDLs work, how you can use EDLs, and how to configure them, review how to Use an External Dynamic List in Policy.
    1. On the firewall, select
      External Dynamic Lists
      a new list.
    2. Define the list
      as either
      IP List
      Domain List
    3. Enter the IP Addresses Block List URL or the Domains Block List URL that you recorded in the last step as the list
    4. Select the Certificate Profile that you created in the last step.
    5. Select Client Authentication and enter the username and password that the firewall must use to access the Cortex XDR EDL.
    6. Use the
      field to define how frequently the firewall retrieves the latest list from Cortex XDR.
    7. Click
      to add the new EDL.
  6. Select
    or edit a security policy rule to add the Cortex XDR EDL as match criteria to a security policy rule.
    Review the different ways you can Enforce Policy on an External Dynamic List; this topic describes the complete workflow to add an EDL as match criteria to a security policy rule.
    1. Select
      or edit a security policy rule.
    2. In the
      tab, select
      Destination Zone
      and select the external dynamic list as the
      Destination Address
    3. Click
      to save the security policy rule and
      your changes.
      You do not need to perform an additional commit or make any subsequent configuration changes for the firewall to enforce the EDL as part of your security policy; even as you update the Cortex XDR EDL, the firewall will enforce the list most recently retrieved from Cortex XDR.
      You can also use the Cortex XDR domain list as part of a URL Filtering profile or as an object in a custom Anti-Spyware profile; when attached to a security policy rule, a URL Filtering profile allows you to granularly control user access to the domains on the list.
  7. Add an IP address or Domain to your EDL.
    You can add to your IP address or Domain lists as you triage alerts from the Action Center or throughout the Cortex XDR management console.
    Make sure EDL sizes don’t exceed your firewall model limit.
    To add an IP address or Domain from the Action Center, Initiate an Endpoint Action to Add to EDL. You can choose to enter the IP address or Domain you want to add or choose to Upload File.
    During investigation, you can also Add to EDL from the menu that is available from investigation pages such as the Incidents View, Causality View, IP View, or Quick Launcher.
  8. At any time, you can view and make changes to the IP addresses and domain names lists.
    1. Navigate to Action Center.
    2. Review your IP addresses and domain names lists.
    3. If desired, select New Action to add additional IP addresses and domain names.
    4. If desired, select one or more IP addresses or domain names, right-click and
      any entries that you no longer want included on the lists.
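
Before pointing the firewall at the lists, it can help to confirm that an EDL URL is reachable with the recorded credentials and root certificate, and that the list stays within the firewall model limit. The following is an added example, not Palo Alto Networks code: the function names are hypothetical, and it assumes one entry per line, HTTP Basic authentication for the EDL username and password, and a limit value that you supply for your firewall model.

```python
import base64
import ipaddress
import re
import ssl
import urllib.request

# Assumption: a domain entry is a plain hostname, one entry per line.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)

# Constructed sample list (documentation address ranges), not real indicators.
SAMPLE_IP_LIST = "198.51.100.7\n203.0.113.0/24\n\n198.51.100.7\nevil.example\n"


def fetch_edl(url, username, password, root_cert_path):
    """Fetch an EDL as the firewall would: trust only the downloaded root
    certificate and send the EDL username/password (assumed HTTP Basic)."""
    ctx = ssl.create_default_context(cafile=root_cert_path)
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.read().decode("utf-8", errors="replace")


def check_edl(text, list_type, max_entries):
    """Return (valid, invalid, over_limit) for an 'ip' or 'domain' list.
    max_entries is the limit for your firewall model (caller-supplied)."""
    valid, invalid = [], []
    for raw in text.splitlines():
        entry = raw.strip().lower()
        if not entry:
            continue
        try:
            if list_type == "ip":
                entry = str(ipaddress.ip_network(entry, strict=False))
            elif not DOMAIN_RE.match(entry):
                raise ValueError("not a domain name")
        except ValueError:
            invalid.append(entry)
            continue
        if entry not in valid:  # count each entry once
            valid.append(entry)
    return valid, invalid, len(valid) > max_entries


if __name__ == "__main__":
    ok, bad, too_big = check_edl(SAMPLE_IP_LIST, "ip", max_entries=2)
    print(f"{len(ok)} valid, rejected: {bad}, over limit: {too_big}")
```

Pass the text returned by `fetch_edl` for each recorded URL to `check_edl`; entries reported as invalid usually mean a domain was added to the IP list or the reverse.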
