Network Security
Create an External Dynamic List Using the EDL Hosting Service (Strata Cloud Manager)
Table of Contents
Expand All
|
Collapse All
Network Security Docs
Create an External Dynamic List Using the EDL Hosting Service (Strata Cloud Manager)
Leveraging a Feed URL as the source in an EDL allows for dynamic enforcement of SaaS
application traffic without the need for you to host and maintain your own EDL source.
- Visit the EDL Hosting Service and identify the
Feed URL for your SaaS application.Review the Microsoft 365 documentation for more information which Feed URL is best for your use case. Additionally, consider the SaaS application and location of users accessing the SaaS application when identifying a Feed URL to. For example, if you have a branch in Germany that only needs to access Exchange Online, select a Feed URL from the Service Area: Exchange Online for Germany.For a policy-based forwarding policy rule, use an IP-based Feed URL.
- (Best Practices) Create a certificate profile to authenticate the EDL
Hosting Service.
- Download the GlobalSign Root R1 certificate.
- Convert the GlobalSign Root R1 Certificate to PEM Format.
- Import the GlobalSign Root R1 certificate.
-
Select ManageNGFW and Prisma AccessObjectsCertificate ManagementCustom Certificates and Import a new custom certificate.
-
Enter a descriptive Certificate Name.
-
For the Certificate File, select Browse and select the certificate you converted in the previous step.
-
For the Format, select Base64 Encoded Certificate (PEM).
-
Select Save.
-
- Create a certificate authority (CA) certificate profile.
-
Select ManageNGFW and Prisma AccessObjectsCertificate ManagementCertificate Profiles and Add Profile.
-
Enter a descriptive Name.
-
For the CA Certificates, Add the certificate you imported in the previous step.
-
Select Save.
-
- Select Push Config.
- Create an EDL using a Feed URL from the EDL Hosting Service.
- Select ManageNGFW and Prisma AccessObjectsExternal Dynamic Lists and Add External Dynamic List.
- Enter a descriptive Name for the EDL.
- Select the EDL Type.
-
For an IP-based EDL, select IP List.
-
For a URL-based EDL, select URL List.
-
- (Optional) Enter a Description for the EDL
- Enter the Feed URL as the EDL Source.Enforce all endpoints within a specific Feed URL. Adding an excluding a specific endpoint from a Feed URL can cause connectivity issues to the SaaS application.
- (Best Practices) Select the Certificate Profile you created in the previous step.
- Specify the frequency your environment should Check for
updates to match the update frequency of the Feed
URL.For example, if the Feed URL is updated daily by Palo Alto Networks then configure the EDL to check for updates Daily.Palo Alto Networks displays the update frequency for each Feed URL in the EDL Hosting Service. Feed URLs are automatically updated with any new endpoints.
- Select Save.
- Enforce Policy on an External Dynamic List.When you enforce policy on an EDL from the EDL Hosting Service where the EDL is the source, be specific when configuring which users have access to the SaaS application to avoid over-provisioning access to the application.Leverage App-ID alongside EDLs in a security rule for additional strict enforcement of SaaS application traffic.