Create an External Dynamic List Using the EDL Hosting Service

Configure an External Dynamic List (EDL) for Software-as-a-Service (SaaS) applications.
Some Software-as-a-Service (SaaS) providers publish lists of IP addresses and URLs as destination endpoints for their SaaS applications. SaaS providers frequently update the SaaS applications destination endpoint lists as support grows and the service expands. This requires you to manually monitor the SaaS application endpoints for changes and manually update your policy configuration to ensure connectivity to these critical SaaS applications or set up an external tool to monitor and update your EDLs.
Configure an EDL using the EDL Hosting Service maintained by Palo Alto Networks to ease the operational burden of maintaining an EDL for a SaaS application. The EDL Hosting Service provides publicly available Feed URLs for SaaS application endpoints published by the SaaS application provider. Leveraging a Feed URL as the source in an EDL allows for dynamic enforcement of SaaS application traffic without the need for you to host and maintain your own EDL source.
Palo Alto Networks checks the application Feed URLs published by SaaS providers on a daily basis. For IP based feeds, Palo Alto Networks performs optimizations to combine entries from a continuous netmask and deduplication is performed if endpoints overlap across multiple areas. Additionally, the endpoints for the Microsoft 365 Common and Office Online SaaS application are always added to every Feed URL in the EDL Hosting Service.
Microsoft updates all Microsoft 365 Feed URLs at the end of each calendar month and provides a 30 day advanced notice prior to update. See the official Microsoft 365 Web Services page for more information. The EDL Hosting Service availability status and updates are posted to the Palo Alto Networks Cloud Services Status page.
  1. Visit the EDL Hosting Service and identify the Feed URL for your SaaS application.
    Review the Microsoft 365 documentation for more information which Feed URL is best for your use case. Additionally, consider the SaaS application and location of users accessing the SaaS application when identifying a Feed URL to. For example, if you have a branch in Germany that only needs to access Exchange Online, select a Feed URL from the
    Service Area: Exchange Online
    for
    Germany
    .
    For a policy-based forwarding policy rule, use an IP-based Feed URL.
  2. (
    Best Practices
    ) Create a certificate profile to authenticate the EDL Hosting Service.
    1. Import the GlobalSign Root R1 certificate.
      1. Select
        Device
        Certificate Management
        Certificates
        and
        Import
        a new certificate.
      2. For
        Certificate Type
        , select
        Local
        .
      3. Enter a descriptive
        Certificate Name
        .
      4. For the
        Certificate File
        , select
        Browse
        and select the certificate you converted in the previous step.
      5. For the
        File Format
        , select
        Base64 Encoded Certificate (PEM)
        .
      6. Click
        OK
        .
    2. Create a certificate authority (CA) certificate profile.
      1. Select
        Device
        Certificate Management
        Certificate Profile
        and
        Add
        a new certificate profile.
      2. Enter a descriptive
        Name
        .
      3. For the
        CA Certificates
        ,
        Add
        the certificate you imported in the previous step.
      4. Click
        OK
        .
    3. Commit
      .
  3. Create an EDL using a Feed URL from the EDL Hosting Service.
    1. Select
      Objects
      External Dynamic Lists
      and
      Add
      a new EDL.
    2. Enter a descriptive
      Name
      for the EDL.
    3. Select the EDL
      Type
      .
      • For an IP-based EDL, select
        IP List
        .
      • For a URL-based EDL, select
        URL List
        .
    4. (
      Optional
      ) Enter a
      Description for the EDL
    5. Enter the Feed URL as the EDL
      Source
      .
      Enforce all endpoints within a specific Feed URL. Adding an excluding a specific endpoint from a Feed URL can cause connectivity issues to the SaaS application.
    6. (
      Best Practices
      ) Select the
      Certificate Profile
      you created in the previous step.
    7. Specify the frequency the firewall should
      Check for updates
      to match the update frequency of the Feed URL.
      For example, if the Feed URL is updated daily by Palo Alto Networks then configure the EDL to check for updates
      Daily
      .
      Palo Alto Networks displays the update frequency for each Feed URL in the EDL Hosting Service. Feed URLs are automatically updated with any new endpoints.
    8. Click
      Test Source URL
      to verify that the firewall can access the Feed URL from the EDL Hosting Service.
    9. Click
      OK
      .
  4. When you enforce policy on an EDL from the EDL Hosting Service where the EDL is the source, be specific when configuring which users have access to the SaaS application to avoid over-provisioning access to the application.
    Leverage App-ID alongside EDLs in a policy rule for additional strict enforcement of SaaS application traffic.

Recommended For You