The EDL Hosting Service for Application Endpoint Management
SaaS providers publish lists of the IP addresses and URL endpoints their SaaS
applications use, and frequently update these lists. Palo Alto Networks hosts
these lists for you, and you can reference them in policy.
For Microsoft 365, you can subscribe to endpoint lists directly from Prisma
Access Cloud Management (including optional and required lists). Sometimes, the
EDL Hosting Service releases support for SaaS providers and endpoint list feeds
that are not yet available directly in Prisma
Access Cloud Management. To enforce policy for application endpoints from these
SaaS providers—including Azure, Amazon Web Services (AWS), Google Cloud Platform
(GCP), Salesforce (SFDC) public endpoints, Microsoft Defender, Zoom, and
GitHub—you can create an external dynamic list based on the feed URL.
Microsoft publishes lists of the IP addresses
and URL endpoints their SaaS applications use, and frequently updates
these lists.
Palo Alto Networks hosts these lists for you,
and from within Prisma Access, you can subscribe to the lists that
are relevant to you (including optional and required lists). You
can use the lists you’re subscribed to in policy. As Microsoft refreshes
their endpoint lists, your policy dynamically enforces the latest
version of the list; there’s no need for you to monitor list changes
or make manual policy updates to catch the latest updates.
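The drift that a subscribed list avoids, shown as an added example (not Palo Alto Networks code): it compares a static copy of an endpoint list with a refreshed one, per list type. The one-entry-per-line format, the function names, and all sample entries (documentation address ranges and example.com hosts) are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample data (assumed one entry per line): a copy pasted into a
# static rule some time ago, and the list as published now. Not real endpoints.
STATIC_COPY = """\
192.0.2.0/24
198.51.100.0/25
2001:db8:10::/48
*.mail.example.com
"""
CURRENT_FEED = """\
192.0.2.0/24
203.0.113.0/26
2001:db8:10::/48
2001:db8:20::/48
*.mail.example.com
*.collab.example.com
"""

def classify(entry):
    """Return 'IPv4', 'IPv6' or 'URL' for one list entry."""
    try:
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return "URL"  # anything that is not an address or CIDR block
    return "IPv4" if net.version == 4 else "IPv6"

def parse(text):
    """Group entries by list type; blank lines and '#' comments are skipped."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            entries.setdefault(classify(line), set()).add(line)
    return entries

def drift(static_text, feed_text):
    """Per list type: entries the static copy still allows although the
    provider dropped them (stale), and new entries it lacks (missing)."""
    old, new = parse(static_text), parse(feed_text)
    report = {}
    for kind in ("IPv4", "IPv6", "URL"):
        o, n = old.get(kind, set()), new.get(kind, set())
        report[kind] = {"stale": sorted(o - n), "missing": sorted(n - o)}
    return report

if __name__ == "__main__":
    for kind, d in drift(STATIC_COPY, CURRENT_FEED).items():
        print(kind, "stale:", d["stale"], "missing:", d["missing"])
```

A stale entry is an address range a static rule keeps allowing after the provider stops using it; a missing entry is a new endpoint the static rule does not match.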
Subscribe to an endpoint list
Edit Microsoft 365 settings and go to Endpoint Lists.
Select Customize Subscription and choose the endpoint lists you want to
subscribe to, based on the services you’re using and the list type (IPv4, IPv6,
or URL).
Add the endpoint list to a security policy rule
Your subscribed lists are available for you to use as match
criteria in a security policy rule.
Go to Manage > Configuration > NGFW and Prisma Access > Security Services >
Security Policy and add or edit a rule.
Add SaaS Application Endpoint lists as match criteria for the rule.
Microsoft 365 Tenant Restrictions
Tenant restrictions give you a way to limit app
usage to enterprise accounts (stop users from accessing their personal
Microsoft accounts on the company network). To put tenant restrictions
in place:
Specify the Microsoft 365 tenants to which you want to allow access.
Specify the Microsoft 365 domains and tenants to which you want to allow access.
Add the tenant restrictions to a security policy rule.
While you can add tenant restrictions to a security policy
rule directly from the Microsoft 365 settings here, any tenant restrictions
you’ve configured can also be easily added to new and existing security
policy rules:
Google Apps
Prisma Access gives you simple, centralized management for your SaaS applications –
including Google apps – and you can enforce application traffic differently for
personal and enterprise versions of the apps. For example, you can safely enable
Google apps on your company network by restricting employees on managed devices to
Google enterprise accounts, and block or limit access to personal Google
accounts.
The EDL Hosting Service releases support for SaaS providers and endpoint list
feeds that are not yet available directly in Prisma Access Cloud Management. To
enforce policy for Google Cloud Platform (GCP) endpoints, you can create an
external dynamic list based on the feed URL. Learn more about the EDL Hosting
Service.
To enable tenant restrictions for Google apps:
Go to Manage > Configuration > NGFW and Prisma Access. Select the Prisma Access
configuration scope, go to Objects > SaaS App Management, and edit Google Apps
settings.
Add approved domains and tenants for your users to access.
Assign the tenant restrictions to a security policy rule.
While you can add tenant restrictions to a security policy
rule directly from the Google app settings here, all tenant restrictions
you’ve configured for SaaS apps are available to you when you’re
editing or creating security policy rules:
Dropbox
Prisma Access gives you simple, centralized
management for your SaaS applications, including Dropbox. You can
safely enable Dropbox on your company network by restricting usage
only to enterprise accounts.
Go to Manage > Configuration > NGFW and Prisma Access. Select the Prisma Access
configuration scope, go to Objects > SaaS App Management, and edit Dropbox
settings.
To enable tenant restrictions:
Add approved domains and tenants for your users to access.
Assign the tenant restrictions to a security policy rule.
While you can add tenant restrictions to a security policy
rule directly from the Dropbox settings here, all tenant restrictions
you’ve configured for SaaS apps are available to you when you’re
editing or creating security policy rules:
YouTube
Prisma Access gives you simple, centralized
management for your SaaS applications, including YouTube. For YouTube,
you can enforce Safe Search settings.
Go to Manage > Configuration > NGFW and Prisma Access. Select the Prisma Access
configuration scope, go to Objects > SaaS App Management, and edit YouTube
settings.
To enforce Safe Search for YouTube:
Add the domains for which you want to enforce Safe Search.
Add the Safe Search settings to a security policy rule.
While you can add Safe Search to a security policy rule
directly from the YouTube settings here, the settings you’ve configured
for SaaS apps are also available to you when you’re editing or creating
security policy rules: