topic Re: Is it possbile to use an EDL in GW split tunnel config? in GlobalProtect Discussions

Is it possbile to use an EDL in GW split tunnel config?

dmuirhead — Tue, 23 Jun 2020 16:58:56 GMT

Hey guys,

As the title suggests; is it possible to use an EDL in split-tunnel config? I'd like to be able to use Minemeld to grab Office 365 IPs & URLs.

Thanks in advance

Re: Is it possbile to use an EDL in GW split tunnel config?

domari — Thu, 25 Jun 2020 16:09:47 GMT

Unfortunately, you cannot use EDLs in split tunneling. You can use address objects and address groups.

Re: Is it possbile to use an EDL in GW split tunnel config?

nikoolayy1 — Sun, 13 Mar 2022 09:47:46 GMT

This should be added as I don't know if anyone has seen that now zoom and office 365 have autodiscover URL for the source ip addresses and maybe Palo Alto may need to include the use of External Dynamic Lists (EDL) in the Globalprotect VPN split tunnel:

https://assets.zoom.us/docs/ipranges/Zoom.txt

https://endpoints.office.com/endpoints/worldwide?clientrequestid=b10c5ed1-bad1-445f-b386-b919946339a7

Re: Is it possbile to use an EDL in GW split tunnel config?

PaulArcellx — Tue, 27 Sep 2022 22:32:52 GMT

were you even able to create an EDL with that zoom link? When I attempt to, I get 1 address of 0.0.0.0/32

Re: Is it possbile to use an EDL in GW split tunnel config?

Adrian_Jensen — Thu, 29 Sep 2022 18:56:43 GMT

Unfortunately, using EDLs for split tunneling is not supported per previous threads.

https://live.paloaltonetworks.com/t5/general-topics/dynamically-update-microsoft-office-urls-and-ips/m-p/514783/highlight/true#M106838

Re: Is it possbile to use an EDL in GW split tunnel config?

nikoolayy1 — Wed, 12 Oct 2022 14:13:33 GMT

By this "This should be added" I meant that it is not possible in the current software but it seems to me like an easy fix with RFE (https://live.paloaltonetworks.com/t5/blogs/how-to-use-palo-alto-networks-new-feature-request/ba-p/409590 ) to palo alto as Palo Alto has some premade EDL lists and they can feed the data after processing it through their EDL service for Office 365 (https://docs.paloaltonetworks.com/resources/edl-hosting-service ) as they already do ( https://live.paloaltonetworks.com/t5/blogs/edl-hosting-service-helps-to-safely-enable-microsoft-365/ba-p/410972 ) or as @dmuirhead mentioned to use minemeld or misp as a free solution but as mentioned as of now EDL can't be used for split-tunnel. For Zoom you will need to do this using minemeld/misp as it is not available as EDL in the SaaS EDL service but you can check with Palo Alto. Sorry for misunderstanding me as I admit I was not very clear 🙂

For now maybe split-tunnel based on application would have been possible workaround if an agent was installed on the PC but this is not the case with many (maybe a good option for the zoom app but not for web access or office 365) https://docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/globalprotect-gateways/split-tunnel-traffic-on-globalprotect-gateways/configure-a-split-tunnel-based-on-the-domain-and-application . Also using wildcard domains may work but then if the Palo Alto resolves the destination domain to a different ip address using its own DNS resolution than the client DNS resolution as this could happen with modern DNS systems this can be an issue but maybe if the Palo Alto is the DNS proxy for the clients if possible this could make certain that the same DNS will be resolved to the same ip address. I had in one company this issue and this is why we did not use domains with wildcard but we never tested if the DNS proxy feature is used will this issue be seen again, but it could be worth it https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFcCAK

Still as palo alto's suggestion https://live.paloaltonetworks.com/t5/globalprotect-articles/globalprotect-optimizing-office-365-traffic/ta-p/319669 an automation can be created that updates the firewalls using REST-API or Palo Alto XSOAR could be tested to retrive the list and feed it to the firewalls as an Address Object as there is a trial community edition for XSOAR it could be tested.

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-panorama-api/get-started-with-the-pan-os-rest-api/work-with-address-objects-rest-api

https://xsoar.pan.dev/docs/reference/integrations/panorama

https://start.paloaltonetworks.com/sign-up-for-community-edition.html

XSOAR can fetch the zoom and office 365 lists format them and feed it to the firewalls!

https://xsoar.pan.dev/docs/reference/integrations/zoom-feed

https://xsoar.pan.dev/docs/reference/integrations/office-365-feed

XSOAR is the next minemeld:

https://xsoar.pan.dev/docs/reference/articles/minemeld-migration

Also Ansible or Terraform can be tested as they are free and much better than a python script as they willl not change the config even when the automation is triggered if there is no real change to the address list but still XSOAR will provide more options expecially for getting the feed lists and feeding them to the Palo Alto firewalls as EDL or Address objects (it can also feed url/fqdn objects but I think even the latest versions of palo alto PAN-OS can't use fqdn objects for split-tunnel):

https://ansible-pan.readthedocs.io/en/latest/modules/panos_address_object_module.html

https://registry.terraform.io/providers/PaloAltoNetworks/panos/latest/docs/resources/address_object

Re: Is it possbile to use an EDL in GW split tunnel config?

jfernandez1 — Wed, 27 Mar 2024 16:14:42 GMT

EDL is not supported for GlobalProtect users, however we can create an external resource stored on a web-server to make the end user globalprotect to download it and manage it such as an EDL, here's the documentation: https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/globalprotect-gateways/host-a-split-tunnel-configuration-file-on-a-web-server