https://live.paloaltonetworks.com/t5/prisma-access-cloud-management/how-the-edl-hosting-service-helps-to-safely-enable-m365/ta-p/408765 <DIV class="lia-message-template-content-zone"> <P><SPAN style="font-weight: 400;">Many SaaS Applications, Microsoft 365 being one great example, publish a list of endpoints that firewall rules must allow connectivity to in order for the services to function properly.&nbsp;&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN style="font-weight: 400;">As part of our security best practices, we have always recommended that a security policy should not only restrict access based on App-ID (for example, ms-office365), but also by the application’s destination endpoints (ip/domains).</SPAN></P> <P>&nbsp;</P> <P><SPAN style="font-weight: 400;">However, the endpoint list in some cases is dynamic ( Microsoft updates its M365 endpoints on a periodic basis).&nbsp;</SPAN></P> <P><SPAN style="font-weight: 400;">Keeping up with the changes and updating your policies in accordance with that becomes challenging. And that often leads to administrators configuring the policy with a destination of “any” and loosening up the access.</SPAN></P> <P>&nbsp;</P> <P><SPAN style="font-weight: 400;">Additionally, there might be&nbsp; cases where you want to preferentially treat traffic going to certain endpoints. Examples would be bypassing SSL decryption for Optimized endpoints as Microsoft recommends </SPAN><A href="https://docs.microsoft.com/en-us/microsoft-365/enterprise/microsoft-365-network-connectivity-principles?view=o365-worldwide#new-office-365-endpoint-categories" target="_blank" rel="noopener"><SPAN style="font-weight: 400;">here</SPAN></A><SPAN style="font-weight: 400;"> or providing QoS priority to ‘OneDrive’ endpoints.</SPAN></P> <P><SPAN style="font-weight: 400;">Again, the challenge to keep up with the changing endpoint list remains.&nbsp;</SPAN></P> <H4>&nbsp;</H4> <H4><SPAN style="font-weight: 400;">External Dynamic Lists</SPAN></H4> <P><SPAN style="font-weight: 400;">PAN-OS has always had support for External Dynamic Lists (EDLs) which are tailor-made for such use cases. EDLs are configurable objects on PAN-OS that can be referenced within policies to represent a list of IPs (or URLs). The list membership is dynamic and PAN-OS will, based on a configurable frequency, check for updates to the list from the specified source to keep the object updated.&nbsp;</SPAN></P> <P>&nbsp;</P> <P><STRONG>Now all we need is a “source” from which endpoint lists can be consumed.</STRONG></P> <H2>&nbsp;</H2> <H2><SPAN style="font-weight: 400;">Introducing the EDL Hosting Service</SPAN></H2> <P>&nbsp;</P> <P><SPAN style="font-weight: 400;">EDL Hosting Service is a globally available Palo Alto Networks-managed service that hosts&nbsp; curated lists which can be consumed by any Palo Alto Networks NGFW (including Prisma Access) in the form of EDLs. An admin only has to configure the EDL and point it to a source URL the EDL Hosting Service provides for the feed of interest. This is a one-time setup.</SPAN></P> <P>&nbsp;</P> <P><SPAN style="font-weight: 400;">With the current release, the service provides hosting for All </SPAN><STRONG>Microsoft 365</STRONG><SPAN style="font-weight: 400;"> endpoints organized into categories you can easily scan and choose from based on what’s relevant to you.</SPAN></P> <P><SPAN style="font-weight: 400;">EDLs also provide support for adding your custom exceptions to these lists and give you full control.</SPAN></P> <P>&nbsp;</P> <P><SPAN style="font-weight: 400;">The service keeps up with all updates from Microsoft and categorizes the feeds into multiple lists based on either the:</SPAN></P> <UL> <LI style="font-weight: 400;" aria-level="1"><STRONG><I>Region</I></STRONG><SPAN style="font-weight: 400;">: Worldwide, Germany, 21 Vianet (China), US Gov DoD, US Gov GCC-High</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><STRONG><I>Service Areas</I></STRONG><SPAN style="font-weight: 400;">: Exchange Online, Sharepoint and OneDrive, Skype and Teams, Any (includes all service areas)</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><STRONG><I>Category</I></STRONG><SPAN style="font-weight: 400;">: Optimize, Allow, Default, All (includes all three categories)</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><STRONG><I>Type</I></STRONG><SPAN style="font-weight: 400;">: IPv4, IPv6, URL</SPAN></LI> </UL> <P>&nbsp;</P> <P><SPAN style="font-weight: 400;">The EDLs automatically stay updated from the hosted feeds,and policies do not have to be touched once configured.</SPAN></P> <P>&nbsp;</P> <P><SPAN style="font-weight: 400;">You can refer to the documentation </SPAN><A href="https://docs.paloaltonetworks.com/resources/edl-hosting-service.html" target="_blank" rel="noopener"><SPAN style="font-weight: 400;">here</SPAN></A><SPAN style="font-weight: 400;"> for more details on how to leverage this service in helping you safely enable Microsoft 365.&nbsp;</SPAN></P> </DIV> Thu, 27 May 2021 21:48:53 GMT dhshah 2021-05-27T21:48:53Z https://live.paloaltonetworks.com/t5/prisma-access-cloud-management/how-the-edl-hosting-service-helps-to-safely-enable-m365/ta-p/408765 <P>Check out how the newly introduced EDL Hosting service can help with safely enabling Microsoft 365 in your environment.</P> Thu, 27 May 2021 21:48:53 GMT https://live.paloaltonetworks.com/t5/prisma-access-cloud-management/how-the-edl-hosting-service-helps-to-safely-enable-m365/ta-p/408765 dhshah 2021-05-27T21:48:53Z https://live.paloaltonetworks.com/t5/prisma-access-cloud-management/how-the-edl-hosting-service-helps-to-safely-enable-m365/tac-p/1223791#M10 <P>is there any option to select US region specifically</P> <P>&nbsp;</P> Thu, 13 Mar 2025 17:17:51 GMT https://live.paloaltonetworks.com/t5/prisma-access-cloud-management/how-the-edl-hosting-service-helps-to-safely-enable-m365/tac-p/1223791#M10 spavanilatha 2025-03-13T17:17:51Z