topic Re: Combining IP and URL EDL on Rules in General Topics

Combining IP and URL EDL on Rules

roryschmitz — Fri, 17 Oct 2025 20:02:41 GMT

Hello,

We're adding the Microsoft 365 EDLs from here: EDL Hosting Service. The goal is to allow access to all M365 IPs and URLs outbound.

What's best practice if I have two separate EDLs, one for IPs and one for URLs? I see that IP-based EDLs can be used in the Destination portion of the rule, and URLs appear to be only selectable in the Service/URL Category. Can we combine these onto one rule or would we require multiple?

Any advice would be appreciated.

Re: Combining IP and URL EDL on Rules

JayGolf — Fri, 17 Oct 2025 22:42:33 GMT

Hi @roryschmitz ,

Great question! Just a heads up, If you were to combine an IP EDL in the destination and a URL EDL in the URL category of a single rule, the traffic would need to match both the destination IP address from the IP EDL *AND* the URL from the URL EDL for that rule to be applied.

In your scenario, the best practice would be to create 2 separate Security Policies that reference the IP EDL and the URL/Domain. EDL.

Re: Combining IP and URL EDL on Rules

roryschmitz — Sat, 18 Oct 2025 00:43:38 GMT

Thanks for that! Is it preferable to also add the respective Palo applications to the rules as well (i.e. OneDrive, Microsoft-base, etc) to restrict it down or keep it more open by leaving it as application-default?

Re: Combining IP and URL EDL on Rules

runyons — Thu, 04 Dec 2025 14:07:12 GMT

Don't use "application-default" in a block rule. In a block rule, if you specify "application-default", then any traffic that is on off-ports will not be blocked. For this reason, the ports in the block rule must be set to "any" if your intent is to block all traffic. "application-default" is really meant for allow rules.

Re: Combining IP and URL EDL on Rules

roryschmitz — Mon, 08 Dec 2025 15:39:45 GMT

Thank you for the clarification on application-defaults and the rule types. Much appreciated.