https://live.paloaltonetworks.com/t5/general-topics/external-dynamic-lists-requires-quot-google-app-engine-quot/m-p/148828#M49655 <P>Greetings</P><P>&nbsp;</P><P>On PAN-OS 7.1.8 configuring EDL is giving some unexpected results -</P><P>&nbsp;</P><P>I have an application based security policie set for my PA management IP addresses to fetch the updates i.e. "paloalto-updates, widlfire, pan-db-cloud, ssl and web-browsing" with service set to application default. &nbsp;No profile actions set to block.</P><P>&nbsp;</P><P>After populating the EDL with the lists from&nbsp;<A href="http://panwdbl.appspot.com" target="_blank">http://panwdbl.appspot.com</A>, I went on to one of the added lists and tried "Test Source URL" and the return message was <STRONG>"URL access error"</STRONG>.</P><P>&nbsp;</P><P>As a test,</P><P>&nbsp;</P><P>- Set the service route configuration to use my external interface - <STRONG>"URL access error"</STRONG></P><P>&nbsp;</P><P>- Then created an open policy for the management IP addresses with "any" "any" and the test source URL works returning <STRONG>"source URL is accessbile"</STRONG>.</P><P>&nbsp;</P><P>Looking at the logs, I noticed the session to start on web-browsing and then move to "google-app-engine" when contacting 216.58.198.244 (panwdbl.appspot.com/lists).</P><P>&nbsp;</P><P>So deleted my wide open policy and amended the application based policy by adding "google-app-engine", set my service route back to use the management interface. &nbsp;Commit the configuration and <STRONG><FONT color="#008000">it works</FONT>. &nbsp;</STRONG>Google-app-engine's default ports are TCP 443 and 80</P><P>&nbsp;</P><P>Looking in to the logs, it uses "google-app-engine" to speak to the website -<STRONG> is this expected behaviour?</STRONG></P><P>I find this to be abnormal unless I have missed a very basic point somewhere.</P><P>&nbsp;</P><P>Any ideas / thoughts will be helpful.</P><P>&nbsp;</P><P>Thanks</P><P>KP</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 22 Mar 2017 12:49:38 GMT kalyanram.piratla 2017-03-22T12:49:38Z https://live.paloaltonetworks.com/t5/general-topics/external-dynamic-lists-requires-quot-google-app-engine-quot/m-p/148828#M49655 <P>Greetings</P><P>&nbsp;</P><P>On PAN-OS 7.1.8 configuring EDL is giving some unexpected results -</P><P>&nbsp;</P><P>I have an application based security policie set for my PA management IP addresses to fetch the updates i.e. "paloalto-updates, widlfire, pan-db-cloud, ssl and web-browsing" with service set to application default. &nbsp;No profile actions set to block.</P><P>&nbsp;</P><P>After populating the EDL with the lists from&nbsp;<A href="http://panwdbl.appspot.com" target="_blank">http://panwdbl.appspot.com</A>, I went on to one of the added lists and tried "Test Source URL" and the return message was <STRONG>"URL access error"</STRONG>.</P><P>&nbsp;</P><P>As a test,</P><P>&nbsp;</P><P>- Set the service route configuration to use my external interface - <STRONG>"URL access error"</STRONG></P><P>&nbsp;</P><P>- Then created an open policy for the management IP addresses with "any" "any" and the test source URL works returning <STRONG>"source URL is accessbile"</STRONG>.</P><P>&nbsp;</P><P>Looking at the logs, I noticed the session to start on web-browsing and then move to "google-app-engine" when contacting 216.58.198.244 (panwdbl.appspot.com/lists).</P><P>&nbsp;</P><P>So deleted my wide open policy and amended the application based policy by adding "google-app-engine", set my service route back to use the management interface. &nbsp;Commit the configuration and <STRONG><FONT color="#008000">it works</FONT>. &nbsp;</STRONG>Google-app-engine's default ports are TCP 443 and 80</P><P>&nbsp;</P><P>Looking in to the logs, it uses "google-app-engine" to speak to the website -<STRONG> is this expected behaviour?</STRONG></P><P>I find this to be abnormal unless I have missed a very basic point somewhere.</P><P>&nbsp;</P><P>Any ideas / thoughts will be helpful.</P><P>&nbsp;</P><P>Thanks</P><P>KP</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 22 Mar 2017 12:49:38 GMT https://live.paloaltonetworks.com/t5/general-topics/external-dynamic-lists-requires-quot-google-app-engine-quot/m-p/148828#M49655 kalyanram.piratla 2017-03-22T12:49:38Z https://live.paloaltonetworks.com/t5/general-topics/external-dynamic-lists-requires-quot-google-app-engine-quot/m-p/148834#M49659 <P>"<SPAN>Google App Engine is a platform for developing and hosting web applications in Google-managed data centers."</SPAN></P><P>&nbsp;</P><P><SPAN>This is to be expected as that is what the website is built upon. I'm not positive if it's supposed to hit that app id but looking through my logs I can see that plenty of my users get the same ID when accessing websites hosted on the platform.&nbsp;</SPAN></P> Wed, 22 Mar 2017 13:20:04 GMT https://live.paloaltonetworks.com/t5/general-topics/external-dynamic-lists-requires-quot-google-app-engine-quot/m-p/148834#M49659 BPry 2017-03-22T13:20:04Z