This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

EDL Hosting Service Helps to Safely Enable Microsoft 365

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

EDL Hosting Service Helps to Safely Enable Microsoft 365

MBhasin
L2 Linker
‎06-08-2021 09:46 AM

EDL-hosting_blog.png

Many SaaS Applications—Microsoft 365 being a great example—require that firewalls allow connectivity to certain endpoints in order for the services to function properly.  

 

As part of our security best practices, we have always recommended that a security policy should not only restrict access based on App-ID (for example, ms-office365), but also by the application’s destination endpoints (ip/domains).

 

However, the published list of endpoints is, in some cases, dynamic (Microsoft updates its M365 endpoints on a periodic basis).  Keeping up with the changes and updating your policies in accordance with that becomes challenging—which often leads to admins configuring the policy with a destination of “any,” loosening up the access.

 

In other cases, you may want to preferentially treat traffic headed to certain endpoints. This might be bypassing SSL decryption for Optimized endpoints (as Microsoft recommends here), or providing QoS priority to ‘OneDrive’ endpoints. Regardless, the challenge to keep up with the changing endpoint list remains. 

 

External Dynamic Lists

PAN-OS has always had support for External Dynamic Lists (EDLs) which are tailor-made for such use cases. EDLs are configurable objects on PAN-OS that can be referenced within policies to represent a list of IPs (or URLs). The list membership is dynamic and PAN-OS will, based on a configurable frequency, check for updates to the list from the specified source to keep the object updated. 

 

Now all we need is a “source” from which endpoint lists can be consumed.

 

Introducing the EDL Hosting Service

 

EDL Hosting Service is a globally available Palo Alto Networks-managed service that hosts curated lists, which can be consumed by any Palo Alto Networks NGFW (including Prisma Access) in the form of EDLs. An admin only has to configure the EDL and point it to a source URL the EDL Hosting Service provides for the feed of interest. This is a one-time setup.

 

With the current release, the service provides hosting for All Microsoft 365 endpoints organized into categories you can easily scan and choose from based on what’s relevant to you. EDLs also provide support for adding your custom exceptions to these lists and give you full control.

 

The service keeps up with all updates from Microsoft and categorizes feeds into multiple lists based on:

  • Region: Worldwide, Germany, 21 Vianet (China), US Gov DoD, US Gov GCC-High
  • Service Areas: Exchange Online, Sharepoint and OneDrive, Skype and Teams, Any (includes all service areas)
  • Category: Optimize, Allow, Default, All (includes all three categories)
  • Type: IPv4, IPv6, URL

 

External dynamic lists automatically updates, so that policies don't have to be touched once configured.


Want more info on how to leverage this service to help you safely enable Microsoft 365? Read more about Palo Alto Networks' EDL Hosting Service.

  • 22493 Views
  • 0 comments
  • 3 Likes
Register or Sign-in
Labels
Popular Blogs
Top Liked Authors
View All
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks