Many SaaS applications, Microsoft 365 being a prime example, require that firewalls allow connectivity to specific endpoints for the service to function properly.
As part of our security best practices, we have always recommended that a security policy should not only restrict access based on App-ID (for example, ms-office365), but also on the application's destination endpoints (IP addresses or domains).
However, the published list of endpoints is, in some cases, dynamic: Microsoft updates its M365 endpoints periodically. Keeping up with those changes and updating your policies accordingly becomes challenging, which often leads admins to configure the policy with a destination of "any," loosening access.
In other cases, you may want to treat traffic headed to certain endpoints preferentially. This might mean bypassing SSL decryption for Optimize-category endpoints (as Microsoft recommends here), or giving QoS priority to OneDrive endpoints. Either way, the challenge of keeping up with the changing endpoint list remains.
External Dynamic Lists
PAN-OS has long supported External Dynamic Lists (EDLs), which are tailor-made for such use cases. An EDL is a configurable object on PAN-OS that can be referenced in policies to represent a list of IP addresses (or URLs). List membership is dynamic: at a configurable refresh interval, PAN-OS fetches the list from the specified source and updates the object with any changes.
Now all we need is a “source” from which endpoint lists can be consumed.
Introducing the EDL Hosting Service
EDL Hosting Service is a globally available, Palo Alto Networks-managed service that hosts curated lists, which any Palo Alto Networks NGFW (including Prisma Access) can consume in the form of EDLs. An admin only has to configure the EDL and point it to the source URL the EDL Hosting Service provides for the feed of interest. This is a one-time setup.
With the current release, the service hosts all Microsoft 365 endpoints, organized into categories you can easily scan and choose from based on what's relevant to you. EDLs also let you add your own custom exceptions to these lists, giving you full control.
The service keeps up with all updates from Microsoft and organizes the feeds into multiple lists by:
Region: Worldwide, Germany, 21 Vianet (China), US Gov DoD, US Gov GCC-High
Service Areas: Exchange Online, SharePoint and OneDrive, Skype and Teams, Any (includes all service areas)
Category: Optimize, Allow, Default, All (includes all three categories)
Type: IPv4, IPv6, URL
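To make the Region / Service Area / Category / Type organization above concrete, here is an added example (not Palo Alto Networks' or Microsoft's code, and not the EDL Hosting Service implementation) that takes endpoint records in the JSON shape Microsoft's endpoint web service publishes (fields such as serviceArea, category, ips and urls; the exact field set is an assumption here) and renders them into the one-entry-per-line text that an EDL consumes. The records embedded below are constructed sample data for a single region using documentation address ranges, not Microsoft's real endpoints. It also shows where a custom exception list would subtract entries before the feed is handed to the firewall.

```python
import ipaddress
import json
from collections import defaultdict

# Constructed sample, modelled on the record layout of Microsoft's endpoint
# web service (assumed fields: id, serviceArea, category, required, ips, urls).
# Addresses are RFC 5737 / RFC 3849 documentation ranges, not real endpoints.
SAMPLE_ENDPOINTS_JSON = """
[
  {"id": 1, "serviceArea": "Exchange", "category": "Optimize", "required": true,
   "urls": ["outlook.example.test"],
   "ips": ["203.0.113.0/24", "2001:db8:1::/48"]},
  {"id": 2, "serviceArea": "SharePoint", "category": "Optimize", "required": true,
   "urls": ["*.sharepoint.example.test"],
   "ips": ["198.51.100.0/25"]},
  {"id": 3, "serviceArea": "Skype", "category": "Allow", "required": true,
   "urls": ["teams.example.test"],
   "ips": ["192.0.2.0/24", "2001:db8:2::/48"]},
  {"id": 4, "serviceArea": "Common", "category": "Default", "required": false,
   "urls": ["cdn.example.test"]}
]
"""

CATEGORIES = ("Optimize", "Allow", "Default")
EDL_TYPES = ("IPv4", "IPv6", "URL")


def classify_ip(entry):
    """Map a CIDR string onto the EDL type it belongs in (IPv4 or IPv6)."""
    net = ipaddress.ip_network(entry, strict=False)
    return "IPv4" if net.version == 4 else "IPv6"


def build_feeds(endpoint_records):
    """Index every address and URL by (service area, category, EDL type).

    This is the split the page describes: one list per service area,
    per Microsoft category, per address type.
    """
    feeds = defaultdict(set)
    for rec in endpoint_records:
        area, cat = rec["serviceArea"], rec["category"]
        if cat not in CATEGORIES:
            raise ValueError(f"unexpected category {cat!r} in record {rec.get('id')}")
        for ip in rec.get("ips", []):
            feeds[(area, cat, classify_ip(ip))].add(ip)
        for url in rec.get("urls", []):
            feeds[(area, cat, "URL")].add(url)
    return feeds


def render_edl(feeds, service_area="Any", category="All", edl_type="IPv4",
               exceptions=()):
    """Return the sorted entries for one EDL feed.

    service_area "Any" and category "All" are the catch-all lists named on
    the page. Entries in `exceptions` are removed, mirroring the custom
    exceptions an admin can apply to a hosted list.
    """
    if edl_type not in EDL_TYPES:
        raise ValueError(f"unknown EDL type {edl_type!r}")
    entries = set()
    for (area, cat, typ), members in feeds.items():
        if typ != edl_type:
            continue
        if service_area != "Any" and area != service_area:
            continue
        if category != "All" and cat != category:
            continue
        entries |= members
    entries -= set(exceptions)
    return sorted(entries)


def load_sample_feeds():
    """Parse the constructed sample into the per-feed index."""
    return build_feeds(json.loads(SAMPLE_ENDPOINTS_JSON))


if __name__ == "__main__":
    feeds = load_sample_feeds()
    # Print the "Any / Optimize / IPv4" feed exactly as an EDL would ingest it.
    print("\n".join(render_edl(feeds, "Any", "Optimize", "IPv4")))
```

In production you would point the firewall's EDL object at the URL the EDL Hosting Service publishes rather than generating the text yourself; the script is only meant to show how the raw endpoint data maps onto the list dimensions above, and that the exception step runs before the firewall ever sees the feed.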
External dynamic lists update automatically, so policies don't have to be touched once configured.
Want more info on how to leverage this service to help you safely enable Microsoft 365? Read more about Palo Alto Networks' EDL Hosting Service.