
Is it possible to use an EDL in GW split tunnel config?


L0 Member

Hey guys,

 

As the title suggests: is it possible to use an EDL in a split-tunnel config? I'd like to be able to use MineMeld to grab Office 365 IPs & URLs.

 

Thanks in advance


L2 Linker

Unfortunately, you cannot use EDLs in split tunneling. You can use address objects and address groups. 

 

 

L6 Presenter

This should be added, as I don't know if anyone has seen that Zoom and Office 365 now have autodiscover URLs for the source IP addresses, and maybe Palo Alto may need to include the use of External Dynamic Lists (EDL) in the GlobalProtect VPN split tunnel:

 

https://assets.zoom.us/docs/ipranges/Zoom.txt

 

 

Were you even able to create an EDL with that Zoom link? When I attempt to, I get one address of 0.0.0.0/32.

 

Unfortunately, using EDLs for split tunneling is not supported per previous threads.

https://live.paloaltonetworks.com/t5/general-topics/dynamically-update-microsoft-office-urls-and-ips...

By "This should be added" I meant that it is not possible in the current software, but it seems to me like an easy fix with an RFE (https://live.paloaltonetworks.com/t5/blogs/how-to-use-palo-alto-networks-new-feature-request/ba-p/40... ) to Palo Alto, as Palo Alto has some pre-made EDL lists and they can feed the data, after processing it through their EDL service, for Office 365 (https://docs.paloaltonetworks.com/resources/edl-hosting-service ), as they already do ( https://live.paloaltonetworks.com/t5/blogs/edl-hosting-service-helps-to-safely-enable-microsoft-365/... ), or, as @dmuirhead mentioned, use MineMeld or MISP as a free solution. But, as mentioned, as of now EDLs can't be used for split tunnel. For Zoom you will need to do this using MineMeld/MISP, as it is not available as an EDL in the SaaS EDL service, but you can check with Palo Alto. Sorry for the misunderstanding, as I admit I was not very clear 🙂

 

For now, split tunnel based on application could have been a possible workaround if an agent was installed on the PC, but this is not the case with many (maybe a good option for the Zoom app, but not for web access or Office 365): https://docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/globalprotect-gateways/split... . Also, using wildcard domains may work, but then, if the Palo Alto resolves the destination domain to a different IP address using its own DNS resolution than the client's DNS resolution, as can happen with modern DNS systems, this can be an issue. Maybe if the Palo Alto is the DNS proxy for the clients, if possible, this could make certain that the same DNS name resolves to the same IP address. I had this issue in one company, and this is why we did not use domains with wildcards, but we never tested whether the issue is still seen if the DNS proxy feature is used. It could be worth it: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFcCAK

 

 

Still, as per Palo Alto's suggestion https://live.paloaltonetworks.com/t5/globalprotect-articles/globalprotect-optimizing-office-365-traf... an automation can be created that updates the firewalls using the REST API, or Palo Alto XSOAR could be tested to retrieve the list and feed it to the firewalls as address objects; as there is a trial Community Edition for XSOAR, it could be tested.

 

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-panorama-api/get-started-with-the-pan-os-rest-ap...

 

https://xsoar.pan.dev/docs/reference/integrations/panorama

 

https://start.paloaltonetworks.com/sign-up-for-community-edition.html

 

XSOAR can fetch the Zoom and Office 365 lists, format them, and feed them to the firewalls!

 

https://xsoar.pan.dev/docs/reference/integrations/zoom-feed

 

https://xsoar.pan.dev/docs/reference/integrations/office-365-feed

 

XSOAR is the next MineMeld:

 

https://xsoar.pan.dev/docs/reference/articles/minemeld-migration

 

 

 

Also, Ansible or Terraform can be tested, as they are free and much better than a Python script, because they will not change the config when the automation is triggered if there is no real change to the address list. Still, XSOAR will provide more options, especially for getting the feed lists and feeding them to the Palo Alto firewalls as EDLs or address objects (it can also feed URL/FQDN objects, but I think even the latest versions of PAN-OS can't use FQDN objects for split tunnel):

 

https://ansible-pan.readthedocs.io/en/latest/modules/panos_address_object_module.html

 

https://registry.terraform.io/providers/PaloAltoNetworks/panos/latest/docs/resources/address_object
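The automation path described in the post above (fetch the SaaS IP feeds, turn them into address objects and an address group for the split-tunnel include list, and push only the delta so a re-run with an unchanged feed makes no config change) as an added example; this is not code from the thread, from Palo Alto Networks, or from the XSOAR/Ansible/Terraform integrations linked above. The feed contents are constructed samples so it runs offline; the object prefix, the group name, and the exact URL and JSON layout of the PAN-OS 9.1 REST calls are assumptions to check against the REST API documentation linked in the post before use:

```python
"""Turn SaaS IP feeds into PAN-OS address objects for a GlobalProtect split-tunnel
include list, pushing only the delta so repeat runs are no-ops (added example).
Feed contents below are constructed samples so the script runs offline."""
import ipaddress
import json
import urllib.request

# Constructed sample in the shape of Zoom.txt (one CIDR per line); contains junk and a duplicate.
SAMPLE_ZOOM_TXT = """\
3.7.35.0/25
3.21.137.128/25
3.22.11.0/24
not-an-address
3.7.35.0/25
"""

# Constructed sample in the shape of the Office 365 endpoints JSON; only the keys used here.
SAMPLE_O365_JSON = json.dumps([
    {"id": 1, "serviceArea": "Exchange", "category": "Optimize",
     "ips": ["13.107.6.152/31", "13.107.18.10/31", "2603:1006::/40"]},
    {"id": 2, "serviceArea": "SharePoint", "category": "Optimize",
     "ips": ["13.107.136.0/22", "40.108.128.0/17"]},
    {"id": 3, "serviceArea": "Skype", "category": "Default", "ips": ["13.107.64.0/18"]},
])

OBJECT_PREFIX = "gp-st"             # hypothetical naming convention for generated objects
GROUP_NAME = "GP-SplitTunnel-SaaS"  # hypothetical address group referenced by the include list


def parse_zoom_txt(text):
    """One CIDR per line; skip blanks, comments and anything that is not a network."""
    nets = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            nets.add(ipaddress.ip_network(line, strict=False))
        except ValueError:
            pass  # junk lines must not poison the list
    return nets


def parse_o365_json(text, categories=("Optimize",)):
    """Keep the 'ips' of entries in the wanted categories (Optimize by default)."""
    nets = set()
    for entry in json.loads(text):
        if entry.get("category") in categories:
            for cidr in entry.get("ips", []):
                nets.add(ipaddress.ip_network(cidr, strict=False))
    return nets


def filter_usable(nets, allow_ipv6=False):
    """Drop prefixes that must never land in a split-tunnel include list: /0,
    0.0.0.0-style placeholders, RFC1918, loopback, link-local and (by default) IPv6."""
    keep = set()
    for n in nets:
        if n.version == 6 and not allow_ipv6:
            continue
        if n.prefixlen == 0 or n.is_unspecified or n.is_private or n.is_loopback or n.is_link_local:
            continue
        keep.add(n)
    return keep


def object_name(net):
    # PAN-OS object names allow letters, digits, '-', '_' and '.'; keep within 63 characters.
    return f"{OBJECT_PREFIX}_{net.with_prefixlen}".replace("/", "_").replace(":", "-")[:63]


def desired_objects(nets):
    """name -> address-object entry (JSON shape assumed for the PAN-OS 9.1 REST API)."""
    return {object_name(n): {"@name": object_name(n), "ip-netmask": n.with_prefixlen,
                             "tag": {"member": [OBJECT_PREFIX]}} for n in nets}


def plan(current_names, desired):
    """Only the delta is pushed, so an unchanged feed produces no config change."""
    to_add = {k: v for k, v in desired.items() if k not in current_names}
    to_delete = sorted(k for k in current_names if k not in desired)
    return to_add, to_delete


def rest_calls(base_url, vsys, to_add, to_delete, desired):
    """Render (method, url, body) tuples. Order matters: create objects, re-point the group,
    then delete stale objects (deleting a referenced object fails). PUT assumes the group exists."""
    ep = f"{base_url}/restapi/v9.1/Objects/Addresses?location=vsys&vsys={vsys}&name="
    calls = [("POST", ep + n, {"entry": e}) for n, e in sorted(to_add.items())]
    grp = f"{base_url}/restapi/v9.1/Objects/AddressGroups?location=vsys&vsys={vsys}&name={GROUP_NAME}"
    calls.append(("PUT", grp, {"entry": {"@name": GROUP_NAME, "static": {"member": sorted(desired)}}}))
    calls += [("DELETE", ep + n, None) for n in to_delete]
    return calls


def send(calls, api_key):
    """Execute the calls against a real firewall (not invoked in this offline demo); commit afterwards."""
    for method, url, body in calls:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method,
                                     headers={"X-PAN-KEY": api_key, "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            resp.read()


def build(zoom_txt, o365_json, current_names):
    nets = filter_usable(parse_zoom_txt(zoom_txt) | parse_o365_json(o365_json))
    desired = desired_objects(nets)
    to_add, to_delete = plan(current_names, desired)
    return desired, to_add, to_delete


if __name__ == "__main__":
    # Pretend the firewall currently holds one stale generated object.
    desired, to_add, to_delete = build(SAMPLE_ZOOM_TXT, SAMPLE_O365_JSON, {"gp-st_1.2.3.0_24"})
    for method, url, _ in rest_calls("https://fw.example.net", "vsys1", to_add, to_delete, desired):
        print(method, url)
```

In production, `current_names` would come from a GET on the same Addresses endpoint filtered by the tag, and a commit follows the pushes. The `filter_usable` step is the important guard: a feed that fails to download or parse must never end up as `0.0.0.0/0` or a stray placeholder in an include list, because that silently changes which traffic bypasses the tunnel.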

 

L2 Linker

EDLs are not supported for GlobalProtect users; however, we can create an external resource stored on a web server and have the end user's GlobalProtect download it and manage it like an EDL. Here's the documentation: https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/globalprotect-gateways/host...

Senior Network Security Engineer
PCNSE | CCNP | JNCIP