06-23-2020 09:58 AM
Hey guys,
As the title suggests: is it possible to use an EDL in a split-tunnel config? I'd like to be able to use MineMeld to grab Office 365 IPs & URLs.
Thanks in advance
09-27-2022 03:32 PM
Were you even able to create an EDL with that Zoom link? When I attempt to, I get 1 address of 0.0.0.0/32.
09-29-2022 11:56 AM
Unfortunately, using EDLs for split tunneling is not supported per previous threads.
06-25-2020 09:09 AM
Unfortunately, you cannot use EDLs in split tunneling. You can use address objects and address groups.
03-13-2022 01:47 AM
This should be added. I don't know if anyone has seen that Zoom and Office 365 now have autodiscover URLs for their source IP addresses, so maybe Palo Alto needs to include the use of External Dynamic Lists (EDL) in the GlobalProtect VPN split tunnel:
https://assets.zoom.us/docs/ipranges/Zoom.txt
10-12-2022 02:41 AM - edited 10-12-2022 07:13 AM
By "This should be added" I meant that it is not possible in the current software, but it seems to me like an easy fix via an RFE (https://live.paloaltonetworks.com/t5/blogs/how-to-use-palo-alto-networks-new-feature-request/ba-p/40... ) to Palo Alto, as Palo Alto has some premade EDL lists and they can feed the data after processing it through their EDL service for Office 365 (https://docs.paloaltonetworks.com/resources/edl-hosting-service ) as they already do ( https://live.paloaltonetworks.com/t5/blogs/edl-hosting-service-helps-to-safely-enable-microsoft-365/... ), or, as @dmuirhead mentioned, use MineMeld or MISP as a free solution; but as mentioned, as of now an EDL can't be used for split-tunnel. For Zoom you will need to do this using MineMeld/MISP, as it is not available as an EDL in the SaaS EDL service, but you can check with Palo Alto. Sorry for the misunderstanding; I admit I was not very clear 🙂
For now, split-tunnel based on application might have been a possible workaround if an agent was installed on the PC, but this is not the case with many (maybe a good option for the Zoom app, but not for web access or Office 365) https://docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/globalprotect-gateways/split... . Also, using wildcard domains may work, but if the Palo Alto resolves the destination domain to a different IP address using its own DNS resolution than the client's DNS resolution, as can happen with modern DNS systems, this can be an issue; maybe if the Palo Alto is the DNS proxy for the clients, if possible, this could make certain that the same DNS name is resolved to the same IP address. I had this issue in one company, and this is why we did not use domains with wildcards, but we never tested whether the issue still appears when the DNS proxy feature is used; it could be worth it https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFcCAK
Still, per Palo Alto's suggestion https://live.paloaltonetworks.com/t5/globalprotect-articles/globalprotect-optimizing-office-365-traf... an automation can be created that updates the firewalls using the REST API, or Palo Alto XSOAR could be tested to retrieve the list and feed it to the firewalls as an Address Object; as there is a trial community edition for XSOAR, it could be tested.
https://xsoar.pan.dev/docs/reference/integrations/panorama
https://start.paloaltonetworks.com/sign-up-for-community-edition.html
XSOAR can fetch the Zoom and Office 365 lists, format them and feed them to the firewalls!
https://xsoar.pan.dev/docs/reference/integrations/zoom-feed
https://xsoar.pan.dev/docs/reference/integrations/office-365-feed
XSOAR is the next MineMeld:
https://xsoar.pan.dev/docs/reference/articles/minemeld-migration
Also, Ansible or Terraform can be tested, as they are free and much better than a Python script: they will not change the config when the automation is triggered if there is no real change to the address list. Still, XSOAR will provide more options, especially for getting the feed lists and feeding them to the Palo Alto firewalls as EDL or Address objects (it can also feed URL/FQDN objects, but I think even the latest versions of PAN-OS can't use FQDN objects for split-tunnel):
https://ansible-pan.readthedocs.io/en/latest/modules/panos_address_object_module.html
https://registry.terraform.io/providers/PaloAltoNetworks/panos/latest/docs/resources/address_object
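The post above describes an automation that pulls a vendor IP list such as Zoom.txt, turns it into firewall address objects, and only pushes a change when the list really changed (the idempotency the poster credits to Ansible/Terraform). The following is an added example of that workflow, not code from Palo Alto Networks or from anyone in this thread. The feed text is a constructed sample in the one-network-per-line shape of Zoom.txt (including the 0.0.0.0/32 entry another poster saw from a failed EDL fetch), the `existing` dictionary stands in for address objects read from the firewall, and the REST JSON body shape is an assumption about the PAN-OS REST API rather than something the thread confirms; no network call is made.

```python
"""Build an idempotent address-object change set from an IP-range feed.

Added example for this thread, not Palo Alto Networks code and not from
any poster. Feed data and "existing" objects below are constructed;
the REST payload shape is an assumption about the PAN-OS REST API.
"""
import ipaddress

# Constructed sample in the one-network-per-line shape of Zoom.txt.
SAMPLE_FEED = """\
3.7.35.0/25
3.21.137.128/25
# comment lines and blanks must be ignored

0.0.0.0/32
2620:0:1a8::/48
not-an-address
"""


def parse_feed(text):
    """Return sorted, de-duplicated networks from a text feed.

    Empty lines, comments and unparseable lines are dropped. So is any
    network rooted at 0.0.0.0 or ::, which is what a failed fetch produced
    for one poster; turning it into an address object would be useless at
    best and, for 0.0.0.0/0, would exclude everything from the tunnel.
    """
    nets = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            continue  # junk line, skip rather than abort the whole run
        if net.network_address.is_unspecified:
            continue
        nets.add(net)
    return sorted(nets, key=lambda n: (n.version, int(n.network_address), n.prefixlen))


def object_name(prefix, net):
    """Deterministic address-object name, e.g. zoom-3.7.35.0-25.

    '/' and ':' are not usable in PAN-OS object names, so both are replaced;
    the same network always maps to the same name, which keeps re-runs stable.
    Names are capped at 63 characters (the PAN-OS limit).
    """
    return f"{prefix}-{str(net).replace('/', '-').replace(':', '_')}"[:63]


def plan_changes(prefix, desired_nets, existing):
    """Diff desired networks against existing {name: cidr} address objects.

    Only objects carrying our prefix are considered managed, so hand-made
    objects are never removed. Returns (to_add, to_remove); both are empty
    when nothing changed, so the caller can skip the push and commit.
    """
    desired = {object_name(prefix, n): str(n) for n in desired_nets}
    managed = {k: v for k, v in existing.items() if k.startswith(prefix + "-")}
    to_add = {k: v for k, v in desired.items() if managed.get(k) != v}
    to_remove = {k: v for k, v in managed.items() if k not in desired}
    return to_add, to_remove


def rest_entry(name, cidr, tag):
    """JSON body for one address object.

    Assumed PAN-OS REST API shape (JSON mirror of the XML config); verify
    against the API reference of the PAN-OS version in use before relying on it.
    """
    return {"entry": {"@name": name, "ip-netmask": cidr, "tag": {"member": [tag]}}}


if __name__ == "__main__":
    nets = parse_feed(SAMPLE_FEED)
    # Constructed stand-in for objects read back from the firewall.
    existing = {
        "zoom-3.7.35.0-25": "3.7.35.0/25",   # already correct, untouched
        "zoom-10.0.0.0-8": "10.0.0.0/8",     # stale managed object, removed
        "corp-dns": "10.1.1.1/32",           # not ours, never touched
    }
    to_add, to_remove = plan_changes("zoom", nets, existing)
    for name, cidr in to_add.items():
        print("ADD   ", rest_entry(name, cidr, "zoom-split-tunnel"))
    for name in to_remove:
        print("REMOVE", name)
    if not to_add and not to_remove:
        print("no change, skipping commit")
```

Running it prints two additions (the new IPv4 range and the IPv6 range) and one removal, leaving `corp-dns` alone; applying that plan and running again yields an empty plan, which is the point at which a real job should not touch the firewall or trigger a commit.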
03-27-2024 09:14 AM
EDL is not supported for GlobalProtect users; however, we can create an external resource stored on a web server for the end user's GlobalProtect to download and manage it like an EDL. Here's the documentation: https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/globalprotect-gateways/host...