EDL Hosting Service for public cloud providers

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

EDL Hosting Service for public cloud providers

L1 Bithead

Hi,

 

Since any third party can spin up a service in a public cloud, does that mean that subnets in https://docs.paloaltonetworks.com/resources/edl-hosting-service is shared between cloud customers and the cloud provider itself? Specifically, my question aims at Azure. I want to use the list, but how can I make sure that the subnet for say Azure Active Directory is only used by MS Azure and not XYZ corporate running their services on Azure?

 

Decryption is becoming a headache for us for a myriad of MS services running on Azure and elsewhere, but we don't want to open traffic to something that's not vetted.

 

Thanks

1 accepted solution

Accepted Solutions

L6 Presenter

As @aleksandar.astardzhiev  mentioned this is how it works but you can lock the users to access only the allowed tenants and this way you make certain that you only decrypt the traffic of your company with HTTP header insetion:

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000POJACA4

 

View solution in original post

5 REPLIES 5

Hi @MehdiRashidi ,

 

I believe you don't understand the purpose of those lists.

Let me first clarify something - all of the lists available at Palo EDL hosting services are publicly available from the vendors. That Palo is doing it consume these lists, apply some filtering on them and most importantly format them in a way ready to be consumed by Palo FW. So you don't have to do it your self - for example AWS list is originally a JSON structure, with tag for each service and region.

 

Now these lists contains IP ranges used for different services. From your example Azure Active Directory - this is service that Microsoft provide to their customers. Microsoft doesn't provide you information which IP by which customer is being used (they cannot and they will never would). So if you create rule using EDL for Azure AD, it will allow traffic to the IP range that Azure is using for AD services for all its customers - there is no way to make difference between different Azure tenants using IP addresses only.

L6 Presenter

As @aleksandar.astardzhiev  mentioned this is how it works but you can lock the users to access only the allowed tenants and this way you make certain that you only decrypt the traffic of your company with HTTP header insetion:

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000POJACA4

 

Thank you. I thought MS keeps separate IP ranges for their own services from then ones customers using on Azure

I suppose this is the most sensible solution. Thank you!

Better limit the users as much as possible on the corporate computers, so that you do not have monitor when they use their own services and not the corporate ones. For SSL decryption in the future you can consider solutions like Prisma Access that autoscales as this is something that on-prem firewalls can't do or the new Palo Alto firewalls with a SSL optimization hardware.

  • 1 accepted solution
  • 5517 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!