How the EDL Hosting Service Helps to Safely Enable M365

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
L3 Networker
No ratings

Many SaaS Applications, Microsoft 365 being one great example, publish a list of endpoints that firewall rules must allow connectivity to in order for the services to function properly.  

 

As part of our security best practices, we have always recommended that a security policy should not only restrict access based on App-ID (for example, ms-office365), but also by the application’s destination endpoints (ip/domains).

 

However, the endpoint list in some cases is dynamic ( Microsoft updates its M365 endpoints on a periodic basis). 

Keeping up with the changes and updating your policies in accordance with that becomes challenging. And that often leads to administrators configuring the policy with a destination of “any” and loosening up the access.

 

Additionally, there might be  cases where you want to preferentially treat traffic going to certain endpoints. Examples would be bypassing SSL decryption for Optimized endpoints as Microsoft recommends here or providing QoS priority to ‘OneDrive’ endpoints.

Again, the challenge to keep up with the changing endpoint list remains. 

 

External Dynamic Lists

PAN-OS has always had support for External Dynamic Lists (EDLs) which are tailor-made for such use cases. EDLs are configurable objects on PAN-OS that can be referenced within policies to represent a list of IPs (or URLs). The list membership is dynamic and PAN-OS will, based on a configurable frequency, check for updates to the list from the specified source to keep the object updated. 

 

Now all we need is a “source” from which endpoint lists can be consumed.

 

Introducing the EDL Hosting Service

 

EDL Hosting Service is a globally available Palo Alto Networks-managed service that hosts  curated lists which can be consumed by any Palo Alto Networks NGFW (including Prisma Access) in the form of EDLs. An admin only has to configure the EDL and point it to a source URL the EDL Hosting Service provides for the feed of interest. This is a one-time setup.

 

With the current release, the service provides hosting for All Microsoft 365 endpoints organized into categories you can easily scan and choose from based on what’s relevant to you.

EDLs also provide support for adding your custom exceptions to these lists and give you full control.

 

The service keeps up with all updates from Microsoft and categorizes the feeds into multiple lists based on either the:

  • Region: Worldwide, Germany, 21 Vianet (China), US Gov DoD, US Gov GCC-High
  • Service Areas: Exchange Online, Sharepoint and OneDrive, Skype and Teams, Any (includes all service areas)
  • Category: Optimize, Allow, Default, All (includes all three categories)
  • Type: IPv4, IPv6, URL

 

The EDLs automatically stay updated from the hosted feeds,and policies do not have to be touched once configured.

 

You can refer to the documentation here for more details on how to leverage this service in helping you safely enable Microsoft 365. 

Rate this article:
  • 5113 Views
  • 0 comments
  • 1 Likes
Register or Sign-in
Contributors
Article Dashboard
Version history
Last Updated:
‎05-27-2021 02:48 PM
Updated by: