Many SaaS applications, Microsoft 365 being a prominent example, publish a list of endpoints (IP ranges and domains) that firewall rules must allow in order for the service to function properly.
As part of our security best practices, we have always recommended that a security policy restrict access not only by App-ID (for example, ms-office365), but also by the application's destination endpoints (IPs and domains).
However, in some cases the endpoint list is dynamic: Microsoft updates its Microsoft 365 endpoints on a periodic basis.
Keeping up with those changes and updating policies accordingly is challenging, and it often leads administrators to configure the policy with a destination of "any", loosening access far beyond what the service actually needs.
Additionally, there are cases where you want to treat traffic to certain endpoints preferentially, for example bypassing SSL decryption for endpoints in the Optimize category, as Microsoft recommends here, or giving QoS priority to OneDrive endpoints.
Again, the challenge of keeping up with the changing endpoint list remains.
External Dynamic Lists
PAN-OS has long supported External Dynamic Lists (EDLs), which are tailor-made for such use cases. An EDL is a configurable object on PAN-OS that can be referenced in policies to represent a list of IP addresses (or URLs). The list membership is dynamic: at a configurable refresh frequency, PAN-OS fetches the list from the specified source URL and updates the object, and any policy that references the object picks up the new membership without a commit.
Now all we need is a source from which endpoint lists can be consumed.
Introducing the EDL Hosting Service
EDL Hosting Service is a globally available Palo Alto Networks-managed service that hosts curated lists which can be consumed by any Palo Alto Networks NGFW (including Prisma Access) in the form of EDLs. An admin only has to configure the EDL and point it to a source URL the EDL Hosting Service provides for the feed of interest. This is a one-time setup.
With the current release, the service hosts all Microsoft 365 endpoints, organized into categories you can easily scan and choose from based on what is relevant to you.
EDLs also support adding your own manual exceptions to these lists, so you retain full control over the effective membership.
The service keeps up with all updates from Microsoft and organizes the feeds into multiple lists by:
Region: Worldwide, Germany, 21Vianet (China), US Gov DoD, US Gov GCC-High
Service Area: Exchange Online, SharePoint and OneDrive, Skype and Teams, Any (includes all service areas)
Category: Optimize, Allow, Default, All (includes all three categories)
Type: IPv4, IPv6, URL
The EDLs stay updated automatically from the hosted feeds, and policies do not have to be touched once configured.
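To make the refresh behaviour concrete, the following is an added example (not PAN-OS code and not code from the EDL Hosting Service) that simulates what the firewall does with an IP-type EDL on each refresh: parse the fetched list one entry per line, drop malformed lines, remove manual exceptions, and compute which entries a referencing policy gains or loses compared to the previous refresh. The two feed snapshots are constructed for illustration and are not real Microsoft 365 ranges; the accepted entry forms (single address, CIDR prefix, first-last range, `#` comment lines) are this example's reading of the EDL IP-list format.

```python
"""Simulate an IP-type External Dynamic List (EDL) refresh cycle.

Added illustration, not PAN-OS or EDL Hosting Service code. The feed text
below is constructed sample data; it is not Microsoft 365 endpoint data.
"""
import ipaddress

# Constructed feed snapshot, version 1: one entry per line, '#' comments.
FEED_V1 = """# constructed sample feed, version 1 (documentation ranges only)
203.0.113.0/24
198.51.100.10
198.51.100.20-198.51.100.30
2001:db8::/32
"""

# Constructed snapshot, version 2: one host replaced, one prefix added,
# and one malformed line that a refresh must tolerate rather than fail on.
FEED_V2 = """# constructed sample feed, version 2
203.0.113.0/24
198.51.100.11
198.51.100.20-198.51.100.30
2001:db8::/32
192.0.2.0/28
203.0.113.999
"""


def parse_ip_feed(text):
    """Return (valid_entries, invalid_lines) for text in EDL IP-list form.

    Each non-blank, non-comment line is a single IPv4/IPv6 address, a CIDR
    prefix, or a first-last range. Entries are normalised (a bare address
    becomes a /32 or /128) so the same member written two ways compares equal.
    """
    valid, invalid = set(), []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            if "-" in line:
                first, last = (ipaddress.ip_address(p.strip()) for p in line.split("-", 1))
                if first.version != last.version or first > last:
                    raise ValueError("malformed range")
                valid.add(f"{first}-{last}")
            else:
                valid.add(str(ipaddress.ip_network(line, strict=False)))
        except ValueError:
            invalid.append(line)  # skipped, as a firewall would skip and log it
    return valid, invalid


def refresh_edl(feed_text, exceptions=()):
    """Build the effective membership after one refresh: parse the feed,
    drop invalid lines, then subtract the manual exceptions."""
    entries, invalid = parse_ip_feed(feed_text)
    excluded, _ = parse_ip_feed("\n".join(exceptions))
    return entries - excluded, invalid


def diff_memberships(old, new):
    """Entries a referencing policy gains and loses between two refreshes."""
    return sorted(new - old), sorted(old - new)


def matches(membership, ip):
    """True if ip falls inside any entry of the membership (policy match)."""
    addr = ipaddress.ip_address(ip)
    for entry in membership:
        if "-" in entry:
            first, last = (ipaddress.ip_address(p) for p in entry.split("-", 1))
            if first.version == addr.version and first <= addr <= last:
                return True
        elif addr in ipaddress.ip_network(entry):
            return True
    return False


if __name__ == "__main__":
    v1, _ = refresh_edl(FEED_V1)
    v2, bad = refresh_edl(FEED_V2, exceptions=["192.0.2.0/28"])
    added, removed = diff_memberships(v1, v2)
    print("added:", added)
    print("removed:", removed)
    print("skipped invalid lines:", bad)
    print("198.51.100.10 still allowed after refresh:", matches(v2, "198.51.100.10"))
```

Two points the simulation makes visible: a refresh silently drops a malformed line rather than rejecting the whole feed, so it is worth watching for skipped entries in the firewall's EDL logs, and a manual exception removes an entry from the effective membership even when the upstream feed keeps publishing it.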
You can refer to the documentation here for more details on how to leverage this service in helping you safely enable Microsoft 365.