EDL Hosting Service for public cloud providers


Hi,

Since any third party can spin up a service in a public cloud, does that mean that the subnets in https://docs.paloaltonetworks.com/resources/edl-hosting-service are shared between cloud customers and the cloud provider itself? Specifically, my question aims at Azure. I want to use the list, but how can I make sure that the subnet for, say, Azure Active Directory is only used by MS Azure and not XYZ corporate running their services on Azure?

Decryption is becoming a headache for us for a myriad of MS services running on Azure and elsewhere, but we don't want to open traffic to something that's not vetted.

Thanks


Hi @MehdiRashidi ,

I believe you don't understand the purpose of those lists.

Let me first clarify something: all of the lists available at the Palo EDL hosting service are publicly available from the vendors. What Palo is doing is consuming these lists, applying some filtering to them and, most importantly, formatting them in a way ready to be consumed by a Palo FW, so you don't have to do it yourself. For example, the AWS list is originally a JSON structure, with a tag for each service and region.

Now, these lists contain IP ranges used for different services. Take your example, Azure Active Directory: this is a service that Microsoft provides to its customers. Microsoft doesn't provide you information about which IP is being used by which customer (they cannot, and they never would). So if you create a rule using the EDL for Azure AD, it will allow traffic to the IP range that Azure is using for AD services for all its customers; there is no way to tell different Azure tenants apart using IP addresses only.
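As an added illustration of the reply above (editor's example code, not Palo Alto Networks' or AWS's, and not part of the original thread): the snippet takes a feed in the layout of AWS's ip-ranges.json, keeps only the prefixes tagged with the wanted service (and optionally region), collapses duplicate and adjacent networks, and emits one CIDR per line, which is the shape of work the EDL hosting service does for you. The feed is constructed from RFC 5737 / RFC 3849 documentation ranges, not real AWS prefixes. The tags_for helper makes the reply's point concrete: an address resolves to a service and a region, never to a customer.

```python
"""Flatten a service/region-tagged cloud IP feed into a firewall-ready EDL.

Editor's example, not Palo Alto Networks' or AWS's code.  SAMPLE_FEED is a
constructed feed in the layout of AWS's ip-ranges.json using documentation
address ranges only.
"""
import ipaddress
import json

# Constructed sample.  As in the real AWS feed, a prefix is commonly listed
# more than once: under the generic "AMAZON" tag and again under the specific
# service.  Nothing in the feed names a customer or tenant.
SAMPLE_FEED = json.dumps({
    "syncToken": "0",
    "createDate": "2024-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "192.0.2.0/25",    "region": "us-east-1", "service": "AMAZON"},
        {"ip_prefix": "192.0.2.0/25",    "region": "us-east-1", "service": "S3"},
        {"ip_prefix": "192.0.2.128/25",  "region": "us-east-1", "service": "S3"},
        {"ip_prefix": "198.51.100.0/24", "region": "eu-west-1", "service": "EC2"},
        {"ip_prefix": "203.0.113.0/24",  "region": "eu-west-1", "service": "AMAZON"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8:1::/48", "region": "us-east-1", "service": "S3"},
        {"ipv6_prefix": "2001:db8:2::/48", "region": "eu-west-1", "service": "EC2"},
    ],
})


def load_prefixes(feed_text):
    """Return (network, service, region) tuples for both address families."""
    feed = json.loads(feed_text)
    out = []
    for entry in feed.get("prefixes", []):
        out.append((ipaddress.ip_network(entry["ip_prefix"]),
                    entry["service"], entry["region"]))
    for entry in feed.get("ipv6_prefixes", []):
        out.append((ipaddress.ip_network(entry["ipv6_prefix"]),
                    entry["service"], entry["region"]))
    return out


def build_edl(prefixes, services, regions=None):
    """Filter by service tag (and optionally region), then dedupe and merge
    adjacent/overlapping networks so the resulting EDL stays small.
    IPv4 and IPv6 are collapsed separately; the stdlib refuses to mix them."""
    v4, v6 = [], []
    for net, service, region in prefixes:
        if service not in services:
            continue
        if regions is not None and region not in regions:
            continue
        (v4 if net.version == 4 else v6).append(net)
    collapsed = (list(ipaddress.collapse_addresses(v4))
                 + list(ipaddress.collapse_addresses(v6)))
    return [str(n) for n in collapsed]


def render_edl(cidrs):
    """PAN-OS IP-type EDL: one address or CIDR per line, nothing else."""
    return "\n".join(cidrs) + "\n"


def tags_for(prefixes, ip):
    """Service/region tags covering an address.  Note what is absent: the
    feed cannot say which customer is behind the address."""
    addr = ipaddress.ip_address(ip)
    return sorted({(service, region)
                   for net, service, region in prefixes if addr in net})


if __name__ == "__main__":
    pfx = load_prefixes(SAMPLE_FEED)
    print(render_edl(build_edl(pfx, {"S3"})), end="")
    print(tags_for(pfx, "192.0.2.10"))
```

With a real feed you would fetch the vendor's JSON on a schedule, write render_edl's output to a web server the firewall can reach, and reference that URL as the EDL; the firewall polls it and rebuilds the address object without a commit.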


As @aleksandar.astardzhiev mentioned, this is how it works, but you can lock the users to access only the allowed tenants, and this way you make certain that you only decrypt the traffic of your company, with HTTP header insertion:

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000POJACA4
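The accepted answer leans on header insertion without showing what is inserted. The block below is an editor's example, not Palo Alto Networks' or Microsoft's code and not from the linked KB article: it models the rewrite a decrypting firewall or proxy performs on a request to an Azure AD sign-in endpoint. The header names Restrict-Access-To-Tenants and Restrict-Access-Context are Microsoft's tenant-restrictions headers; the list of login hosts is taken from Microsoft's documentation and is an assumption about which endpoints your policy should cover; the tenant names, directory ID and the sample request are constructed. Two points the code makes explicit: the firewall can only insert headers into traffic it decrypts, so the login endpoints must be in a decrypt rule, and any Restrict-Access-* header the client itself sent is stripped before the firewall's own is added, so a user cannot pre-load a tenant of their choosing.

```python
"""Tenant restrictions by HTTP header insertion (editor's example).

Models a decrypting proxy/firewall rewriting a plaintext HTTP request.
Header names are Microsoft's tenant-restrictions headers; LOGIN_HOSTS is
assumed from Microsoft's documentation; tenants and IDs are constructed.
"""

# Azure AD sign-in endpoints that tenant restrictions apply to (assumption
# taken from Microsoft's tenant-restrictions documentation).
LOGIN_HOSTS = {"login.microsoftonline.com", "login.microsoft.com", "login.windows.net"}

# Headers the firewall owns.  Client-supplied copies are dropped, never merged.
RESTRICT_HEADERS = ("restrict-access-to-tenants", "restrict-access-context")


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (request line, [(name, value)], body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(b":")
        headers.append((name.strip().decode("latin-1"), value.strip().decode("latin-1")))
    return lines[0], headers, body


def host_of(headers):
    """Host header without port, lower-cased; None if absent."""
    for name, value in headers:
        if name.lower() == "host":
            return value.split(":")[0].strip().lower()
    return None


def insert_tenant_headers(raw, allowed_tenants, directory_id):
    """Return the request with tenant-restriction headers inserted when it is
    bound for an Azure AD login host; any other request is passed through
    byte-for-byte.  Pre-existing Restrict-Access-* headers from the client
    are removed so only the firewall's policy reaches Microsoft."""
    request_line, headers, body = parse_request(raw)
    if host_of(headers) not in LOGIN_HOSTS:
        return raw
    kept = [(n, v) for n, v in headers if n.lower() not in RESTRICT_HEADERS]
    kept.append(("Restrict-Access-To-Tenants", ",".join(allowed_tenants)))
    kept.append(("Restrict-Access-Context", directory_id))
    head = b"\r\n".join([request_line]
                        + [f"{n}: {v}".encode("latin-1") for n, v in kept])
    return head + b"\r\n\r\n" + body


def tenant_headers_of(raw):
    """Dict of the restriction headers present in a request (for checks/logs)."""
    _, headers, _ = parse_request(raw)
    return {n.lower(): v for n, v in headers if n.lower() in RESTRICT_HEADERS}


# Constructed sample: a sign-in request in which the client tries to smuggle
# its own tenant header; the firewall must replace it, not append to it.
SAMPLE_LOGIN_REQUEST = (
    b"GET /common/oauth2/v2.0/authorize?client_id=x HTTP/1.1\r\n"
    b"Host: login.microsoftonline.com\r\n"
    b"User-Agent: constructed-sample\r\n"
    b"Restrict-Access-To-Tenants: attacker.onmicrosoft.com\r\n"
    b"\r\n"
)
SAMPLE_OTHER_REQUEST = (
    b"GET / HTTP/1.1\r\nHost: example.com\r\nUser-Agent: constructed-sample\r\n\r\n"
)
ALLOWED_TENANTS = ["contoso.onmicrosoft.com", "contoso.com"]      # constructed
DIRECTORY_ID = "00000000-0000-0000-0000-000000000000"             # placeholder

if __name__ == "__main__":
    out = insert_tenant_headers(SAMPLE_LOGIN_REQUEST, ALLOWED_TENANTS, DIRECTORY_ID)
    print(out.decode("latin-1"))
    print(tenant_headers_of(out))
```

The same decision logic is what a firewall's HTTP header insertion profile applies, keyed on the decrypted session's host; keep the decrypt rule for the login hosts narrow so the insertion fires on every sign-in without widening decryption to the rest of Azure.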

 

Thank you. I thought MS kept separate IP ranges for their own services from the ones customers use on Azure.

I suppose this is the most sensible solution. Thank you!

Better limit the users as much as possible on the corporate computers, so that you do not have to monitor when they use their own services and not the corporate ones. For SSL decryption in the future you can consider solutions like Prisma Access, which autoscales, as this is something on-prem firewalls can't do, or the new Palo Alto firewalls with SSL optimization hardware.
