Configure an External Dynamic List (EDL) for Software-as-a-Service
(SaaS) applications.
Some Software-as-a-Service (SaaS) providers publish lists of IP addresses
and URLs as destination endpoints for their SaaS applications. SaaS
providers frequently update these destination endpoint lists as support
grows and the service expands. To ensure connectivity to these critical
SaaS applications, you must either manually monitor the SaaS application
endpoints for changes and manually update your policy configuration, or
set up an external tool to monitor and update your EDLs.
Configure an EDL using the EDL Hosting Service maintained by Palo Alto
Networks to ease the operational burden of maintaining an EDL for a SaaS
application. The EDL Hosting Service provides publicly available Feed URLs
for SaaS application endpoints published by the SaaS application provider.
Leveraging a Feed URL as the source in an EDL allows for dynamic
enforcement of SaaS application traffic without the need for you to host
and maintain your own EDL source.
Palo Alto Networks checks the application Feed URLs published by SaaS providers on a daily basis
and optimizes the IP address information received from SaaS application providers in
order to reduce the number of IP addresses that are published in each EDL. This
optimization includes identifying and removing duplicate IP addresses and then
aggregating the remaining IP addresses into a smaller number of contiguous address
ranges.
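The following Python sketch is an added example, not Palo Alto Networks code, and it does not claim to reproduce the service's algorithm: it uses the standard library's ipaddress.collapse_addresses to show what deduplication and aggregation do to an IP list, and how to confirm that an aggregated list covers no addresses the provider did not publish. The sample feed, the "#" comment syntax, and all function names are assumptions made for the example.

```python
import ipaddress

# Constructed sample feed (documentation address ranges), not real provider data.
SAMPLE_FEED = """\
192.0.2.0/25
192.0.2.128/25
192.0.2.0/25        # exact duplicate
192.0.2.17          # host already inside a listed network
198.51.100.4/31
198.51.100.6/31
203.0.113.9
2001:db8::/33
2001:db8:8000::/33
"""

def parse_feed(text):
    """Return the set of networks in a one-entry-per-line feed."""
    nets = set()
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()  # "#" comments are an assumption
        if entry:
            # strict=True raises ValueError on host bits set, e.g. 10.0.0.1/24
            nets.add(ipaddress.ip_network(entry, strict=True))
    return nets

def optimize(nets):
    """Deduplicate and aggregate into the smallest list of CIDR blocks."""
    out = []
    for version in (4, 6):  # collapse_addresses rejects mixed families
        family = [n for n in nets if n.version == version]
        out.extend(ipaddress.collapse_addresses(family))
    return out

def widened_blocks(source, candidate):
    """Blocks of `candidate` that reach outside the address space of `source`."""
    allowed = optimize(source)
    return [
        block for block in optimize(candidate)
        if not any(a.version == block.version and block.subnet_of(a) for a in allowed)
    ]

def same_space(source, candidate):
    """True when both lists cover exactly the same addresses."""
    return optimize(source) == optimize(candidate)

if __name__ == "__main__":
    for net in optimize(parse_feed(SAMPLE_FEED)):
        print(net)
```

A non-empty result from widened_blocks means the aggregated list would match destinations that are absent from the source list, which matters when the EDL is used in an allow rule.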
Microsoft updates all Microsoft 365 Feed URLs at the end of each calendar
month and provides 30 days of advance notice before each update. See the
official Microsoft 365 Web Services page for more information.
Additionally, the endpoints for the Microsoft 365 Common and Office Online
SaaS application are always added to every Feed URL in the EDL Hosting
Service.