Managing dynamic threat indicators across firewalls can be challenging—especially when you’re juggling multiple sources of threat intelligence. Palo Alto Networks simplifies this with its EDL Hosting Service, which provides curated, hosted lists of SaaS-related domains, URLs, and IPs that your firewalls can consume directly.
What is an External Dynamic List (EDL)?
An External Dynamic List (EDL) is a file containing IP addresses, domains, or URLs that your Palo Alto firewall can reference dynamically. These lists can be used in security policies to block or allow traffic based on external intelligence or specific needs.
Common use cases for EDLs include:
- Blocking known malicious IP addresses or domains
- Allowlisting cloud-based services like Microsoft 365 or Zoom
- Centralizing security policy enforcement across distributed environments
What is the EDL Hosting Service?
The EDL Hosting Service is a cloud-based platform provided by Palo Alto Networks that hosts and maintains curated EDLs for commonly used SaaS applications. Instead of creating and maintaining your own lists, you can subscribe your firewall to Palo Alto’s hosted URLs.
Key benefits include:
- No infrastructure needed — Palo Alto hosts the lists
- Delivered over HTTPS with certificate validation
- Regularly updated by Palo Alto
- Simple integration with PAN-OS firewalls
How It Works
Here’s how you can start using the EDL Hosting Service:
- Go to the official documentation: Palo Alto EDL Hosting Service Docs (https://docs.paloaltonetworks.com/resources/edl-hosting-service)
- Choose the SaaS application you want to allow or monitor (e.g., Microsoft 365)
- Copy the appropriate feed URL (domain, IP, or URL list)
- In your firewall, navigate to Objects > External Dynamic Lists
- Create a new EDL and paste the URL from the documentation
- Apply the EDL in your security policies to allow or block traffic
Example Use Case: Allowing Microsoft 365
Let’s say you only want to allow traffic to Microsoft 365 services. Instead of tracking domains manually, just grab the domain-based EDL from Palo Alto’s list and create a security rule that allows traffic to entries in that list.
Best Practices
- Use a certificate profile so the firewall validates the HTTPS source of each list
- Set the update frequency based on how often the list changes (e.g., daily)
- Use clear naming conventions like edl_ms365_domains
- Monitor logs to verify traffic matches expected EDL behavior
Security Considerations
- The lists are maintained by Palo Alto and served over HTTPS
- EDLs are read-only — you cannot upload custom lists to the EDL Hosting Service
- If you need to host your own custom EDLs, you’ll need to use an internal web server or cloud bucket (e.g., AWS S3)
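For the self-hosted case above, a pre-publish check on the list file catches mistakes before a firewall consumes them. This is an added example, not code from the original post or from Palo Alto Networks. The function names and sample entries are constructed, and it assumes one entry per line, a single entry type per list, and URL-list entries written without a scheme.

```python
import ipaddress
import re

# Hostname pattern; a leading "*." wildcard is accepted (assumption).
_DOMAIN = re.compile(
    r"^(\*\.)?([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)

def classify(entry):
    """Return 'ip', 'domain', 'url' or None for one EDL line."""
    lo, dash, hi = entry.partition("-")
    try:
        if dash:                                  # range: first-last
            ipaddress.ip_address(lo), ipaddress.ip_address(hi)
        else:                                     # single address or CIDR
            ipaddress.ip_network(entry, strict=False)
        return "ip"
    except ValueError:
        pass
    if _DOMAIN.match(entry):
        return "domain"
    host, slash, _ = entry.partition("/")
    if slash and "://" not in entry and _DOMAIN.match(host):
        return "url"                              # host/path, no scheme (assumption)
    return None

def lint_edl(text, kind):
    """Check list text against one kind; return (entries, problems)."""
    entries, problems, seen = [], [], set()
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        got = classify(line)
        if got is None:
            problems.append((n, "invalid", line))
        elif got != kind and not (kind == "url" and got == "domain"):
            problems.append((n, f"{got} entry in {kind} list", line))
        elif got == "ip" and line.endswith("/0"):
            problems.append((n, "matches every address", line))
        elif line.lower() in seen:
            problems.append((n, "duplicate", line))
        else:
            seen.add(line.lower())
            entries.append(line)
    return entries, problems

# Constructed sample of a domain list with three bad lines.
SAMPLE = "outlook.example.com\n*.sharepoint.example.com\n203.0.113.10\nhttps://login.example.com/\noutlook.example.com\n"
```

Calling `lint_edl(SAMPLE, "domain")` returns the two usable entries and reports lines 3, 4 and 5; publishing only when the problem list is empty keeps a stray `/0` or wrong-type entry out of an allow rule.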
Final Thoughts
With the EDL Hosting Service, Palo Alto makes it easier to implement dynamic access control using trusted, curated feeds. It’s a low-maintenance, high-impact way to keep your security posture up to date—especially when dealing with ever-changing SaaS environments.
Start here: https://docs.paloaltonetworks.com/resources/edl-hosting-service