This project provides a number of External Dynamic Lists (EDLs) for use by a Palo Alto Networks firewall. The following services are supported:
- Microsoft 365.
- Amazon Web Services (AWS).
- Zscaler.
- Google Cloud Platform (GCP).
- Polycom RealConnect.
- Okta.
The script uses a combination of public vendor APIs and DNS queries to return a list of IP addresses in the plain-text format an EDL expects.

The web server hosting it needs:
- PHP 7 (will probably work with PHP 5).
- The cURL module for PHP.
- Apache 2 with mod_rewrite.
- The ability to make outbound web requests (direct or via a proxy).
- The ability to resolve external FQDNs.
- Clone the repository and move it somewhere within the web server's document root.
- To have requests cached for 24 hours, make the `cache` directory writeable by the web server (e.g. `chown www-data cache && chmod 755 cache`; `www-data` is the Apache user on Debian/Ubuntu, use your distribution's equivalent). Without a writeable cache every firewall refresh triggers fresh outbound requests to the vendor APIs.
- If you need to use a proxy to connect to external resources from the web server, edit `functions.inc.php`, find the `CURLOPT_PROXY` and `CURLOPT_PROXYPORT` options, uncomment them and set them appropriately.
These instructions will work with a vanilla install of Ubuntu 21.04 Server:
- Install packages: `apt install apache2 libapache2-mod-php php-curl`
- Enable the Apache and PHP modules: `a2enmod rewrite php7.4 ; phpenmod curl` (21.04 ships PHP 7.4; on other releases use the module name matching the installed PHP version).
- Edit `/etc/apache2/sites-enabled/000-default.conf` and add to the VirtualHost stanza:

```apache
<Directory "/var/www/html">
    AllowOverride all
</Directory>
```

- Restart Apache: `systemctl restart apache2`
- Clone the repository into the document root: `cd /var/www/html && git clone https://github.com/david-ramsden/paloalto-edl.git`
- Enable caching and set the proxy, if required (see the `cache` directory and proxy notes above).
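The stanza above makes the lists available to anyone who can reach the web server. Since the only legitimate client is the firewall, a practitioner would normally restrict the `paloalto-edl` directory to the firewall's source address. The following is an added example, not part of the project's instructions; `203.0.113.10` is a placeholder for the address the firewall fetches EDLs from (by default its management interface, unless a service route for External Dynamic Lists is configured):

```apache
# Added example: keep the AllowOverride from the install steps on the
# document root, and additionally allow only the firewall to fetch the lists.
<Directory "/var/www/html">
    AllowOverride all
</Directory>

<Directory "/var/www/html/paloalto-edl">
    # 203.0.113.10 is a placeholder for the firewall's EDL source address.
    Require ip 203.0.113.10
</Directory>
```

Apache 2.4 syntax (`Require ip`) is assumed, which is what Ubuntu 21.04 ships. Restart Apache after the change and confirm with `curl` from the firewall's address that the list is still served, and from another host that it returns 403.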
Pull the latest code from the repository using `git pull`. This will pull in any new services that get added.
Create an External Dynamic List object on the firewall, where the source URL is: `http://your.server/paloalto-edl/<vendor>/<service>`

Note: With PAN-OS 8.1, a source URL using HTTPS was problematic. This was fixed in PAN-OS 9.0 and above, so on those releases prefer an HTTPS source URL with a certificate profile attached to the EDL, so the firewall verifies the server it is taking allow-list entries from; a plain HTTP source is neither authenticated nor integrity-protected.
| Vendor | Service Required | Services | Optional Parameters |
|---|---|---|---|
| `microsoft` | No (will return all services) | `common`, `exchange`, `sharepoint`, `skype` | |
| `aws` | No (will return all services) | Refer to services syntax. | `region=<region>` (refer to region syntax) |
| `gcp` | No | google cloud | `scope=<scope>` (region such as `us-central1`) |
| `zscaler` | Yes | `cenr`, `pac`, `hub` | `zscloud=<cloud>` (defaults to `zscloud.net`) |
| `polycom` | No (defaults to `global`) | `global`, `teams`, `sfb` | |
| `okta` | No (defaults to all groups) | Refer to groups. | |
- `/paloalto-edl/microsoft` will return all IPs and networks for Microsoft 365 services.
- `/paloalto-edl/microsoft/exchange` will return IPs and networks for the Microsoft 365 Exchange Online service.
- `/paloalto-edl/aws/ec2` will return all IPs and networks for AWS EC2 globally.
- `/paloalto-edl/aws/s3?region=eu-west-3` will return all IPs and networks for AWS S3 in the eu-west-3 region.
- `/paloalto-edl/gcp` will return all IPs and networks for GCP.
- `/paloalto-edl/gcp?scope=us-central1` will return all IPs and networks for GCP in the us-central1 region.
- `/paloalto-edl/zscaler/hub` will return IPs and networks for Zscaler (zscloud.net) Hub IPs.
- `/paloalto-edl/zscaler/cenr?zscloud=zscaler.net` will return IPs and networks for Zscaler (zscaler.net) CENR IPs.
- `/paloalto-edl/polycom/teams` will return IPs used for outbound calls to the Polycom RealConnect service for Microsoft Teams.
- `/paloalto-edl/okta/emea_cell_1` will return IPs used for Production EMEA 1.
- Requests for `microsoft` will only return IPv4 addresses. IPv6 is not requested, but this can be changed in the code if required.
- Requests for `aws` and `gcp` will only return IPv4 addresses.
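Before pointing a firewall at one of the URLs above it is worth checking what the endpoint actually returns: that every line parses as something a PAN-OS IP list accepts (a single address, a CIDR prefix or a hyphenated range), whether any IPv6 entries appear (relevant if the IPv4-only behaviour noted above is changed in the code), how many unique entries there are against your platform's EDL capacity, and whether the list contains duplicates or junk. The following validator is an added example and not part of the project; `SAMPLE_EDL` is constructed text in the shape of an EDL response, not real output from any of the vendors.

```python
"""Sanity-check the plain-text list an EDL endpoint returns.

Added example, not project code. Run stand-alone to check the constructed
sample, or pass a URL such as http://your.server/paloalto-edl/aws/s3 as the
first argument to check a live endpoint.
"""
import ipaddress
import sys
from collections import Counter

# Constructed sample in EDL shape (one entry per line): a duplicate prefix,
# an IPv6 prefix, a hyphenated range and one line of junk.
SAMPLE_EDL = """\
52.95.150.0/24
52.95.151.0/24
13.36.0.0/14
52.95.150.0/24
2a05:d000:0000::/40
198.51.100.10-198.51.100.20
not-an-address
"""


def classify_entry(entry):
    """Classify one EDL line.

    Returns (kind, canonical) where kind is "ipv4", "ipv6" or "invalid".
    Accepts the three forms a PAN-OS IP list takes: a single address, a CIDR
    prefix, or a start-end range whose ends are the same family and ordered.
    """
    if "-" in entry:
        start_s, _, end_s = entry.partition("-")
        try:
            start = ipaddress.ip_address(start_s.strip())
            end = ipaddress.ip_address(end_s.strip())
        except ValueError:
            return "invalid", entry
        if start.version != end.version or start > end:
            return "invalid", entry
        return f"ipv{start.version}", f"{start}-{end}"
    try:
        # strict=False normalises e.g. 2a05:d000:0000::/40 to 2a05:d000::/40
        # and turns a bare address into a /32 or /128.
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return "invalid", entry
    return f"ipv{net.version}", str(net)


def validate_edl(text, max_entries=None):
    """Parse EDL text and report on it.

    max_entries is the per-platform IP EDL capacity you look up for your
    firewall model (None skips that check). Returns a dict with per-family
    counts, invalid lines (with line numbers), duplicate entries, the number
    of unique valid entries, and whether that fits under max_entries.
    """
    counts = Counter()
    seen = Counter()
    invalid = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        kind, canonical = classify_entry(line)
        counts[kind] += 1
        if kind == "invalid":
            invalid.append((lineno, line))
        else:
            seen[canonical] += 1
    unique = len(seen)
    return {
        "ipv4": counts["ipv4"],
        "ipv6": counts["ipv6"],
        "invalid": invalid,
        "duplicates": sorted(e for e, n in seen.items() if n > 1),
        "unique_entries": unique,
        "within_limit": max_entries is None or unique <= max_entries,
    }


if __name__ == "__main__":
    if len(sys.argv) > 1:
        from urllib.request import urlopen
        with urlopen(sys.argv[1]) as resp:
            body = resp.read().decode("utf-8", errors="replace")
    else:
        body = SAMPLE_EDL
    report = validate_edl(body)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the sample this reports five IPv4 entries (the range counts as one), one IPv6 entry, line 7 as invalid, and `52.95.150.0/24` as a duplicate, with five unique entries. A non-empty `invalid` list or an unexpected IPv6 count against a live URL is the signal to look at the endpoint before the firewall starts consuming it.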
If you would like to add new vendors and services, please submit a Pull Request with the required code modifications or submit an Issue to make a request.