Prisma Access: End-user traffic does not match the configured security policy that references an EDL
Created On 12/02/22 00:15 AM - Last Modified 09/11/24 01:33 AM
Symptom
- A custom EDL or a Palo Alto Networks hosted EDL is configured, or SaaS Application Management is enabled.
- End-user connections do not match the configured security policy that references the EDL.
Environment
- Panorama managed Prisma Access
- Cloud managed Prisma Access
- Custom External Dynamic List (EDL)
Cause
- The EDL entries are never downloaded, so the list is empty and no session can match a rule that references it.
- Prisma Access nodes initiate the download themselves: the connection to the configured EDL URL is sourced from the loopback interface of each node.
- That fetch is subject to security policy like any other session, so a rule is required that allows the connection from trust (loopback interface) to untrust (Internet).
Resolution
- Configure a security policy rule with the following settings in the Mobile Users (MU) or Remote Network (RN) Device Group:
- source zone - trust
- source address - infrastructure subnet
- destination zone - untrust
- destination address - the EDL host (FQDN from the EDL URL) or the EDL IP address
- application - web-browsing or ssl (depending on whether the EDL hosting service serves the list over HTTP or HTTPS)
- service - application-default
- action - allow
- profile setting - apply the appropriate security profile
- Commit and push the changes.
- Once the EDL entries have been downloaded, end-user traffic matches the security policy that references the EDL.
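The rule above expressed as Panorama CLI set commands, as an added example that is not part of the original article. The device-group name (Mobile_User_Device_Group), the infrastructure subnet (172.16.55.0/24), the EDL host (edl.example.com), the rule name and the profile-group name are placeholders; substitute the values from your own deployment. Both web-browsing and ssl are listed so the same rule covers an HTTP or HTTPS hosted list; application-default keeps the rule on tcp/80 and tcp/443 only.

```text
# Address objects for the rule (placeholder values).
set device-group Mobile_User_Device_Group address Infra-Subnet ip-netmask 172.16.55.0/24
set device-group Mobile_User_Device_Group address EDL-Host fqdn edl.example.com

# Allow the EDL fetch sourced from the node loopback (trust) out to the Internet (untrust).
set device-group Mobile_User_Device_Group pre-rulebase security rules Allow-EDL-Fetch from trust
set device-group Mobile_User_Device_Group pre-rulebase security rules Allow-EDL-Fetch to untrust
set device-group Mobile_User_Device_Group pre-rulebase security rules Allow-EDL-Fetch source Infra-Subnet
set device-group Mobile_User_Device_Group pre-rulebase security rules Allow-EDL-Fetch destination EDL-Host
set device-group Mobile_User_Device_Group pre-rulebase security rules Allow-EDL-Fetch application [ ssl web-browsing ]
set device-group Mobile_User_Device_Group pre-rulebase security rules Allow-EDL-Fetch service application-default
set device-group Mobile_User_Device_Group pre-rulebase security rules Allow-EDL-Fetch action allow
set device-group Mobile_User_Device_Group pre-rulebase security rules Allow-EDL-Fetch profile-setting group Default-Profile-Group

commit
```

Use the Remote_Network_Device_Group (or whatever your RN device group is named) instead when the EDL is referenced by Remote Network policy, and push the commit to Prisma Access after it completes on Panorama. Keep the destination narrowed to the EDL host rather than "any": the infrastructure subnet should not get a blanket outbound allow.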
- The source of the EDL connection is the loopback interface on each Prisma Access node.
- The loopback interface is assigned an IP address from the infrastructure subnet.
- The loopback interface belongs to the trust zone, which is why the rule is written from trust to untrust.