Palo Alto Networks

PAN-OS External Dynamic List Installation

Configure the approved KDC IP, domain, and URL feed details as PAN-OS EDL objects and attach them to security controls.

Integration: IP, Domain, and URL EDL
Access: Private connection details after approval
Controlled access

Apply to use KDC's secure feed infrastructure

KDC USOM Feed Service is available only to reviewed and approved organizations. Submit your organization, firewall, and source public IP details through the application form. After technical review and approval, your dedicated connection IP/FQDN, port, feed URLs, and vendor-specific settings are delivered through a secure channel.

1. Requirements

Before installation

  • PAN-OS administrative access: EDL, certificate profile, policy, and commit permissions.
  • Source public IP: The actual internet egress address used for EDL retrieval.
  • DNS and TLS: The KDC-provided FQDN and certificate chain must validate.
  • KDC approval: Connection details are provided only after application approval.

2. Network route

Service route and source IP

  1. Open Device → Setup → Services → Service Route Configuration.
  2. Confirm the interface and source IP used for External Dynamic List retrieval.
  3. Enter the actual post-NAT public IP in the application form.
  4. Allow outbound access to the destination and port specified in the KDC approval document.

A browser test from another device is not valid when it does not use the same public egress IP as the firewall service route.

3. TLS security

Create a Certificate Profile

  1. Go to Device → Certificate Management → Certificate Profile.
  2. Create a profile named KDC-USOM-EDL-TLS.
  3. Add the root and intermediate CA certificates specified in the KDC connection document.
  4. Use the same profile for every KDC EDL object.

Do not disable server authentication. For certificate errors, check the CA chain, hostname, and firewall clock first.

4. EDL objects

Create three separate lists

Use Objects → External Dynamic Lists → Add. Actual URL values are delivered by KDC after approval.

| Object name | Type | Source |
|---|---|---|
| KDC-USOM-IP | IP List | IP Feed URL from the KDC approval document |
| KDC-USOM-DOMAIN | Domain List | Domain Feed URL from the KDC approval document |
| KDC-USOM-URL | URL List | URL Feed URL from the KDC approval document |

  • Certificate Profile: KDC-USOM-EDL-TLS
  • Initial update interval: Hourly
  • Use Test Source URL, when available, before saving.
  • Complete the commit afterward.

5. Policy

Deploy in a controlled scope

  • Use the IP list as Source Address for inbound rules or Destination Address for outbound rules.
  • Use the URL list as a URL Category in Security Policy or URL Filtering.
  • Attach the domain list to the appropriate DNS security or Anti-Spyware control.
  • Start with a limited scope, logging, and a documented exception process.

Do not perform uncontrolled browsing tests against live indicators. Validate using list status, entry counts, and security logs.

6. Verification

Check EDL status

Open each object under Objects → External Dynamic Lists and review List Entries and Exceptions.

The following CLI pattern can be used:

request system external-list show type <ip|domain|url> name <EDL_OBJECT_NAME>

Confirm a non-zero valid-entry count, successful authentication, and a future next-update time.
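The three checks above can be run automatically over saved CLI output. This is an added example, not KDC or Palo Alto Networks code; the sample output is constructed, and the field labels it reads (Next update at, Auth-Valid, Total valid entries) are assumptions to match against what your PAN-OS release prints.

```python
import re
from datetime import datetime

# Constructed sample; field labels are assumed and may differ by PAN-OS release.
SAMPLE = """\
vsys1/KDC-USOM-IP:
        Next update at   : Tue Mar  3 15:00:00 2026
        Source           : https://feed.example.invalid/ip.txt
        Referenced       : Yes
        Valid            : Yes
        Auth-Valid       : Yes

Total valid entries      : 1842
Total invalid entries    : 0
"""

FIELD = re.compile(r"^\s*([^:]+?)\s*:\s+(.*\S)\s*$")

def parse_fields(text):
    """Map each 'Label : value' line to {label: value}; other lines are skipped."""
    return {m.group(1): m.group(2) for m in map(FIELD.match, text.splitlines()) if m}

def edl_problems(text, now):
    """Return the list of failed checks; a missing field counts as a failure."""
    f = parse_fields(text)
    problems = []
    count = f.get("Total valid entries", "")
    if not count.isdigit() or int(count) == 0:
        problems.append("no valid entries")
    if f.get("Auth-Valid", "").lower() != "yes":
        problems.append("authentication not confirmed")
    try:
        stamp = " ".join(f["Next update at"].split())  # collapse padded day field
        next_update = datetime.strptime(stamp, "%a %b %d %H:%M:%S %Y")
    except (KeyError, ValueError):
        problems.append("next-update time missing or unparseable")
    else:
        # 'now' must be the firewall's local time; the output has no timezone.
        if next_update <= now:
            problems.append("next-update time is not in the future")
    return problems

if __name__ == "__main__":
    print(edl_problems(SAMPLE, datetime(2026, 3, 3, 14, 30)) or "OK")
```

An empty result means all three checks passed. Run it once per EDL object and alert on any non-empty list.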

7. Rollback

Remove the integration safely

  1. Remove EDL references from policies and profiles.
  2. Commit and verify traffic behavior.
  3. Delete EDL objects only after they are no longer referenced.
  4. Ask KDC to remove the source public IP approval when access is no longer required.

Vendor KB and official documentation

Palo Alto Networks references

Use the official Palo Alto Networks documentation and Knowledge Base pages below to validate behavior for your current PAN-OS and management version.

View all vendor references →

Menu names and supported features can vary by PAN-OS release, licensing, and Panorama or Strata management model. The vendor documentation remains authoritative.