Configuring EDL with Shared Drive or SharePoint

Question

Hi all, will like to check if anyone have experiences configuring EDL to text file stored on SharePoint? What I have done so far:

Configure EDL service route to use the interface that have access to the SharePoint directory.
Did a ping test with source of said interface to the SharePoint directory - successful.
Tried to configure EDL, without cert profile, to SharePoint link location(HTTPS) of the text file of IP's but was unsuccessful.

From what I understood of EDL, since the SharePoint link is HTTPS, i will need the root and intermediate certificates.

However I have to write in a request for it to another department, since managing SharePoint isn't in my jurisdiction. Hence I am thinking to explore Shared drive option (non-HTTP) but was not successful as well.

Both attempts ended with URL Access error.

I went to check on traffic with the source IP set to the source interface which i configured for the service route for EDL and there were none found even though I initiated "Test Source URL". Can advise if I had omitted anything crucial for configuring the two options aforementioned successfully? Looking forward to any input, cheers.

Reaper · Accepted Answer

If the sharepoint is set up using a certificate of an internal CA, you should import the root certificate and add it to the trusted root certificates, but you shouldn't need the assistance from your sharepoint team to get the certificate if you are able to access the URL yourself; you can extract the certificate from your browser and import it onto the firewall

another 'trick' to make sure a service route is used, as I've noticed the service route is not always respected when set to one of the predefined 'applications', is to set a destination and source interface manually

J.W. · Answer

Hi again Reaper. Sorry to trouble you again but my understanding of certificates isn't the best. You mentioned "you should import the root certificate and add it to the trusted root certificates ", what exactly do you mean by "add it to the trusted root certificates" , do I have to setup something specific on the firewall certificate profile before I import that certificate through the means you illustrated?

Right now what I did was I just grab that root certificate as you illustrated and just import it to a new certificate profile. Then, I apply this certificate profile in the EDL configuration. Did I misunderstood you by doing it this way? 
Just to clarify since I am still having trouble with that EDL setup. Unable to access.

These are the error messages from my tail follow ms.log
Error: pan_ebl_system_ebl_show_handler(pan_cfg_ebl.c:7833): EDL external dynamic list file either empty or not found Error: pan_ebl_system_ebl_refresh_handler(pan_cfg_ebl.c:7141): EDL URL access error Error: pan_ebl_system_ebl_refresh_handler(pan_cfg_ebl.c:7141): EDL URL access error

Reaper · Answer

Once you import the root certificate, you can click it from the device>certificate management>certificates and then enable "trusted root certificate" in the pop-up. This will set the firewall to actually trust that root certificate.
When you open the url in a regular browser window, does it show you a flat text file, or is there all kinds of SharePoint 'filler' (menu structure etc) around? This could also prevent proper access for the firewall

J.W. · Answer

You could be right. The link I have access to is not direct content of the text file. It just shows the text file within a folder. And thanks for the instruction on the certificate. I'll attempt to troubleshoot again with these thoughts in mind. Thanks!

J.W. · Answer

That's good enough to know. At least I can omit that possibility of drive share. Noted on the Apache too.  Thanks reaper, great help.