topic Re: Policies without certificate enforcement enabled warning message in Cortex XDR Discussions

Policies without certificate enforcement enabled warning message

Aneesh — Wed, 28 Feb 2024 05:47:04 GMT

Hi Team,

Recently I got a warning message in cortex saying that "Some of your endpoints have policies without Certificate Enforcement enabled". And by checking it further I could see that, this is to increase protection on the agent's communication by enforcing the use of root CA provided by Cortex (rather than on the local machine).

It was in disabled state since I started using it and why it gives warning message now?

Can I get more clarity on this and what will be the impact if I enable this feature.

I am using Cortex XDR Version 3.9

Thanks in advance.

Re: Policies without certificate enforcement enabled warning message

aspatil — Wed, 28 Feb 2024 06:28:04 GMT

Hello @Aneesh ,

Thanks for reaching out on LiveCommunity!

The banner showing Some of your endpoints have policies without Certificate Enforcement enabled is by design. Notify(Disabled) will be the default setting. The main motivation is to push customers to enable (or disable) the feature and move from Notify to one of the other modes.

If you feel this has answered your query, please let us know by clicking on "mark this as a Solution". Thank you.

Re: Policies without certificate enforcement enabled warning message

Aneesh — Wed, 28 Feb 2024 08:58:12 GMT

Hi @aspatil,

Thanks for the speedy response.

I understand this but my query was,

It was in disabled state since I started using it and why it gives warning message now?

Can I get more clarity on this and what will be the impact if I enable this feature.

Re: Policies without certificate enforcement enabled warning message

Rindsland — Wed, 28 Feb 2024 09:46:15 GMT

It gives also a Risk warning for Default Policy, which I cannot edit (or I don't know how).

Re: Policies without certificate enforcement enabled warning message

Blake_Volk — Thu, 29 Feb 2024 02:07:44 GMT

I am also curious what is the user impact, or the impact of enabling this feature?

Re: Policies without certificate enforcement enabled warning message

aspatil — Thu, 29 Feb 2024 06:13:18 GMT

Hello Everyone,

Until now, typically certificates are validated by checking the signature hierarchy; MyCert is signed by IntermediateCert which is signed by RootCert, and RootCert is listed in my computer's "certificates to trust" store. Enabling the feature, makes the agent not to use the Local Root CA certificate Store anymore and use only the pinned roots.pem certificate file, this way protecting from Man In The Middle (MITM) attacks. For this the requirement for the agent is 8.3

Below is the path for the supported OS, where you can find the certificate.

Windows – "C:\Program Files\Palo Alto Networks\Traps\config\roots.pem”
macOS – “/Library/Application Support/PaloAltoNetworks/Traps/config”

For example, MITM attack can be implemented, where an attacker can configure a malicious secure proxy communication that will be used by the machine, diverting and intercepting all the agent’s communication securely. The secure communication can can be achieved by using a legitimate Root certificate installed by the attacker in the machine’s Root certificate store

Not using the Local Store and only using the trusted roots.pem file, can avoid this kind of attack.

Talking about the impact, please find the below information:

The agent checks for the root certificate in the roots.pem. If the Root signer is not found in roots.pem, the agent will check in the machine’s local store as fallback

If the agent can verify the certificate using one of the methods above, the communications succeeds.

Kindly find more information on enforcement levels:

Disabled (notify) default:

Agents use using the computer’s Trusted Root Certification Authority Store (aka Local Store)
All risky notification banners will show

Disabled:

Agents use using the computer’s Trusted Root Certification Authority Store (aka Local Store)
All risky notification banners will show

Enabled:

Agents starts with learning mode phase
Verify these 2 conditions

For at least 20 minutes, agents did not fallback to the local store
At least 2 successful heartbeats in the last 20 minutes

If succeeded, changes from learning mode to Checks 2 conditions first
In learning mode, agent’s operational status may show “Partially Protected”
Failure to pass the learning mode, agents stay in Partially protected until the feature is Disabled/disabled (notify)

If you feel this has answered your query, please let us know by clicking on "mark this as a Solution". Thank you.

Re: Policies without certificate enforcement enabled warning message

aspatil — Thu, 29 Feb 2024 06:14:09 GMT

Hello @Rindsland ,

You can edit the default policy and update the Agent profile with the certificate enforcement enabled.

Re: Policies without certificate enforcement enabled warning message

micomi — Thu, 29 Feb 2024 13:30:34 GMT

Hi @aspatil

Thank you for this explanation. Does the certificate enforcement only affect the XDR agent communication or the whole communication of the OS?

Re: Policies without certificate enforcement enabled warning message

JGrover1 — Thu, 29 Feb 2024 18:43:03 GMT

How do you edit the Default Agent Settings profile though?

Re: Policies without certificate enforcement enabled warning message

aspatil — Fri, 01 Mar 2024 08:02:01 GMT

Hello @micomi ,

It only affects Agent communication.

Re: Policies without certificate enforcement enabled warning message

aspatil — Fri, 01 Mar 2024 08:03:07 GMT

@JGrover1

It talks about the policy, you can duplicate the default agent settings profile, enable the Certificate enforcement and append to all the policies which uses default Agent setting profiles.

Re: Policies without certificate enforcement enabled warning message

Geismann — Fri, 01 Mar 2024 12:57:10 GMT

@JGrover1

I have the same problem that you can't adjust or delete the default profiles and the warning still appears.

Re: Policies without certificate enforcement enabled warning message

Silva — Mon, 04 Mar 2024 18:44:54 GMT

Hello @aspatil, I hope you are doing well.

Do you know if is there a KB or a kind of documentation with such a level of detail that you said?

Unfortunately, the release notes of version 8.3 doesn't bring this level of detailing.

Thanks a lot for your explanation!

Regards

Re: Policies without certificate enforcement enabled warning message

aspatil — Tue, 05 Mar 2024 05:10:18 GMT

Hello @Silva ,

You can find it in Changed Features section:
https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Release-Notes/February-2024

Re: Policies without certificate enforcement enabled warning message

aspatil — Tue, 05 Mar 2024 05:11:16 GMT

Hello @Geismann ,

Would suggest you to reach out to SE or open a TAC case for more information

Re: Policies without certificate enforcement enabled warning message

Silva — Tue, 05 Mar 2024 17:05:35 GMT

Hi @aspatil thanks for your answer.

You described the changes about local and Palo Alto certificates with too much clarity upper in this post.

However, I couldn't find these details in the Changes Features section of the Release Information, like:

For at least 20 minutes, agents did not fallback to the local store
At least 2 successful heartbeats in the last 20 minutes

The release note doesn't mention it, also doesn't mention several other things you said in the post here:

So where did find it?
PS: I'm new with Palo Alto and Cortex, so I'm having a little difficulty finding good and reliable information

Re: Policies without certificate enforcement enabled warning message

Aneesh — Wed, 06 Mar 2024 06:54:47 GMT

Hi @aspatil,

Thanks for the explanation.

Could you please clarify the steps involved in 'enabled' state for better understanding.

Thanks in advance.

Aneesh.

Re: Policies without certificate enforcement enabled warning message

aspatil — Wed, 06 Mar 2024 07:01:33 GMT

Hello @Aneesh ,

Could you confirm which steps are you asking about. The complete information has been shared with what Enable means?

If you are looking for how to enable it, Please follow below instructions:

1. Endpoints-> Policy Management-> Prevention Profile

2. Edit all the Agent setting profiles and under Agent Certificate section enable it

Re: Policies without certificate enforcement enabled warning message

Aneesh — Wed, 06 Mar 2024 08:58:18 GMT

Hi @aspatil,

I was referring to the steps in enabled state which you have mentioned in your reply.

please find the below snip for your reference.

Thanks in advance.

Aneesh

Re: Policies without certificate enforcement enabled warning message

ScottCloster — Wed, 13 Mar 2024 20:40:56 GMT

Like a few here, I have no issue with the change and editing my custom Prevention profiles, but how does one edit the Default profiles to make this change? They do not appear to be editable but are associated with the risk. How do we edit those default Prevention Profiles to change the agent certificate setting?