topic Certificate Enforcement issue in Cortex XDR Discussions

Certificate Enforcement issue

rufat87 — Wed, 29 May 2024 21:39:30 GMT

We have several machines that are now reporting "Partially Protected" when we enabled Certificate Enforcement on them.

First they started to show "Local-Store fallback used" in audit logs (informational severity), now we see "Failed to enable certificate enforcement due to local-store fallback" high severity messages and a Partially Protected Operational status for the hosts.

I am seeing policy and content updates coming through just fine, and the hosts stay connected to the portal.

1) What exactly does Partially Protected status mean for hosts with this particular problem?

2) How is this issue fixed?

Re: Certificate Enforcement issue

aspatil — Thu, 30 May 2024 05:37:14 GMT

Hello @rufat87 ,

Thank you for reaching out on Live Community.

Enabling the feature, makes the agent not to use the Local Root CA certificate Store anymore and use only the pinned roots.pem certificate file, this way protecting from Man In The Middle (MITM) attacks.

Please check in Endpoints Tab, there is a Last Certificate Enforcement Fallback field. If you find the values appearing there that means the Agent is not using the root.pem certificate and falling back to local store.

Once you enable the feature, the agent starts with learning mode phase. Failure to pass the learning mode results into agent stay in Partially Protected until the feature is disabled.

Please ensure that you are not decrypting the agent traffic or SSL inspection is not enabled in your proxy or VPN. You can open a TAC case for further support.

If you feel this has answered your query, please let us know by clicking on "mark this as a Solution".

Re: Certificate Enforcement issue

rufat87 — Thu, 30 May 2024 14:02:17 GMT

You have not really answered on what protection for the host is now partial? What protection modules are disabled for such hosts?

Is disabling Certificate Enforcement for such hosts a feasible solution - temporarily or permanently?

Re: Certificate Enforcement issue

aspatil — Thu, 30 May 2024 14:13:16 GMT

It seems you didn't notice the below statement:

Once you enable the feature, the agent starts with learning mode phase. Failure to pass the learning mode results into agent stay in Partially Protected until the feature is disabled.

As you have mentioned the error is "Failed to enable certificate enforcement due to local-store fallback". That means Certificate enforcement is not enabled and instead of root.pem , the agent is using Local store certificate which is not recommended. Hence, partially protected.

The solution is not disabling the policy, it is finding out why it is falling back. The reason may be that, you are decrypting the agent traffic or SSL inspection is enabled in your proxy or VPN.

Hence, please open a TAC support case to troubleshoot further.

Hope this helps.

Re: Certificate Enforcement issue

rufat87 — Thu, 30 May 2024 18:01:33 GMT

No, I have read your comment.

So it is falling back to use local cert which is "not recommended" and therefore is becoming vulnerable to possible "Man In The Middle (MITM) attacks". That's the only reason XDR is tagging these as Partially Protected, everything else works just fine in regards to prevention modules and operationally.

We will investigate this further with TAC, thanks for response.

Re: Certificate Enforcement issue

aspatil — Fri, 31 May 2024 04:13:15 GMT

That's right. Hope this get resolve asap.

If you feel this has answered your query, please let us know by clicking on "mark this as a Solution".