https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-certificate-enforcement-for-windows-and-macos/m-p/597495#M7174 <P>Hi Team,</P> <P>I have a query regarding the Cortex XDR Agent (8.3) Certificate Enforcement settings.</P> <P>1. Enable the Certificate Enforcement option.<BR />2. Decrypt either only Cortex XDR Agent traffic in the firewall or decrypt all traffic related to application servers in the firewall.</P> <P>Please confirm if these steps are correct, as I have not found comprehensive documentation on this configuration.</P> Wed, 11 Sep 2024 04:54:39 GMT Vinothkumar_SBA 2024-09-11T04:54:39Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-certificate-enforcement-for-windows-and-macos/m-p/597495#M7174 <P>Hi Team,</P> <P>I have a query regarding the Cortex XDR Agent (8.3) Certificate Enforcement settings.</P> <P>1. Enable the Certificate Enforcement option.<BR />2. Decrypt either only Cortex XDR Agent traffic in the firewall or decrypt all traffic related to application servers in the firewall.</P> <P>Please confirm if these steps are correct, as I have not found comprehensive documentation on this configuration.</P> Wed, 11 Sep 2024 04:54:39 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-certificate-enforcement-for-windows-and-macos/m-p/597495#M7174 Vinothkumar_SBA 2024-09-11T04:54:39Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-certificate-enforcement-for-windows-and-macos/m-p/597546#M7175 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/243138">@Vinothkumar_SBA</a>, thanks for reaching us using the Live Community.</P> <P>&nbsp;</P> <P>The Agent Certificate Enforcement is a feature <A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/8.3/Cortex-XDR-Agent-Release-Notes/Changes-to-Default-Behavior-in-Cortex-XDR-Agent-8.3" target="_self">introduced in 8.3</A> to improve the agent&nbsp;<SPAN>security, by enforcing the use of root CA that is provided by&nbsp;</SPAN><SPAN class="phrase">Palo Alto Networks</SPAN><SPAN>&nbsp;rather than on the local machine. You have more information in the<A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Documentation/Set-up-agent-settings-profiles" target="_self"> Agents Settings Profile document.</A></SPAN></P> <P>&nbsp;</P> <P>If you have SSL Decryption in your firewall, the FQDNS are still needed to be added as an exception for the XDR Agents. <A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Prevent-Administrator-Guide/Resources-Required-to-Enable-Access" target="_self">Here</A> you can find the resources to except.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="jmazzeo_0-1726061265467.png" style="width: 921px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/62172i88DC0BCA88E4E964/image-dimensions/921x145?v=v2" width="921" height="145" role="button" title="jmazzeo_0-1726061265467.png" alt="jmazzeo_0-1726061265467.png" /></span></P> <P>&nbsp;</P> <P>If this post answers your question, please mark it as the solution.</P> Wed, 11 Sep 2024 13:31:01 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-certificate-enforcement-for-windows-and-macos/m-p/597546#M7175 jmazzeo 2024-09-11T13:31:01Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-certificate-enforcement-for-windows-and-macos/m-p/597639#M7176 <P>Hi Jmazzeo,</P> <P>Thank you for your response. You mentioned that only the Cortex XDR agent URLs should be added to the FQDN exception list, and not all URLs or other application server URLs. Is my understanding correct or incorrect?</P> Thu, 12 Sep 2024 06:10:15 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-certificate-enforcement-for-windows-and-macos/m-p/597639#M7176 Vinothkumar_SBA 2024-09-12T06:10:15Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-certificate-enforcement-for-windows-and-macos/m-p/597669#M7178 <P>Hi, I linked this document that shows all the required URLs:&nbsp;<A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Prevent-Administrator-Guide/Resources-Required-to-Enable-Access" target="_blank">https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Prevent-Administrator-Guide/Resources-Required-to-Enable-Access</A></P> <P>&nbsp;</P> <P>Not only the tenant URL, there are a few more that the agent needs to communicate. If you have PANW NGFW you can see the&nbsp;App-ID Coverage in that doc.</P> Thu, 12 Sep 2024 13:13:38 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-certificate-enforcement-for-windows-and-macos/m-p/597669#M7178 jmazzeo 2024-09-12T13:13:38Z