https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-agent-certificate-enforcement/m-p/599124#M7252 <P>Hi, same problem here and yes, we're doing deep packet inspection, as many others do. Strangely, not all the endpoints are in partially protected state while they all have their traffic scanned with DPI. What toubleshooting is required in this case, as we can confirm that we have DPI in place? Would they add our private CA to the root ca pem file?</P> Mon, 30 Sep 2024 19:44:13 GMT Dario_Palermo 2024-09-30T19:44:13Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-agent-certificate-enforcement/m-p/589358#M6823 <P>Hi Team,</P> <P>I have <STRONG>enabled the Cortex XDR agent settings for certificate enforcement</STRONG>. However, endpoints are showing as only <STRONG>partially protected</STRONG>, and the Operational Status Details <STRONG>indicate that certificate enforcement is disabled against policy</STRONG> (Failed to enable certificate enforcement due to local store fallback). Could you please help with this issue?</P> Wed, 12 Jun 2024 07:38:13 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-agent-certificate-enforcement/m-p/589358#M6823 Vinothkumar_SBA 2024-06-12T07:38:13Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-agent-certificate-enforcement/m-p/589359#M6824 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/243138">@Vinothkumar_SBA</a>&nbsp;,</P> <P>&nbsp;</P> <P><SPAN>As you have mentioned the error is&nbsp;"Failed to enable certificate enforcement due to local-store fallback". That means Certificate enforcement is not enabled and instead of root.pem , the agent is using Local store certificate which is not recommended. Hence, partially protected.</SPAN></P> <P>&nbsp;</P> <P><SPAN>The solution is not disabling the policy, it is finding out why it is falling back. The reason may be that, you are decrypting the agent traffic or SSL inspection is enabled in your proxy or VPN.</SPAN></P> <P>&nbsp;</P> <P><SPAN>Hence, please open a TAC support case to troubleshoot further.</SPAN></P> <P>&nbsp;</P> <P><SPAN>If you feel this has answered your query, please let us know by clicking on "mark this as a Solution".</SPAN></P> Wed, 12 Jun 2024 07:41:35 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-agent-certificate-enforcement/m-p/589359#M6824 aspatil 2024-06-12T07:41:35Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-agent-certificate-enforcement/m-p/594841#M7068 <P>Dear&nbsp;<A id="link_17" class="lia-link-navigation lia-page-link lia-user-name-link" href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/308232" target="_self" aria-label="View Profile of aspatil"><SPAN class="">Aspatil</SPAN></A>,</P> <P>I have the same problem, does this error affect the protection ability or even the functionality of the Agent?</P> <P>&nbsp;</P> <P>What adjustments would you recommend? Thank you.</P> Wed, 14 Aug 2024 03:00:17 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-agent-certificate-enforcement/m-p/594841#M7068 S.Lin576639 2024-08-14T03:00:17Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-agent-certificate-enforcement/m-p/599124#M7252 <P>Hi, same problem here and yes, we're doing deep packet inspection, as many others do. Strangely, not all the endpoints are in partially protected state while they all have their traffic scanned with DPI. What toubleshooting is required in this case, as we can confirm that we have DPI in place? Would they add our private CA to the root ca pem file?</P> Mon, 30 Sep 2024 19:44:13 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/cortex-xdr-agent-certificate-enforcement/m-p/599124#M7252 Dario_Palermo 2024-09-30T19:44:13Z