Cortex xdr agent certificate

Vinothkumar_SBA — Thu, 13 Mar 2025 10:57:19 GMT

Hi all,

I have some doubts regarding the Cortex XDR agent certificate. I have gone through multiple blogs, which provided some insights, but I am still unable to see the complete picture. Below are the key facts I have gathered so far:

New Certificate Enforcement: Cortex XDR enforced a new certificate because the old certificate was vulnerable to MITM (Man-in-the-Middle) attacks. The previous implementation accepted any certificate for communication as long as it was signed. To mitigate this, Palo Alto Networks now enforces a certificate issued exclusively by them, ensuring stricter validation.
Certificate Enforcement in Different Machines: In new machines, the agent certificate enforcement is enabled by default in agent settings. However, for older machines, the default setting was Disabled (Notify), requiring manual activation. Despite this, I have observed cases where both the old certificate (Trusted Root Certification Authority) and the new certificate (root.pem) are present on the same endpoint. Why does this happen?
Certificate Contents and Purpose: The certificate lists multiple well-known names such as Microsoft, Google, and DigiCert, among others. Does this imply that the certificate is used for communication beyond the Cortex XDR server?

Questions I Need Clarified:

🔹 How does communication with the Cortex XDR server differ between the old and new certificates?
🔹 Why are both the old and new certificates available on some machines?
🔹 How was the old agent certificate used for communication before the enforcement change?

🔹 Do the names listed in the certificate indicate that Cortex XDR communicates with third parties other than the XDR server?

Any insights on these points would be greatly appreciated.

Thanks,

Re: Cortex xdr agent certificate

aspatil — Mon, 17 Mar 2025 10:47:31 GMT

Hello @Vinothkumar_SBA ,

To answer your questions:

How does communication with the Cortex XDR server differ between the old and new certificates?

Old Certificate

The agent uses a wildcard certificate (*.traps.paloaltonetworks.com) verified by the GoDaddy Root Certificate Authority G2.
The root CA is installed under the computer's trusted root certificate authority store.
The agent checks the roots.pem file for the root certificate and falls back to the local store if not found.

New Certificate:

The agent will solely rely on the roots.pem file for certificate validation, eliminating the fallback to the local store.
This change mitigates MITM attacks where an attacker could use a legitimate root certificate installed in the machine's root certificate store to intercept communications.

Why are both the old and new certificates available on some machines?

The agent checks the roots.pem file for the root certificate and falls back to the local store if not found, which makes agent partially protected.

How was the old agent certificate used for communication before the enforcement change?

Explained in first point

Do the names listed in the certificate indicate that Cortex XDR communicates with third parties other than the XDR server?

Please confirm the attribute where it is mentioned? And also is it for Old or New certificate.

topic Cortex xdr agent certificate in Cortex XDR Discussions

Cortex xdr agent certificate

Questions I Need Clarified:

Re: Cortex xdr agent certificate