https://live.paloaltonetworks.com/t5/custom-signatures/intermediate-certificates/m-p/595485#M511 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/764">@smledv</a> ,</P> <P>As described here - <A href="https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/troubleshoot-and-monitor-decryption/decryption-logs/repair-incomplete-certificate-chains" target="_blank">Repair Incomplete Certificate Chains (paloaltonetworks.com)</A> the RFC standard requires the server to send the full chain of trust. Unfortunately it is very common to not follow the RFC, which prevent the firewall to verify the root CA.</P> <P>&nbsp;</P> <P>So in one perfect world we should expect server administrators to fix their servers instead of importing intermediate certificates to the network devices/firewalls.</P> <P>&nbsp;</P> <P>I know the reality is far for that...Unfortunately I am not aware of any automated solution that could solve this.</P> <P>If you are not afraid to get your hands dirty with scripting, you may be able to achieve something with the steps described in the above link and some XML API calls to the firewall.</P> <P>&nbsp;</P> <P>The problem I am having with such automated approach is the lack of review from the administrator. I would personally prefer person to review the blocked page and verify if the intermediate certificate needs to be imported, or user is trying to access something that is potentially <SPAN>dangerous</SPAN>.</P> Wed, 21 Aug 2024 14:41:24 GMT aleksandar.astardzhiev 2024-08-21T14:41:24Z https://live.paloaltonetworks.com/t5/custom-signatures/intermediate-certificates/m-p/592999#M508 <P>Hello everyone,</P> <P>&nbsp;</P> <P>Is there a solution other than manually importing intermediate certificates into the Palo Alto Firewall (PAN-OS10.2.9-h1)?</P> <P>Since there are weekly a few websites with this problem popping up.</P> <P>&nbsp;</P> <P>I already know the import procedure that is described in the knowledge base.</P> <P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm66CAC" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm66CAC</A></P> <P>&nbsp;</P> <P><SPAN>for example:</SPAN></P> <P><A href="http://www.deepl.com" target="_blank">www.deepl.com </A></P> <P><A href="https://www.i-doit.com/en/" target="_blank">https://www.i-doit.com/</A></P> <P><SPAN><SPAN class="ui-provider a b c d e f g h i j k l m n o p q r s t u v w x y z ab ac ae af ag ah ai aj ak"><A class="fui-Link ___1rxvrpe f2hkw1w f3rmtva f1ewtqcl fyind8e f1k6fduh f1w7gpdv fk6fouc fjoy568 figsok6 f1hu3pq6 f11qmguv f19f4twv f1tyq0we f1g0x7ka fhxju0i f1qch9an f1cnd47f fqv5qza f1vmzxwi f1o700av f13mvf36 f1cmlufx f9n3di6 f1ids18y f1tx3yz7 f1deo86v f1eh06m1 f1iescvh fhgqx19 f1olyrje f1p93eir f1nev41a f1h8hb77 f1lqvz6u f10aw75t fsle3fq f17ae5zn" title="https://www.fabrilscavone.com.br/" href="https://www.fabrilscavone.com.br/" target="_blank" rel="noreferrer noopener" aria-label="Link www.fabrilscavone.com.br">www.fabrilscavone.com.br</A></SPAN></SPAN></P> <P><SPAN>(Deepl.com on Second DNS IP)</SPAN></P> <P>&nbsp;</P> <P><SPAN>Thanks in advance</SPAN></P> <P>&nbsp;</P> Thu, 25 Jul 2024 13:17:53 GMT https://live.paloaltonetworks.com/t5/custom-signatures/intermediate-certificates/m-p/592999#M508 smledv 2024-07-25T13:17:53Z https://live.paloaltonetworks.com/t5/custom-signatures/intermediate-certificates/m-p/595485#M511 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/764">@smledv</a> ,</P> <P>As described here - <A href="https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/troubleshoot-and-monitor-decryption/decryption-logs/repair-incomplete-certificate-chains" target="_blank">Repair Incomplete Certificate Chains (paloaltonetworks.com)</A> the RFC standard requires the server to send the full chain of trust. Unfortunately it is very common to not follow the RFC, which prevent the firewall to verify the root CA.</P> <P>&nbsp;</P> <P>So in one perfect world we should expect server administrators to fix their servers instead of importing intermediate certificates to the network devices/firewalls.</P> <P>&nbsp;</P> <P>I know the reality is far for that...Unfortunately I am not aware of any automated solution that could solve this.</P> <P>If you are not afraid to get your hands dirty with scripting, you may be able to achieve something with the steps described in the above link and some XML API calls to the firewall.</P> <P>&nbsp;</P> <P>The problem I am having with such automated approach is the lack of review from the administrator. I would personally prefer person to review the blocked page and verify if the intermediate certificate needs to be imported, or user is trying to access something that is potentially <SPAN>dangerous</SPAN>.</P> Wed, 21 Aug 2024 14:41:24 GMT https://live.paloaltonetworks.com/t5/custom-signatures/intermediate-certificates/m-p/595485#M511 aleksandar.astardzhiev 2024-08-21T14:41:24Z