https://live.paloaltonetworks.com/t5/next-generation-firewall/pa-1410-pan-os-11-doesn-t-include-many-ms-root-ca-s/m-p/557360#M1817 <P class="lia-indent-padding-left-30px">We do TLS decryption, and cutover a site to new PA-1410's running 11.0.2.&nbsp; While testing MS updates on endpoints, we were getting notifications that the client couldn't contact the update server.&nbsp; Looking in the decryption log, none of the calls to the MS URL's were trusted.&nbsp; I looked at the default included trusted CA's from our 820's that were are moving from, and sure enough, many of the MS root CA's are not imported into PAN-OS 11.x.&nbsp; I exported ones missing from our 820's and imported into the 1410's and marked them as trusted to work around this.&nbsp; Why would PAN not include these?</P> <P class="lia-indent-padding-left-30px">&nbsp;</P> <P class="lia-indent-padding-left-30px">Here's the default trusted CA's from our 820's running 10.1:</P> <P class="lia-indent-padding-left-30px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="820.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/53579i66821DD0679BC0BB/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="820.png" alt="820.png" /></span></P> <P class="lia-indent-padding-left-30px">&nbsp;</P> <P class="lia-indent-padding-left-30px">Here's what was default on the 1410's:</P> <P class="lia-indent-padding-left-30px">&nbsp;</P> <P class="lia-indent-padding-left-30px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="1410.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/53580i48ECD637360D7496/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="1410.png" alt="1410.png" /></span></P> Mon, 11 Sep 2023 14:19:04 GMT brucegarlock 2023-09-11T14:19:04Z https://live.paloaltonetworks.com/t5/next-generation-firewall/pa-1410-pan-os-11-doesn-t-include-many-ms-root-ca-s/m-p/557360#M1817 <P class="lia-indent-padding-left-30px">We do TLS decryption, and cutover a site to new PA-1410's running 11.0.2.&nbsp; While testing MS updates on endpoints, we were getting notifications that the client couldn't contact the update server.&nbsp; Looking in the decryption log, none of the calls to the MS URL's were trusted.&nbsp; I looked at the default included trusted CA's from our 820's that were are moving from, and sure enough, many of the MS root CA's are not imported into PAN-OS 11.x.&nbsp; I exported ones missing from our 820's and imported into the 1410's and marked them as trusted to work around this.&nbsp; Why would PAN not include these?</P> <P class="lia-indent-padding-left-30px">&nbsp;</P> <P class="lia-indent-padding-left-30px">Here's the default trusted CA's from our 820's running 10.1:</P> <P class="lia-indent-padding-left-30px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="820.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/53579i66821DD0679BC0BB/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="820.png" alt="820.png" /></span></P> <P class="lia-indent-padding-left-30px">&nbsp;</P> <P class="lia-indent-padding-left-30px">Here's what was default on the 1410's:</P> <P class="lia-indent-padding-left-30px">&nbsp;</P> <P class="lia-indent-padding-left-30px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="1410.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/53580i48ECD637360D7496/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="1410.png" alt="1410.png" /></span></P> Mon, 11 Sep 2023 14:19:04 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/pa-1410-pan-os-11-doesn-t-include-many-ms-root-ca-s/m-p/557360#M1817 brucegarlock 2023-09-11T14:19:04Z https://live.paloaltonetworks.com/t5/next-generation-firewall/pa-1410-pan-os-11-doesn-t-include-many-ms-root-ca-s/m-p/557447#M1820 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/151332">@brucegarlock</a>&nbsp;</P> <P>&nbsp;</P> <P>The PA <EM>default trusted certificate authorities</EM> store is updated&nbsp;<SPAN>in major releases.</SPAN></P> <P><SPAN>This means, it may (or may not) have different certificates in 10.1.x and in 11.0.x</SPAN></P> <P><SPAN>You can upload the necessary certificates to the <EM>device certificate store</EM> and mark them as trusted.</SPAN></P> <P>&nbsp;</P> Tue, 12 Sep 2023 02:26:06 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/pa-1410-pan-os-11-doesn-t-include-many-ms-root-ca-s/m-p/557447#M1820 akuzhuppilly 2023-09-12T02:26:06Z https://live.paloaltonetworks.com/t5/next-generation-firewall/pa-1410-pan-os-11-doesn-t-include-many-ms-root-ca-s/m-p/557926#M1840 <P>Yes, this is what I am doing, but what I don't understand is why those were not included as defaults like they were in the older models.&nbsp; It seems like a lot of the default CA's included in previous PAN OS versions are not included on 11.x</P> Thu, 14 Sep 2023 12:01:30 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/pa-1410-pan-os-11-doesn-t-include-many-ms-root-ca-s/m-p/557926#M1840 brucegarlock 2023-09-14T12:01:30Z