https://live.paloaltonetworks.com/t5/next-generation-firewall/adding-an-external-dynamic-list-object-and-importing-the/m-p/531341#M910 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/230545">@user9891</a> ,</P> <P>&nbsp;</P> <P>Yes, that process is correct.&nbsp; The document actually says to add the root and intermediate to the certificate profile.&nbsp; That is the process that I use, and it works.&nbsp; Your reasoning makes sense that the root is already trusted.&nbsp; Let us know if only the intermediate CA works in the certificate profile.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Tom</P> Thu, 16 Feb 2023 03:14:08 GMT TomYoung 2023-02-16T03:14:08Z https://live.paloaltonetworks.com/t5/next-generation-firewall/adding-an-external-dynamic-list-object-and-importing-the/m-p/531324#M909 <P>&nbsp;</P> <P>I am trying to add an External Dynamic List to our PA-440.&nbsp;</P> <P>&nbsp;</P> <P>The External Dynamic List is hosted on an external web server by one of our security partners.&nbsp; This web server is https enabled and authentication is via username/password.&nbsp; This is the screenshot when you go to the EDL's Source URL:</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="thivye_1-1676501196399.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/47988iE709969DC0AB21A5/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="thivye_1-1676501196399.png" alt="thivye_1-1676501196399.png" /></span></P> <P>&nbsp;</P> <P>According to this documentation, in order for the firewall to authenticate to this server, I will need to add the Intermediate CA certificates that match the certificates installed on the server the firewall is authenticating.&nbsp; With that profile, I will have the option to add a username and password to the External Dynamic List object when I add the correct Certificate Profile.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Here is the documentation that states I need to add the Intermediate CA certificates that match the certificates installed on the server the firewall is authenticating:</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="thivye_2-1676501218691.png" style="width: 785px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/47989iDFCCCD7048689A71/image-dimensions/785x151/is-moderation-mode/true?v=v2" width="785" height="151" role="button" title="thivye_2-1676501218691.png" alt="thivye_2-1676501218691.png" /></span></P> <P>&nbsp;</P> <P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;"><A href="https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/policy/use-an-external-dynamic-list-in-policy/configure-the-firewall-to-access-an-external-dynamic-list" target="_blank" rel="noopener">https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/policy/use-an-external-dynamic-list-in-policy/configure-the-firewall-to-access-an-external-dynamic-list</A></P> <P>&nbsp;</P> <P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">My understanding of this is I needed to:</P> <OL style="direction: ltr; unicode-bidi: embed; margin-top: 0in; margin-bottom: 0in; font-family: Calibri; font-size: 11.0pt; font-weight: normal; font-style: normal;" type="1"> <LI style="margin-top: 0; margin-bottom: 0; vertical-align: middle;" value="1"><SPAN>Download the Intermediate CA certificate from the external web server that's hosting the EDLs</SPAN></LI> <LI style="margin-top: 0; margin-bottom: 0; vertical-align: middle;"><SPAN>Import this Intermediate CA certificate into the Certificate Manager</SPAN></LI> <LI style="margin-top: 0; margin-bottom: 0; vertical-align: middle;"><SPAN>Create a Certificate Profile to add to the EDL object.</SPAN></LI> </OL> <P>&nbsp;</P> <P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">&nbsp;</P> <H2 style="margin: 0in; font-family: Calibri; font-size: 14.0pt; color: #2e75b5;">Downloading the Intermediate CA Certificate:</H2> <P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">&nbsp;</P> <P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">To download the Intermediate CA certificate from the external webserver that's hosting the EDLs.</P> <P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">&nbsp;</P> <OL style="direction: ltr; unicode-bidi: embed; margin-top: 0in; margin-bottom: 0in; font-family: Calibri; font-size: 11.0pt; font-weight: normal; font-style: normal;" type="1"> <LI style="margin-top: 0; margin-bottom: 0; vertical-align: middle;" value="1"><SPAN>Click the lock icon:</SPAN></LI> </OL> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="thivye_3-1676501263508.png" style="width: 613px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/47990i18659E3AC4847E7F/image-dimensions/613x360/is-moderation-mode/true?v=v2" width="613" height="360" role="button" title="thivye_3-1676501263508.png" alt="thivye_3-1676501263508.png" /></span></P> <P>&nbsp;</P> <OL style="direction: ltr; unicode-bidi: embed; margin-top: 0in; margin-bottom: 0in; font-family: Calibri; font-size: 11.0pt; font-weight: normal; font-style: normal;" type="1"> <LI style="margin-top: 0; margin-bottom: 0; vertical-align: middle;" value="2"><SPAN>Click on "Connection Secure":</SPAN></LI> </OL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="thivye_8-1676501297085.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/47991iFFD41D6DF4CC3239/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="thivye_8-1676501297085.png" alt="thivye_8-1676501297085.png" /></span></P> <OL style="direction: ltr; unicode-bidi: embed; margin-top: 0in; margin-bottom: 0in; font-family: Calibri; font-size: 11.0pt; font-weight: normal; font-style: normal;" type="1"> <LI style="margin-top: 0; margin-bottom: 0; vertical-align: middle;" value="3"><SPAN>Click on "More Information":</SPAN></LI> </OL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="thivye_9-1676501307699.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/47992i3CBC059BB4361F86/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="thivye_9-1676501307699.png" alt="thivye_9-1676501307699.png" /></span></P> <P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">&nbsp;</P> <OL style="direction: ltr; unicode-bidi: embed; margin-top: 0in; margin-bottom: 0in; font-family: Calibri; font-size: 11.0pt; font-weight: normal; font-style: normal;" type="1"> <LI style="margin-top: 0; margin-bottom: 0; vertical-align: middle;" value="4"><SPAN>Click "View Certificate":</SPAN></LI> </OL> <DIV id="tinyMceEditorthivye_6" class="mceNonEditable lia-copypaste-placeholder">&nbsp;</DIV> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="thivye_10-1676501316888.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/47993i69CE11879506C9F0/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="thivye_10-1676501316888.png" alt="thivye_10-1676501316888.png" /></span></P> <P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">&nbsp;</P> <P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">&nbsp;</P> <OL style="direction: ltr; unicode-bidi: embed; margin-top: 0in; margin-bottom: 0in; font-family: Calibri; font-size: 11.0pt; font-weight: normal; font-style: normal;" type="1"> <LI style="margin-top: 0; margin-bottom: 0; vertical-align: middle;" value="5"><SPAN>Click the middle certificate (the Intermediate CA), scroll down and download the cert file (.PEM)</SPAN></LI> </OL> <P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">&nbsp;</P> <DIV id="tinyMceEditorthivye_7" class="mceNonEditable lia-copypaste-placeholder">&nbsp;</DIV> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="thivye_11-1676501347626.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/47994iF651D5A9448B38B2/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="thivye_11-1676501347626.png" alt="thivye_11-1676501347626.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&gt; Is this the correct file to be downloading?</P> <P>&gt; The UserTrust CA is already in the list of Trusted Certificate Authorities in the Certificate manager of the PA-440, so this Intermediate CA Certificate is all I should need.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">&nbsp;</P> <P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">&nbsp;</P> <P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">&nbsp;</P> <P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Wed, 15 Feb 2023 22:57:26 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/adding-an-external-dynamic-list-object-and-importing-the/m-p/531324#M909 user9891 2023-02-15T22:57:26Z https://live.paloaltonetworks.com/t5/next-generation-firewall/adding-an-external-dynamic-list-object-and-importing-the/m-p/531341#M910 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/230545">@user9891</a> ,</P> <P>&nbsp;</P> <P>Yes, that process is correct.&nbsp; The document actually says to add the root and intermediate to the certificate profile.&nbsp; That is the process that I use, and it works.&nbsp; Your reasoning makes sense that the root is already trusted.&nbsp; Let us know if only the intermediate CA works in the certificate profile.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Tom</P> Thu, 16 Feb 2023 03:14:08 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/adding-an-external-dynamic-list-object-and-importing-the/m-p/531341#M910 TomYoung 2023-02-16T03:14:08Z