topic Re: Palo-hosted EDL empty when using certificate profile in Prisma Access Discussions

Palo-hosted EDL empty when using certificate profile

VTQNetwork — Sat, 18 Nov 2023 21:56:56 GMT

Hi Guys,

I can’t use my SaaS EDLs in Prisma. It works fine on-prem, but in Prisma the list contains 0.0.0.0/0 entry.

When I remove certificate profile, it work well.

I configured decryption exclusion for Prisma Infra subnet as I had decryption errors for Palo SaaS URL.

i did not configure any security policy from infra subnet to internet (but EDL without cert profile works).

I use the EDL in security & decryption policy.

Kind Regards,

Re: Palo-hosted EDL empty when using certificate profile

TomYoung — Sun, 19 Nov 2023 10:26:58 GMT

Hi @VTQNetwork ,

Check and see if you have certificate profile errors under Monitor > Logs > System with the filter ( subtype eq tls ). I have seen an undocumented bug where the EDL server certificate authentication fails with various versions of PAN-OS. I am currently on 10.2.4 and 5, which works fine. There is also a chance where the certificate profile fails because the wrong certificates or an incomplete chain are in the profile.

Thanks,

Tom

Re: Palo-hosted EDL empty when using certificate profile

VTQNetwork — Mon, 20 Nov 2023 11:53:11 GMT

Thank you for reply @TomYoung

Indeed, I had cert errors in System logs until Saturday:

EDL server certificate authentication failed. A local copy of associated external dynamic list will be used, so it won't impact your policy. EDL Name: SaaS-EDL-Microsoft-Defender-EU-URL, EDL Source URL: https://saasedl.paloaltonetworks.com/feeds/msdefender/eu/microsoftdefenderforendpointeu/url, CN: saasedl.paloaltonetworks.com, Reason: self signed certificate in certificate chain

Since I've configured decryption exclusion for Prisma's Infrastructure subnet, I don't have these errors, but EDLs still does not work.

Please note my issue is in Prisma Access. The same certificate profile works fine for my on-prem firewalls.

Root CA I use and the procedure I've followed is described here:

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/policy/use-an-external-dynamic-list-in-policy/configure-the-firewall-to-access-an-external-dynamic-list-from-the-edl-hosting-service/convert-the-globalsign-root-r1-certificate-to-pem-format#id247b0a73-8aa1-4e0e-a3f8-6dbe8d4f9033

I'm on Panorama managed Prisma, my Panorama versionn is 11.0.2-h2 and the plugin cloud_services-4.1.0.

Kind Regards,

Kacper

Re: Palo-hosted EDL empty when using certificate profile

TomYoung — Tue, 21 Nov 2023 10:26:17 GMT

Hi @VTQNetwork ,

Thank you for the information! The message that concerns me is "Reason: self signed certificate in certificate chain." That may indicate that the certificate profile in Prisma Access is different than the one on your on-prem firewalls.

Thanks,

Tom

Re: Palo-hosted EDL empty when using certificate profile

VTQNetwork — Tue, 21 Nov 2023 13:04:00 GMT

Hi @TomYoung ,

Yeah, I was also surprised when saw this message. I suppose there is some decryption for Prisma Infra. I've configured decryption exclusion. Now I do not have the error anymore, but my EDL with cert profile still does not work as expected.

According to Palo's manual, the same cert should be used for both on-prem & Prisma, but maybe additional policies/cert is required for Prisma Infra network.

I'm waiting for the TAC and update this thread. So far we've reinstalled certificate twice (I use cert from Palo), they suggested to change url (I use url from Palo).

Kind Regards,

Kacper

Re: Palo-hosted EDL empty when using certificate profile

automator — Thu, 23 Apr 2026 13:44:09 GMT

I'm having the same issue where the EDL works for on-prem firewalls, but not in Prisma Access. The same certificate profile is configured in both locations. Did you ever resolve this issue?