topic Re: Error fetching External Dynamic List (EDL) in General Topics

Error fetching External Dynamic List (EDL)

fjmjugr — Thu, 19 Jul 2018 07:08:30 GMT

Hello,

When trying to fetch an EDL from a web server configured without support for TLSv1 (only support TLSv1.1 or 1.2) the result is "Server error : URL access error".

I don't know if PAN-OS 7.1.18 fetch client for EDL only support TLSv1. Checking ciphers compatibility for 7.1 I can't find the answer:

https://www.paloaltonetworks.com/documentation/global/compatibility-matrix/supported-cipher-suites/cipher-suites-supported-in-pan-os-7-1/cipher-suites-supported-in-pan-os-7-1-decryption

Thanks in advance.

Regards.

Re: Error fetching External Dynamic List (EDL)

JoeAndreini — Thu, 19 Jul 2018 11:25:28 GMT

Is the EDL external to your network? If so, is there a security policy (and likely a nat policy) allowing the management interface of the firewall to access it? AFAIK, TLS 1.1 and 1.2 are supported

Re: Error fetching External Dynamic List (EDL)

BPry — Thu, 19 Jul 2018 17:14:39 GMT

@fjmjugr,

As @JoeAndreini stated I'm willing to bet that this is a security/nat policy issue more then anything else.

Re: Error fetching External Dynamic List (EDL)

fjmjugr — Thu, 19 Jul 2018 17:29:25 GMT

Hi Joe,

Thanks for your answer.

Web server is inernal and there aren't any problem if we use http instead of https or https with TLSv1 enabled

With TLSv1, 1.1 & 2 versions at web server, logs show FW is negotiating TLSv1:

[18/Jul/2018:21:32:26 +0200] *.*.*.* TLSv1 ECDHE-RSA-AES256-SHA "GET /***** HTTP/1.1" 8

But if we disable TLSv1, the result is "Server error : URL access error" when testing it from CLI.

Sorry, probably I'm not beeing clear:

1.- Web server with only TLS1.1 and TLS1.2 enabled -> result: error

2.- Web server with all TLS versions (1, 1.1 & 2) -> result: success (negotiating v1).

Aparently this is not related with policy.

Thanks!

Regards.

Re: Error fetching External Dynamic List (EDL)

BPry — Thu, 19 Jul 2018 17:40:39 GMT

@fjmjugr,

Are you using a certificate profile when you go to grab that EDL?

Re: Error fetching External Dynamic List (EDL)

JoeAndreini — Thu, 19 Jul 2018 18:07:05 GMT

Is the Certificate signed by a trusted external CA? Make sure the root/intermediate certificates are in teh trusted root store.

Re: Error fetching External Dynamic List (EDL)

fjmjugr — Fri, 20 Jul 2018 00:08:51 GMT

@BPry, I think Authetication for EDL is a new feature of PAN-OS 8.0, but I'm using 7.1.18

https://www.paloaltonetworks.com/documentation/80/pan-os/newfeaturesguide/authentication-features/authentication-for-external-dynamic-lists

@JoeAndreini I think that is not necesary (using 7.1). For example, I'm testing Minemeld and at this moment I'm using selfsigned certificate & MM CA. With that configuration, firewalls can fetch EDLs from MM withot having included CA at them.

I found a resolved issue:

PAN-85047

Fixed an issue where the firewall failed to retrieve a domain list from an external dynamic list (EDL) server over a TLSv1.0 connection.

but it is for 8.0.7 and only talks about TLSv1 (probably, not related to my initial question).

Thanks you both for your suggestions.

Regards.