topic Re: Palo Alto Device certs (Default Trusted Certificate Authorities List) in General Topics

Palo Alto Device certs (Default Trusted Certificate Authorities List)

ewashing3 — Fri, 03 Sep 2021 18:21:30 GMT

I am dealing with an issue in which the Palo Alto is in proxy mode. The issue is concerning endpoints being able to access a cloud tenant to register (install) a component.. The FQDN of the cloud tenant has been added as an allowance for these endpoints, they are member servers that have exceptions made for Internet access to certain sites. Multiple endpoints within my org are able to register to the tenant, so I don't believe that there is an over-arching issue with the proxy. That being said, the tenant provider has a requirement for two GoDaddy certs to be present on the endpoints to allow for registration (install) of the tenant's cloud component. On the endpoints themselves, both of the GoDaddy certs are present within their local certificate stores. However on the Palo Alto proxy, there is only one GoDaddy cert listed within the Device's "Default Trusted Certificate Authorities" list. Would anyone know if both GoDaddy certs would need to be in this list as well?

Re: Palo Alto Device certs (Default Trusted Certificate Authorities List)

BPry — Sat, 04 Sep 2021 04:13:29 GMT

@ewashing3,

If you attempt to hit the registration URL does your endpoint actually trust the certificate being presented? Have you enabled interzone-default logging and verified that endpoints seeing the registration issue don't have any associated denied traffic?

As a test to ensure that decryption is actually an issue, I would temporarily exclude one of the endpoints that are failing to register and see if it actually registers properly or not when you try again.

Re: Palo Alto Device certs (Default Trusted Certificate Authorities List)

ewashing3 — Tue, 07 Sep 2021 09:37:36 GMT

I will give this a try, thank you!