topic Re: Warnings: External Dynamic List <list> is configured with no certificate profile. in General Topics

Warnings: External Dynamic List is configured with no certificate profile.

DaBone — Mon, 07 Aug 2017 16:12:26 GMT

Warnings:

External Dynamic List <list> is configured with no certificate profile.

Please select a certificate profile for performing server certificate validation.

Customer went from 7.1.x to now 8.0.x and is using a MineMeld link in the External Dynami List(EDL). This link is to a https site.

We followed this link:

https://live.paloaltonetworks.com/t5/MineMeld-Articles/How-to-Generate-New-MineMeld-HTTPS-Cert/ta-p/101331

After doing this, the warning was still there.

We had also done this:

https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/policy/disable-authentication-for-an-external-dynamic-list

So when we went to choose a certificate profle, there was not an option to choose one.

Because of this, we force the certificate profile via the CLI:

# set shared external-list Minemeld-Office-365-IP type ip certificate-profile <cert profile>

This resolved this issue. Then MineMeld went to update the list and there was an Auth error and the list emptied.

Error:
description contains 'EDL server certificate authentication failed. The associated external dynamic list has been removed, which might impact your policy. EDL Name: Minemeld-Office-365-IP, EDL Source URL: https://10.x.xxx.xx/feeds/office365_IPv4s, CN: norminemeld, Reason: SSL peer certificate or SSH remote key was not OK'

The customer then went back to Panorama and removed the cert profile.

We have also looked at this post:
https://live.paloaltonetworks.com/t5/General-Topics/Panorama-8-0-EDL-amp-Certificate-Profile/m-p/148098/highlight/true#M49516

Namely the second to the last comment by: PerTenggren

After further investigation it seems that EDL created as "shared" can't list any certificate profile, but it works if assigning the EDL to a specific device group.

Customer said that: All of our policies that reference the Minemeld external dynamic list are Shared (global) in nature and cannot see a local EDL.

Customer is wanting to not see this warning message after commits.

Re: Warnings: External Dynamic List is configured with no certificate profile.

lmori — Tue, 08 Aug 2017 17:57:09 GMT

Hi @DaBone,

this looks a problem with the configuration of PAN-OS and Panorama, have you opened a ticket to Palo Alto Networks TAC ?

Thanks,

luigi

Re: Warnings: External Dynamic List is configured with no certificate profile.

lgiancaterini — Tue, 08 Aug 2017 19:30:01 GMT

Hi @DaBone,

Are you trying to push Certificates and profiles from Panorama to the FW's? If you have Device Group parent with policies defined and child DG's with firewalls, you will need to put a fake serial number in the parent DG and the same fake serial number in the template that you have the certificates in.

Make sure you have enough device licenses in Panorama to add this fake serial number. When you commit the changes to Panorama and then push the DG and Template changes to the firewall, you should see the certificate and profile in your firewalls to make your EDL's.

LG.

Re: Warnings: External Dynamic List is configured with no certificate profile.

Mike.ship — Fri, 19 Jan 2018 20:09:14 GMT

Has any one been able to verify if the workaround suggested by LG resolves the issue?

Re: Warnings: External Dynamic List is configured with no certificate profile.

oschuler — Wed, 19 Sep 2018 06:24:20 GMT

We also setup EDLs in the "shared" device-group and we're unable to attach a cert-profile to those EDLs. However, if we clone that EDL into a device-group leaf we get to chose a cert-profile.

It's not really an option for us to clone an EDL into each device-group. We also had to build individual security rules this way. So we keep the shared EDL for now, without any cert-profile attached.

(we're running v8.1.3 of Panorama)

Re: Warnings: External Dynamic List is configured with no certificate profile.

DrJonBane — Tue, 04 Dec 2018 14:44:27 GMT

Same issue here. This is another example of the limitations between device-groups and templates. This really needs to be addressed.

Re: Warnings: External Dynamic List is configured with no certificate profile.

erikda — Fri, 01 Feb 2019 10:46:32 GMT

Any news regarding this issue?

Re: Warnings: External Dynamic List is configured with no certificate profile.

lmori — Thu, 07 Feb 2019 08:09:42 GMT

Hi @erikda, @DaBone,

do you have a case open with TAC about this? I would like to bring the discussion to our Product Management

Re: Warnings: External Dynamic List is configured with no certificate profile.

fwmike — Thu, 07 Feb 2019 16:08:37 GMT

@lmori

My case 01048381.

Re: Warnings: External Dynamic List is configured with no certificate profile.

DaBone — Fri, 15 Feb 2019 16:32:29 GMT

@lmori

Sorry I forgot about this post.

00717965 case, it is now resolved.

Re: Warnings: External Dynamic List is configured with no certificate profile.

mteachout — Mon, 18 Feb 2019 18:31:56 GMT

What was the fix? Is it something you had to change or is it included in a later release?

Re: Warnings: External Dynamic List is configured with no certificate profile.

FarzanaMustafa — Thu, 28 Feb 2019 02:29:38 GMT

I also faced same issue. TAC has advised to try this.

As far as EDL warning is concerned, cert profile need to be configured to verify server certificate using CA that signed CA cert.

There are two ways to resolve warning

1) use http instead of https to connect to webserver in EDL config
2) Or, configure cert profile using root CA that signed web server cert, Global sign in this case and use it in cert profile under EDL.

Re: Warnings: External Dynamic List is configured with no certificate profile.

andrew571 — Mon, 28 Oct 2019 15:52:15 GMT

The real issue with the use of certificate profiles on external dynamic lists is that the firewall administrator has no control over the actions of 3rd party external dynamic list providers.

The list provider might force you to use HTTPS.
The list provider is free to choose whichever SSL Certificate provider they want.
If the certificate profile becomes invalid due to SSL certificate provider change, the list empties out, and you have no notification of this.
So, how exactly does this provide security if it suddenly fails open?
The GUI's "None (Disable Cert profile)" is a misnomer since it doesn't disable it to the point of no longer warning on policy commit.

A proper fix would be that "None (Disable Cert profile)" does what it says it will do which is to not use it and by disabled means it won't warn about it either.

Re: Warnings: External Dynamic List is configured with no certificate profile.

Tobi — Tue, 29 Mar 2022 09:08:49 GMT

Unfortunately I still cannot attach a cert-profile to my "shared" EDLs under PAN-OS 9.1. Is this fixed with version 10 or 10.1?

Re: Warnings: External Dynamic List is configured with no certificate profile.

andrey11 — Mon, 25 Apr 2022 14:11:09 GMT

You can try following:

1. Push Certificate Profile via template to all firewalls.
2. Create the required EDL with the certificate profile on any device group
3. Commit and Push
4. Clone the EDL from the device group as a shared EDL.
5. You can then select the Certificate Profile in the Shared EDL.

Re: Warnings: External Dynamic List is configured with no certificate profile.

miguelMA — Mon, 14 Nov 2022 16:24:35 GMT

WOW!

I even open a case that went to up the chain to the dev team and was told that with 10.2.3 it was going to be fixed!

@andrey11 AMAZING instructions!

THANK YOU!!!

5*'s!

This process working, proves the platform can do it, but the pointers/database/code need to be looked at for the GUI.

Palo Alto Needs to hire you! (:

thanks again!

Re: Warnings: External Dynamic List is configured with no certificate profile.

Claw4609 — Fri, 17 Mar 2023 16:32:56 GMT

Alternatively, you can just type in the certificate profile without moving the edl around device groups..... for some reason.

For example we use some of the Palo Alto maintained edls (EDL Hosting Service (paloaltonetworks.com)) and we named the certificate profile, "PaloAlto-EDL-Cert-Profile", I can manually type that in the shared edl even though its not an option in the drop down menu. I dont know how this works but Palo cant make it appear in the drop down menu

Re: Warnings: External Dynamic List is configured with no certificate profile.

miguelMA — Fri, 28 Jul 2023 17:55:51 GMT

Follow up:

Still not fixed in the newer vesions, running the latest 11.x code and still not fixed.

In addition, stacking manualy into 1 txt file all the certifficate chain no longer works.

this is what i did to make it work.

1. go to firefox (chrome doesn't give you the options below) and pull up the https URL where the list is published.

in firefox, pull up the certificate and download the pem file for each of the certs in the chain (pem)

2. Then got to panorama and IMPORT in the share each certificate.

committ push

3. Then go to the individual device template and build a local certificate profile that uses/references the individually shared certificates

commit push

4. then go to the created certifiate profile and clone it to SHARE.

committ push

5. delete the individual local profile.

6. build the new external dynamic list object usign the same URL as step 1.

7. the new certifiate profile will now be available to use in the new shared external dyanmic list dropdown.

This used to work by using a single certificate that was manually stacked and saved as one certificate but it seeems that is no longer the case.

Hope this helps someone outthere and keeps some of the pain away (: