Error fetching External Dynamic List (EDL)

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Error fetching External Dynamic List (EDL)

L1 Bithead

Hello,

 

When trying to fetch an EDL from a web server configured without support for TLSv1 (only support TLSv1.1 or 1.2) the result is "Server error : URL access error".

 

I don't know if PAN-OS 7.1.18 fetch client for EDL only support TLSv1. Checking ciphers compatibility for 7.1 I can't find the answer:

 

https://www.paloaltonetworks.com/documentation/global/compatibility-matrix/supported-cipher-suites/c...

 

Thanks in advance.

Regards.

6 REPLIES 6

L4 Transporter

Is the EDL external to your network?  If so, is there a security policy (and likely a nat policy) allowing the management interface of the firewall to access it?  AFAIK, TLS 1.1 and 1.2 are supported

@fjmjugr,

As @JoeAndreini stated I'm willing to bet that this is a security/nat policy issue more then anything else. 

Hi Joe,

Thanks for your answer.

Web server is inernal and there aren't any problem if we use http instead of https or https with TLSv1 enabled 

With TLSv1, 1.1 & 2 versions at web server, logs show FW is negotiating TLSv1: 

 

[18/Jul/2018:21:32:26 +0200] *.*.*.* TLSv1 ECDHE-RSA-AES256-SHA "GET /***** HTTP/1.1" 8

 

But if we disable TLSv1, the result is "Server error : URL access error" when testing it from CLI.

 

Sorry, probably I'm not beeing clear:

 

1.- Web server with only TLS1.1 and TLS1.2 enabled -> result: error

2.- Web server with all TLS versions (1, 1.1 & 2) -> result: success (negotiating v1).

 

Aparently  this is not related with policy. 

Thanks!

Regards.

 

@fjmjugr,

Are you using a certificate profile when you go to grab that EDL? 

Is the Certificate signed by a trusted external CA?  Make sure the root/intermediate certificates are in teh trusted root store.

@BPry, I think  Authetication for EDL is a new feature of PAN-OS 8.0, but I'm using 7.1.18

 

 

https://www.paloaltonetworks.com/documentation/80/pan-os/newfeaturesguide/authentication-features/au...

 

@JoeAndreini I think that is not necesary (using 7.1). For example, I'm testing Minemeld and at this moment I'm using selfsigned certificate & MM CA. With that configuration, firewalls can fetch EDLs from MM withot having included CA at them. 

 

I found a resolved issue:

 

PAN-85047
Fixed an issue where the firewall failed to retrieve a domain list from an external dynamic list (EDL) server over a TLSv1.0 connection.

but it is for 8.0.7 and only talks about TLSv1 (probably, not related to my initial question).

 

Thanks you both for your suggestions.

Regards.

 

  • 4698 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!