Error fetching External Dynamic List (EDL)

L1 Bithead

Error fetching External Dynamic List (EDL)

Hello,
When trying to fetch an EDL from a web server configured without support for TLSv1 (only support TLSv1.1 or 1.2) the result is "Server error : URL access error".
I don't know if the PAN-OS 7.1.18 fetch client for EDL only supports TLSv1. Checking cipher compatibility for 7.1, I can't find the answer:
https://www.paloaltonetworks.com/documentation/global/compatibility-matrix/supported-cipher-suites/c...
Thanks in advance.

Regards.

L4 Transporter

Re: Error fetching External Dynamic List (EDL)

Is the EDL external to your network?  If so, is there a security policy (and likely a nat policy) allowing the management interface of the firewall to access it?  AFAIK, TLS 1.1 and 1.2 are supported

L7 Applicator

Re: Error fetching External Dynamic List (EDL)

@fjmjugr,

As @JoeAndreini stated, I'm willing to bet that this is a security/NAT policy issue more than anything else.

L1 Bithead

Re: Error fetching External Dynamic List (EDL)

Hi Joe,

Thanks for your answer.

The web server is internal and there isn't any problem if we use HTTP instead of HTTPS, or HTTPS with TLSv1 enabled.

With TLSv1, 1.1 & 1.2 enabled at the web server, logs show the FW is negotiating TLSv1:
[18/Jul/2018:21:32:26 +0200] *.*.*.* TLSv1 ECDHE-RSA-AES256-SHA "GET /***** HTTP/1.1" 8
But if we disable TLSv1, the result is "Server error : URL access error" when testing it from CLI.
Sorry, probably I'm not being clear:
1. Web server with only TLS 1.1 and TLS 1.2 enabled -> result: error

2. Web server with all TLS versions (1.0, 1.1 & 1.2) -> result: success (negotiating v1.0).
Apparently this is not related to policy.

Thanks!

Regards.
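
Before disabling TLSv1 on the EDL web server, it helps to know which clients would be cut off. The following added example (not from this thread and not Palo Alto Networks code) parses Apache ssl_request_log style lines, assumed to match the format of the line quoted above, and lists the clients that only ever negotiated a legacy protocol; the sample log lines are constructed.

```python
import re
from collections import defaultdict

# Apache ssl_request_log style line, assumed format:
#   "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\]\s+(?P<host>\S+)\s+(?P<proto>TLSv[\d.]+|SSLv\d)\s+'
    r'(?P<cipher>\S+)\s+"(?P<request>[^"]*)"\s+(?P<bytes>\S+)\s*$'
)

# Constructed sample log (hosts, paths and counts are invented for the example)
SAMPLE_LOG = """\
[18/Jul/2018:21:32:26 +0200] 10.0.0.1 TLSv1 ECDHE-RSA-AES256-SHA "GET /edl/blocklist.txt HTTP/1.1" 8
[18/Jul/2018:21:33:10 +0200] 10.0.0.1 TLSv1 ECDHE-RSA-AES256-SHA "GET /edl/blocklist.txt HTTP/1.1" 8
[18/Jul/2018:21:35:02 +0200] 10.0.0.25 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "GET /edl/blocklist.txt HTTP/1.1" 8
[18/Jul/2018:21:36:47 +0200] 10.0.0.30 TLSv1.1 ECDHE-RSA-AES128-SHA "GET /index.html HTTP/1.1" 512
this line is deliberately malformed and must be skipped
"""

# Protocol versions an admin would typically disable
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1"}


def parse_ssl_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def protocols_by_client(text):
    """Map client host -> {negotiated protocol: number of requests}."""
    table = defaultdict(lambda: defaultdict(int))
    for rec in parse_ssl_log(text):
        table[rec["host"]][rec["proto"]] += 1
    return {host: dict(protos) for host, protos in table.items()}


def clients_blocked_by_disabling_legacy(text):
    """Hosts that only ever negotiated a legacy protocol: they break once it is disabled."""
    blocked = [host for host, protos in protocols_by_client(text).items()
               if set(protos) <= LEGACY_PROTOCOLS]
    return sorted(blocked)


if __name__ == "__main__":
    for host, protos in protocols_by_client(SAMPLE_LOG).items():
        print(host, protos)
    print("would break if TLSv1 is disabled:", clients_blocked_by_disabling_legacy(SAMPLE_LOG))
```

Run it against the server's real ssl_request_log; a firewall that only appears with TLSv1 is the client that will start returning "URL access error" after the change.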
L7 Applicator

Re: Error fetching External Dynamic List (EDL)

@fjmjugr,

Are you using a certificate profile when you go to grab that EDL? 

L4 Transporter

Re: Error fetching External Dynamic List (EDL)

Is the certificate signed by a trusted external CA?  Make sure the root/intermediate certificates are in the trusted root store.

L1 Bithead

Re: Error fetching External Dynamic List (EDL)

@BPry, I think authentication for EDL is a new feature of PAN-OS 8.0, but I'm using 7.1.18
https://www.paloaltonetworks.com/documentation/80/pan-os/newfeaturesguide/authentication-features/au...
@JoeAndreini I think that is not necessary (using 7.1). For example, I'm testing MineMeld and at this moment I'm using a self-signed certificate & the MM CA. With that configuration, firewalls can fetch EDLs from MM without having included the CA on them.
I found a resolved issue:
PAN-85047
Fixed an issue where the firewall failed to retrieve a domain list from an external dynamic list (EDL) server over a TLSv1.0 connection.

but it is for 8.0.7 and only talks about TLSv1 (probably not related to my initial question).
Thank you both for your suggestions.

Regards.