Panorama Certificate Profile Breaks Refresh


L2 Linker

Hello Folks,

 

I have a strange scenario and am most likely missing something. 

I created a CA cert from a new Panorama template. I installed into the MineMeld server and verified the cert is showing up via google chrome. I then created a certificate profile and tied the CA cert to the profile.

I then created a new External Dynamic List with the certificate profile under one of my Device Groups and pushed it to a test device. The device fails on its EDLRefresh task with the error "cert validation failed". I then proceed to remove the certificate profile from the EDL under my device group and push to my test device, and the EDLRefresh task finishes successfully.

If I import the same certificate directly from my Panorama, tie it to a local certificate profile, create an EDL using the local certificate profile and commit, the EDLRefresh job succeeds as expected.

Why is it that when I push everything from my Panorama to the test device the job fails, but when I create everything locally and import the exact same certificate that the pushed config is using, it works?

I feel like I should be able to push the entire configuration from my Panorama to all of my devices. Seems like this is what Panorama is designed for. Is there some underlying issue with certificate profiles and Panorama I am missing?

 

Thanks,

Eddie

L3 Networker

I had a similar problem. I fixed mine by making sure I was setting a Subject /CN=(the IP address of the Minemeld Server) in the certificate I was creating on the Palo using the CA cert. I also added an IP certificate attribute of the MM server to the cert. I then export that cert, with the private key, and import it into MM. Then, at that point, the cert profile that uses the CA cert verifies the cert on MM successfully.

 

mm-cert-gen.PNG

...oh, and then one more thing. In the cert profile, set the user domain to the IP address of MM that you used in the Subject CN of the cert.

 

certprofile.PNG

You sir are a scholar and a gentleman. Now to try it with the authfeeds enabled.
