Warnings: External Dynamic List <list> is configured with no certificate profile.

L2 Linker


Warnings:

External Dynamic List <list> is configured with no certificate profile.

Please select a certificate profile for performing server certificate validation.

 

Customer went from 7.1.x to now 8.0.x and is using a MineMeld link in the External Dynamic List (EDL). This link is to an HTTPS site.

We followed this link:

https://live.paloaltonetworks.com/t5/MineMeld-Articles/How-to-Generate-New-MineMeld-HTTPS-Cert/ta-p/...

 

After doing this, the warning was still there.

We had also done this:

https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/policy/disable-authentication-for-an...

 

So when we went to choose a certificate profile, there was not an option to choose one.


 

 

Because of this, we forced the certificate profile via the CLI:

# set shared external-list Minemeld-Office-365-IP type ip certificate-profile <cert profile>

 

This resolved this issue.  Then MineMeld went to update the list and there was an Auth error and the list emptied.

Error:
description contains 'EDL server certificate authentication failed. The associated external dynamic list has been removed, which might impact your policy. EDL Name: Minemeld-Office-365-IP, EDL Source URL: https://10.x.xxx.xx/feeds/office365_IPv4s, CN: norminemeld, Reason: SSL peer certificate or SSH remote key was not OK'

 

 

The customer then went back to Panorama and removed the cert profile.

 

We have also looked at this post:
https://live.paloaltonetworks.com/t5/General-Topics/Panorama-8-0-EDL-amp-Certificate-Profile/m-p/148...

 

Namely the second to the last comment by: PerTenggren

After further investigation it seems that EDL created as "shared" can't list any certificate profile, but it works if assigning the EDL to a specific device group.

 

Customer said that: All of our policies that reference the Minemeld external dynamic list are Shared (global) in nature and cannot see a local EDL.

 

 

 

Customer is wanting to not see this warning message after commits.
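
An added example, not part of the original post or of any Palo Alto Networks tooling: a Python parser that picks the EDL authentication-failure event quoted above out of exported system-log descriptions, so that the removal of a list can be alerted on. The sample lines and the address 192.0.2.10 are constructed, and the host-versus-CN comparison is only a hint for what to inspect, not a diagnosis of this case.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample descriptions, modeled on the error quoted in the post.
SAMPLE_LOGS = [
    "EDL server certificate authentication failed. The associated external dynamic "
    "list has been removed, which might impact your policy. EDL Name: "
    "Minemeld-Office-365-IP, EDL Source URL: https://192.0.2.10/feeds/office365_IPv4s, "
    "CN: norminemeld, Reason: SSL peer certificate or SSH remote key was not OK",
    "EDL server certificate authentication failed. The associated external dynamic "
    "list has been removed, which might impact your policy. EDL Name: Example-URL-List, "
    "EDL Source URL: https://feeds.example.test/feeds/urls, CN: feeds.example.test, "
    "Reason: SSL peer certificate or SSH remote key was not OK",
    "External Dynamic List Example-URL-List refreshed successfully",  # unrelated line
]

# Field layout follows the description text shown in the post.
EDL_AUTH_FAIL = re.compile(
    r"EDL server certificate authentication failed\..*?"
    r"EDL Name: (?P<name>[^,]+), EDL Source URL: (?P<url>\S+), "
    r"CN: (?P<cn>[^,]+), Reason: (?P<reason>.+)$"
)


def parse_edl_auth_failures(lines):
    """Return one dict per EDL certificate authentication failure in the log lines."""
    events = []
    for line in lines:
        m = EDL_AUTH_FAIL.search(line.strip().strip("'"))
        if not m:
            continue
        ev = m.groupdict()
        host = urlsplit(ev["url"]).hostname or ""
        try:
            ipaddress.ip_address(host)
            ev["host_is_ip"] = True
        except ValueError:
            ev["host_is_ip"] = False
        # Hint only: the URL host differs from the certificate CN reported in the log.
        ev["host_differs_from_cn"] = host.lower() != ev["cn"].strip().lower()
        # The list was emptied, so policies referencing it no longer match its entries.
        ev["list_removed"] = "has been removed" in line
        events.append(ev)
    return events


if __name__ == "__main__":
    for event in parse_edl_auth_failures(SAMPLE_LOGS):
        print(event)
```
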

 

L7 Applicator

Re: Warnings: External Dynamic List <list> is configured with no certificate profile.

Hi @DaBone,

this looks like a problem with the configuration of PAN-OS and Panorama, have you opened a ticket with Palo Alto Networks TAC?

 

Thanks,

luigi

L2 Linker

Re: Warnings: External Dynamic List <list> is configured with no certificate profile.

Hi @DaBone,

 

Are you trying to push Certificates and profiles from Panorama to the FWs? If you have Device Group parent with policies defined and child DGs with firewalls, you will need to put a fake serial number in the parent DG and the same fake serial number in the template that you have the certificates in.

 

Make sure you have enough device licenses in Panorama to add this fake serial number. When you commit the changes to Panorama and then push the DG and Template changes to the firewall, you should see the certificate and profile in your firewalls to make your EDLs.

 

LG.

L1 Bithead

Re: Warnings: External Dynamic List <list> is configured with no certificate profile.

Has anyone been able to verify if the workaround suggested by LG resolves the issue?

L4 Transporter

Re: Warnings: External Dynamic List <list> is configured with no certificate profile.

We also set up EDLs in the "shared" device-group and we're unable to attach a cert-profile to those EDLs. However, if we clone that EDL into a device-group leaf we get to choose a cert-profile.

 

It's not really an option for us to clone an EDL into each device-group. We also had to build individual security rules this way. So we keep the shared EDL for now, without any cert-profile attached. 

 

(we're running v8.1.3 of Panorama)

L3 Networker

Re: Warnings: External Dynamic List <list> is configured with no certificate profile.

Same issue here.  This is another example of the limitations between device-groups and templates. This really needs to be addressed.

L1 Bithead

Re: Warnings: External Dynamic List <list> is configured with no certificate profile.

Any news regarding this issue?

L7 Applicator

Re: Warnings: External Dynamic List <list> is configured with no certificate profile.

Hi @erikda @DaBone,

do you have a case open with TAC about this? I would like to bring the discussion to our Product Management.

L2 Linker

Re: Warnings: External Dynamic List <list> is configured with no certificate profile.

@lmori

 

My case 01048381.

L2 Linker

Re: Warnings: External Dynamic List <list> is configured with no certificate profile.

@lmori

Sorry I forgot about this post.  

00717965 case, it is now resolved.
