03-13-2025 03:57 AM
Hi all,
I have some doubts regarding the Cortex XDR agent certificate. I have gone through multiple blogs, which provided some insights, but I am still unable to see the complete picture. Below are the key facts I have gathered so far:
New Certificate Enforcement: Cortex XDR enforced a new certificate because the old certificate was vulnerable to MITM (Man-in-the-Middle) attacks. The previous implementation accepted any certificate for communication as long as it was signed. To mitigate this, Palo Alto Networks now enforces a certificate issued exclusively by them, ensuring stricter validation.
Certificate Enforcement in Different Machines: In new machines, the agent certificate enforcement is enabled by default in agent settings. However, for older machines, the default setting was Disabled (Notify), requiring manual activation. Despite this, I have observed cases where both the old certificate (Trusted Root Certification Authority) and the new certificate (root.pem) are present on the same endpoint. Why does this happen?
Certificate Contents and Purpose: The certificate lists multiple well-known names such as Microsoft, Google, and DigiCert, among others. Does this imply that the certificate is used for communication beyond the Cortex XDR server?
🔹 How does communication with the Cortex XDR server differ between the old and new certificates?
🔹 Why are both the old and new certificates available on some machines?
🔹 How was the old agent certificate used for communication before the enforcement change?
🔹 Do the names listed in the certificate indicate that Cortex XDR communicates with third parties other than the XDR server?
Any insights on these points would be greatly appreciated.
Thanks,
03-17-2025 03:47 AM
Hello @Vinothkumar_SBA,
To answer your questions:
How does communication with the Cortex XDR server differ between the old and new certificates?
Old Certificate:
The agent uses a wildcard certificate (*.traps.paloaltonetworks.com) verified by the GoDaddy Root Certificate Authority G2.
The root CA is installed under the computer's trusted root certificate authority store.
The agent checks the roots.pem file for the root certificate and falls back to the local store if not found.
New Certificate:
The agent uses the roots.pem file for certificate validation, eliminating the fallback to the local store.
Why are both the old and new certificates available on some machines?
The agent checks the roots.pem file for the root certificate and falls back to the local store if not found, which makes the agent partially protected.
How was the old agent certificate used for communication before the enforcement change?
Explained in the first point.
Do the names listed in the certificate indicate that Cortex XDR communicates with third parties other than the XDR server?
Please confirm the attribute where it is mentioned. Also, is it for the old or the new certificate?
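To make the difference between the two validation behaviours described in the answer concrete, here is an added example written for this thread. It is not Cortex XDR agent code, and Go's standard crypto/x509 package stands in for whatever TLS stack the agent actually uses. It constructs a throwaway vendor root and encodes it as the contents of roots.pem, a second throwaway root standing in for any CA already present in the machine's local store, and one server certificate from each root for the same placeholder hostname. The hostname and both CA names are constructed. The pinned-only policy accepts only the vendor-issued certificate; the fallback policy also accepts the certificate chained to the local-store root, which is the partial protection the answer refers to.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newCert issues a test certificate with a fresh P-256 key. With parent == nil the
// certificate is self-signed (a root CA); otherwise it is signed by parent/parentKey.
func newCert(cn string, dns []string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		DNSNames:              dns,
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// verifyPinnedOnly models the new policy: only the roots in roots.pem are consulted.
func verifyPinnedOnly(leaf *x509.Certificate, pinned *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pinned, DNSName: host})
	return err
}

// verifyWithFallback models the old policy: roots.pem first, then the local store.
// It reports which store accepted the certificate.
func verifyWithFallback(leaf *x509.Certificate, pinned, localStore *x509.CertPool, host string) (string, error) {
	if verifyPinnedOnly(leaf, pinned, host) == nil {
		return "roots.pem", nil
	}
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: localStore, DNSName: host}); err == nil {
		return "local-store", nil
	}
	return "", errors.New("not trusted by roots.pem or the local store")
}

// Outcome records both policies' decisions for the two constructed server certificates.
type Outcome struct {
	PinnedLegitErr, PinnedOtherErr           error
	FallbackLegitSource, FallbackOtherSource string
}

// runScenario builds the constructed roots and leaves and evaluates both policies.
func runScenario() (Outcome, error) {
	const host = "xdr-server.example.com" // constructed placeholder, not a real endpoint
	var err error
	issue := func(cn string, dns []string, isCA bool, p *x509.Certificate, pk *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
		c, k, e := newCert(cn, dns, isCA, p, pk)
		if e != nil && err == nil {
			err = e
		}
		return c, k
	}
	vendorRoot, vendorKey := issue("Constructed Vendor Root CA", nil, true, nil, nil)
	legit, _ := issue(host, []string{host}, false, vendorRoot, vendorKey)
	localRoot, localKey := issue("Constructed Local-Store Root CA", nil, true, nil, nil)
	other, _ := issue(host, []string{host}, false, localRoot, localKey)
	if err != nil {
		return Outcome{}, err
	}
	// roots.pem: the pinned bundle, parsed exactly as a PEM file read from disk would be.
	rootsPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: vendorRoot.Raw})
	pinned := x509.NewCertPool()
	if !pinned.AppendCertsFromPEM(rootsPEM) {
		return Outcome{}, errors.New("roots.pem contained no parsable certificate")
	}
	localStore := x509.NewCertPool() // stands in for the OS trusted root store
	localStore.AddCert(localRoot)

	var o Outcome
	o.PinnedLegitErr = verifyPinnedOnly(legit, pinned, host)
	o.PinnedOtherErr = verifyPinnedOnly(other, pinned, host)
	o.FallbackLegitSource, _ = verifyWithFallback(legit, pinned, localStore, host)
	o.FallbackOtherSource, _ = verifyWithFallback(other, pinned, localStore, host)
	return o, nil
}

func main() {
	o, err := runScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("pinned-only, vendor-issued cert: err=%v\n", o.PinnedLegitErr)
	fmt.Printf("pinned-only, local-store-issued cert: err=%v\n", o.PinnedOtherErr)
	fmt.Printf("fallback, vendor-issued cert accepted via: %s\n", o.FallbackLegitSource)
	fmt.Printf("fallback, local-store-issued cert accepted via: %s\n", o.FallbackOtherSource)
}
```

Run it with `go run` on a single file. The one line that matters for the policy is the pool handed to `x509.VerifyOptions`: building it solely from the roots.pem bytes is what removes the dependency on every CA the machine happens to trust; a real client would read that file from disk with the same `AppendCertsFromPEM` call.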