Cortex xdr agent certificate


L3 Networker

Hi all,

I have some doubts regarding the Cortex XDR agent certificate. I have gone through multiple blogs, which provided some insights, but I am still unable to see the complete picture. Below are the key facts I have gathered so far:

  1. New Certificate Enforcement: Cortex XDR enforced a new certificate because the old certificate was vulnerable to MITM (Man-in-the-Middle) attacks. The previous implementation accepted any certificate for communication as long as it was signed. To mitigate this, Palo Alto Networks now enforces a certificate issued exclusively by them, ensuring stricter validation.

  2. Certificate Enforcement in Different Machines: In new machines, the agent certificate enforcement is enabled by default in agent settings. However, for older machines, the default setting was Disabled (Notify), requiring manual activation. Despite this, I have observed cases where both the old certificate (Trusted Root Certification Authority) and the new certificate (root.pem) are present on the same endpoint. Why does this happen?

  3. Certificate Contents and Purpose: The certificate lists multiple well-known names such as Microsoft, Google, and DigiCert, among others. Does this imply that the certificate is used for communication beyond the Cortex XDR server?

Questions I Need Clarified:

🔹 How does communication with the Cortex XDR server differ between the old and new certificates?
🔹 Why are both the old and new certificates available on some machines?
🔹 How was the old agent certificate used for communication before the enforcement change?
🔹 Do the names listed in the certificate indicate that Cortex XDR communicates with third parties other than the XDR server?

Any insights on these points would be greatly appreciated.


Thanks,


L5 Sessionator

Hello @Vinothkumar_SBA,

To answer your questions:

How does communication with the Cortex XDR server differ between the old and new certificates?

Old Certificate:

  • The agent uses a wildcard certificate (*.traps.paloaltonetworks.com) verified by the GoDaddy Root Certificate Authority G2.
  • The root CA is installed under the computer's trusted root certificate authority store.
  • The agent checks the roots.pem file for the root certificate and falls back to the local store if not found.

New Certificate:

  • The agent will solely rely on the roots.pem file for certificate validation, eliminating the fallback to the local store.
  • This change mitigates MITM attacks where an attacker could use a legitimate root certificate installed in the machine's root certificate store to intercept communications.

Why are both the old and new certificates available on some machines?

The agent checks the roots.pem file for the root certificate and falls back to the local store if it is not found, which leaves the agent only partially protected.

How was the old agent certificate used for communication before the enforcement change?

Explained in the first point.

Do the names listed in the certificate indicate that Cortex XDR communicates with third parties other than the XDR server?

Could you please confirm the attribute where it is mentioned? And also, is it for the old or the new certificate?

Ashutosh Patil
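To make the difference between the two validation modes concrete, here is an added example (not code from Palo Alto Networks or the Cortex XDR agent) that models the behaviour described in the reply above. It builds two constructed, self-signed roots with Go's standard library: a "vendor" root that stands in for the contents of roots.pem, and a "rogue" root that stands in for a root an attacker has managed to get into the machine's local trust store. Each root signs a leaf for *.traps.paloaltonetworks.com (the wildcard name the reply mentions). The old policy falls back to the local store when the chain is not found in roots.pem (treating "not found" as either the file being absent or the chain not terminating in one of its roots is an assumption made for the example); the enforced policy uses roots.pem only and fails closed. The type and function names are the example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// template returns a minimal CA or server-leaf certificate template (constructed for the example).
func template(cn string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage = x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{cn} // wildcard SAN, as on the page
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// mkCert issues a certificate for tmpl; self-signed when parent is nil, else signed by parentKey.
func mkCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	signer := key
	if parent == nil {
		parent = tmpl
	} else {
		signer = parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// AgentPolicy models the two validation modes described in the reply (hypothetical model, not the agent's code).
type AgentPolicy struct {
	RootsPEM        *x509.CertPool // roots shipped with the agent; nil means roots.pem is missing
	LocalStore      *x509.CertPool // the machine's trusted root certificate store
	FallbackToLocal bool           // old behaviour: true; enforced behaviour: false
}

// VerifyServer returns nil when the server leaf is acceptable for host under the policy.
func (p AgentPolicy) VerifyServer(leaf *x509.Certificate, host string) error {
	if p.RootsPEM != nil {
		if _, err := leaf.Verify(x509.VerifyOptions{Roots: p.RootsPEM, DNSName: host}); err == nil {
			return nil // chain ends in a pinned root: accepted in both modes
		}
	}
	if !p.FallbackToLocal {
		return errors.New("server certificate does not chain to a root in roots.pem") // fail closed
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: p.LocalStore, DNSName: host})
	return err // old mode: anything the local store trusts is accepted
}

// Outcome records whether each leaf was accepted under a policy.
type Outcome struct{ GenuineAccepted, RogueAccepted bool }

// RunScenario builds the constructed PKI and evaluates one policy mode against it.
func RunScenario(enforced bool) Outcome {
	vendorRoot, vendorKey := mkCert(template("Vendor Root CA (constructed)", 1, true), nil, nil)
	rogueRoot, rogueKey := mkCert(template("Rogue Root CA (constructed)", 2, true), nil, nil)
	genuine, _ := mkCert(template("*.traps.paloaltonetworks.com", 10, false), vendorRoot, vendorKey)
	rogue, _ := mkCert(template("*.traps.paloaltonetworks.com", 11, false), rogueRoot, rogueKey)

	rootsPEM := x509.NewCertPool()
	rootsPEM.AddCert(vendorRoot)
	local := x509.NewCertPool()
	local.AddCert(vendorRoot) // the public root is in the local store too
	local.AddCert(rogueRoot)  // plus a root the machine was made to trust

	p := AgentPolicy{RootsPEM: rootsPEM, LocalStore: local, FallbackToLocal: !enforced}
	host := "host.traps.paloaltonetworks.com"
	return Outcome{
		GenuineAccepted: p.VerifyServer(genuine, host) == nil,
		RogueAccepted:   p.VerifyServer(rogue, host) == nil,
	}
}

func main() {
	for _, enforced := range []bool{false, true} {
		o := RunScenario(enforced)
		fmt.Printf("enforced=%v genuine=%v rogue=%v\n", enforced, o.GenuineAccepted, o.RogueAccepted)
	}
}
```

With fallback on, both leaves are accepted, which is the "partially protected" state the reply describes: a root the host trusts is enough to be accepted as the XDR server. With enforcement on, only the leaf chaining to the vendor root in roots.pem passes, and a missing roots.pem is an error rather than a silent downgrade.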