Policies without certificate enforcement enabled warning message

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Policies without certificate enforcement enabled warning message

L1 Bithead

Hi Team,

 

Recently I got a warning message in cortex saying that "Some of your endpoints have policies without Certificate Enforcement enabled". And by checking it further I could see that, this is to increase protection on the agent's communication by enforcing the use of root CA provided by Cortex (rather than on the local machine). 

 

It was in disabled state since I started using it and why it gives warning message now?

 

Can I get more clarity on this and what will be the impact if I enable this feature.

 

I am using Cortex XDR Version 3.9

 

Thanks in advance.

 

Cortex XDR 

22 REPLIES 22

L5 Sessionator

Hello @Aneesh ,

 

Thanks for reaching out on LiveCommunity!

 

The banner showing Some of your endpoints have policies without Certificate Enforcement enabled is by design. Notify(Disabled) will be the default setting. The main motivation is to push customers to enable (or disable) the feature and move from Notify to one of the other modes.

 

If you feel this has answered your query, please let us know by clicking on "mark this as a Solution". Thank you.

Ashutosh Patil

Hi @aspatil,

 

Thanks for the speedy response.

 

I understand this but my query was,

 

It was in disabled state since I started using it and why it gives warning message now?

 

Can I get more clarity on this and what will be the impact if I enable this feature.

 

L1 Bithead

It gives also a Risk warning for Default Policy, which I cannot edit (or I don't know how).

L1 Bithead

I am also curious what is the user impact, or the impact of enabling this feature?

L5 Sessionator

Hello Everyone,


Until now, typically certificates are validated by checking the signature hierarchy;
MyCert is signed by IntermediateCert which is signed by RootCert, and RootCert is listed in my computer's "certificates to trust" store. Enabling the feature, makes the agent not to use the Local Root CA certificate Store anymore and use only the pinned roots.pem certificate file, this way protecting from Man In The Middle (MITM) attacks. For this the requirement for the agent is 8.3

 

Below is the path for the supported OS, where you can find the certificate.

  • Windows – "C:\Program Files\Palo Alto Networks\Traps\config\roots.pem”
  • macOS – “/Library/Application Support/PaloAltoNetworks/Traps/config”

For example, MITM attack can be implemented, where an attacker can configure a malicious secure proxy communication that will be used by the machine, diverting and intercepting all the agent’s communication securely. The secure communication can can be achieved by using a legitimate Root certificate installed by the attacker in the machine’s Root certificate store

Not using the Local Store and only using the trusted roots.pem file, can avoid this kind of attack.

 

Talking about the impact, please find the below information:

The agent checks for the root certificate in the roots.pem. If the Root signer is not found in roots.pem, the agent will check in the machine’s local store as fallback 

If the agent can verify the certificate using one of the methods above, the communications succeeds.

Kindly find more information on enforcement levels:

aspatil_0-1709187024650.png

 

Disabled (notify) default: 

  • Agents use using the computer’s Trusted Root Certification Authority Store (aka Local Store)
  • All risky notification banners will show

Disabled:

  • Agents use using the computer’s Trusted Root Certification Authority Store (aka Local Store)
  • All risky notification banners will show

Enabled:

  • Agents starts with learning mode phase
  • Verify these 2 conditions
  1. For at least 20 minutes, agents did not fallback to the local store
  2. At least 2 successful heartbeats in the last 20 minutes
  • If succeeded, changes from learning mode to Checks 2 conditions first
  • In learning mode, agent’s operational status may show “Partially Protected”
  • Failure to pass the learning mode, agents stay in Partially protected until the feature is Disabled/disabled (notify)

If you feel this has answered your query, please let us know by clicking on "mark this as a Solution". Thank you.

Ashutosh Patil

L5 Sessionator

Hello @Rindsland ,

You can edit the default policy and update the Agent profile with the certificate enforcement enabled.

 

 

Ashutosh Patil

Hi @aspatil 

Thank you for this explanation. Does the certificate enforcement only affect the XDR agent communication or the whole communication of the OS?

L0 Member

How do you edit the Default Agent Settings profile though?

JGrover1_0-1709232165786.png

 

Hello @micomi ,

It only affects Agent communication.

Ashutosh Patil

@JGrover1 

It talks about the policy, you can duplicate the default agent settings profile, enable the Certificate enforcement and append to all the policies which uses default Agent setting profiles.

Ashutosh Patil

L0 Member

@JGrover1 

I have the same problem that you can't adjust or delete the default profiles and the warning still appears.

Hello @aspatil, I hope you are doing well.

Do you know if is there a KB or a kind of documentation with such a level of detail that you said?

Unfortunately, the release notes of version 8.3 doesn't bring this level of detailing.

Thanks a lot for your explanation!

Regards

 

 

Hello @Silva ,

 

You can find it in Changed Features section:
https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Release-Notes/February-2024

Ashutosh Patil

Hello @Geismann ,

 

Would suggest you to reach out to SE or open a TAC case for more information

Ashutosh Patil
  • 8957 Views
  • 22 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!