02-27-2024 09:47 PM
Hi Team,
Recently I got a warning message in Cortex saying "Some of your endpoints have policies without Certificate Enforcement enabled". By checking it further I could see that this is to increase protection on the agent's communication by enforcing the use of the root CA provided by Cortex (rather than the one on the local machine).
It has been in the disabled state since I started using it, so why does it give a warning message now?
Can I get more clarity on this, and what will be the impact if I enable this feature?
I am using Cortex XDR Version 3.9
Thanks in advance.
02-27-2024 10:28 PM
Hello @Aneesh,
Thanks for reaching out on LiveCommunity!
The banner showing "Some of your endpoints have policies without Certificate Enforcement enabled" is by design. Notify (Disabled) will be the default setting. The main motivation is to push customers to enable (or disable) the feature and move from Notify to one of the other modes.
If you feel this has answered your query, please let us know by clicking on "mark this as a Solution". Thank you.
02-28-2024 12:58 AM
Hi @aspatil,
Thanks for the speedy response.
I understand this, but my query was:
It has been in the disabled state since I started using it, so why does it give a warning message now?
Can I get more clarity on this, and what will be the impact if I enable this feature?
02-28-2024 06:07 PM
I am also curious what the user impact is, or the impact of enabling this feature.
02-28-2024 10:13 PM
Hello Everyone,
Until now, certificates have typically been validated by checking the signature hierarchy: MyCert is signed by IntermediateCert, which is signed by RootCert, and RootCert is listed in my computer's "certificates to trust" store. Enabling the feature makes the agent stop using the local Root CA certificate store and use only the pinned roots.pem certificate file, which protects against Man-in-the-Middle (MITM) attacks. For this, the requirement for the agent is 8.3.
Below is the path for the supported OS where you can find the certificate.
For example, a MITM attack can be implemented where an attacker configures a malicious secure proxy that the machine will use, diverting and intercepting all of the agent's communication securely. The secure communication can be achieved by using a legitimate Root certificate installed by the attacker in the machine's Root certificate store.
Not using the local store and only using the trusted roots.pem file can avoid this kind of attack.
Talking about the impact, please find the information below:
The agent checks for the root certificate in roots.pem. If the root signer is not found in roots.pem, the agent will check in the machine's local store as a fallback.
If the agent can verify the certificate using one of the methods above, the communication succeeds.
Kindly find more information on enforcement levels:
Disabled (notify) default:
Disabled:
Enabled:
If you feel this has answered your query, please let us know by clicking on "mark this as a Solution". Thank you.
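The two verification paths described above (pinned roots first, local store only as a fallback), modelled as an added example that is not from this thread or from Palo Alto Networks, written in Go with only the standard library. The CA names, keys and certificates are constructed in the code; the two certificate pools stand in for roots.pem and the machine's local root store, and the "enforce" flag stands in for the Certificate Enforcement setting.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue mints a certificate for cn signed by parent (self-signed when parent is nil).
func issue(cn string, ca bool, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: ca,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature}
	if parent == nil {
		parent, pkey = t, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, pub, pkey)
	c, _ := x509.ParseCertificate(der)
	return c, key
}
// verify follows the order the thread describes: pinned roots (roots.pem) first, local store only if enforcement is off.
func verify(leaf *x509.Certificate, inters, pinned, local *x509.CertPool, enforce bool) error {
	opts := x509.VerifyOptions{Roots: pinned, Intermediates: inters}
	if _, err := leaf.Verify(opts); err == nil || enforce {
		return err
	}
	opts.Roots = local
	_, err := leaf.Verify(opts)
	return err
}
// Scenario: a vendor chain (root -> intermediate -> server) versus a server cert under a proxy root added to the local store.
func Scenario() (legitEnforced, rogueFallback, rogueEnforced bool) {
	vRoot, vKey := issue("Vendor Root CA", true, nil, nil)
	vInter, vIKey := issue("Vendor Intermediate CA", true, vRoot, vKey)
	vLeaf, _ := issue("agent-server.example", false, vInter, vIKey)
	pRoot, pKey := issue("Local Proxy Root CA", true, nil, nil)
	pLeaf, _ := issue("agent-server.example", false, pRoot, pKey)
	inters, pinned, local := x509.NewCertPool(), x509.NewCertPool(), x509.NewCertPool()
	inters.AddCert(vInter)
	pinned.AddCert(vRoot) // stands in for roots.pem: the vendor root only
	local.AddCert(vRoot)  // stands in for the OS root store: the vendor root plus
	local.AddCert(pRoot)  // the proxy root that was installed on the machine
	legitEnforced = verify(vLeaf, inters, pinned, local, true) == nil
	rogueFallback = verify(pLeaf, inters, pinned, local, false) == nil
	rogueEnforced = verify(pLeaf, inters, pinned, local, true) == nil
	return
}
```

Scenario() returns true, true, false: the vendor chain still verifies with enforcement on, the proxy-issued certificate is accepted only while the local store remains a fallback, and it is rejected once only roots.pem is trusted.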
02-28-2024 10:14 PM
Hello @Rindsland,
You can edit the default policy and update the Agent profile with the certificate enforcement enabled.
02-29-2024 05:30 AM
Hi @aspatil
Thank you for this explanation. Does the certificate enforcement only affect the XDR agent communication or the whole communication of the OS?
03-01-2024 12:03 AM
It talks about the policy: you can duplicate the default Agent Settings profile, enable Certificate Enforcement, and append it to all the policies that use the default Agent Settings profile.
03-04-2024 10:44 AM
Hello @aspatil, I hope you are doing well.
Do you know if there is a KB or some kind of documentation with the level of detail you gave?
Unfortunately, the release notes for version 8.3 don't bring this level of detail.
Thanks a lot for your explanation!
Regards
03-04-2024 09:10 PM
Hello @Silva,
You can find it in Changed Features section:
https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Release-Notes/February-2024
03-04-2024 09:11 PM
Hello @Geismann,
I would suggest you reach out to your SE or open a TAC case for more information.