Policies without certificate enforcement enabled warning message



Hi Team,

Recently I got a warning message in Cortex saying "Some of your endpoints have policies without Certificate Enforcement enabled". By checking further, I could see that this is to increase protection of the agent's communication by enforcing the use of the root CA provided by Cortex (rather than the one on the local machine).

It has been in the disabled state since I started using it, so why does it give a warning message now?

Can I get more clarity on this, and what will be the impact if I enable this feature?

I am using Cortex XDR Version 3.9.

Thanks in advance.

Hi @aspatil, thanks for your answer.

You described the changes about local and Palo Alto certificates with great clarity earlier in this post.

However, I couldn't find these details in the Changed Features section of the Release Information, like:

  1. For at least 20 minutes, agents did not fall back to the local store
  2. At least 2 successful heartbeats in the last 20 minutes

The release notes don't mention it, and also don't mention several other things you said in your post here:

(screenshot attached)

So where did you find it?
PS: I'm new to Palo Alto and Cortex, so I'm having a little difficulty finding good and reliable information.
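Added example, not from the thread and not Palo Alto Networks code: a small Python script that applies the two readiness conditions quoted in the reply above (no fallback to the local certificate store for at least 20 minutes, and at least 2 successful heartbeats in the last 20 minutes) to a per-agent heartbeat log. The log format, the field names and the `pinned`/`local` marker are assumptions made for the illustration; the sample log is constructed, and nothing in the thread shows that Cortex XDR exposes such a log in this form.

```python
"""Readiness check before switching agent certificate enforcement to "enabled".

Added illustration (not Cortex XDR code). It models the two conditions quoted
in the thread for an agent to be considered safe to switch:
  1. the agent has not fallen back to the local certificate store for at
     least 20 minutes, and
  2. it has completed at least 2 successful heartbeats in the last 20 minutes.
The log format and field names below are assumptions made for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=20)
MIN_HEARTBEATS = 2


@dataclass(frozen=True)
class Heartbeat:
    ts: datetime
    endpoint: str
    success: bool
    used_local_store: bool  # True when the agent fell back to the OS trust store


def parse_line(line: str) -> Heartbeat:
    # Assumed (constructed) format: "<ISO8601 UTC> <endpoint> <ok|fail> <pinned|local>"
    ts, endpoint, result, store = line.split()
    return Heartbeat(
        ts=datetime.fromisoformat(ts.replace("Z", "+00:00")),
        endpoint=endpoint,
        success=(result == "ok"),
        used_local_store=(store == "local"),
    )


def enforcement_ready(beats, now):
    """Return (ready, reason) for one endpoint's heartbeats, judged at `now`."""
    recent = [b for b in beats if now - b.ts <= WINDOW]
    # Condition 1: any fallback to the local store inside the window blocks enabling.
    if any(b.used_local_store for b in recent):
        return False, "fell back to local certificate store within the last 20 minutes"
    # Condition 2: the pinned CA path must have proven itself with enough heartbeats.
    ok = sum(1 for b in recent if b.success)
    if ok < MIN_HEARTBEATS:
        return False, f"only {ok} successful heartbeat(s) in the last 20 minutes"
    return True, "ok"


def evaluate(log_lines, now):
    """Group heartbeats per endpoint and return {endpoint: (ready, reason)}."""
    by_endpoint = {}
    for line in log_lines:
        hb = parse_line(line)
        by_endpoint.setdefault(hb.endpoint, []).append(hb)
    return {ep: enforcement_ready(beats, now) for ep, beats in by_endpoint.items()}


# Constructed sample log, not real Cortex XDR output.
SAMPLE_LOG = """\
2024-03-05T10:00:00Z host-a ok pinned
2024-03-05T10:05:00Z host-a ok pinned
2024-03-05T10:10:00Z host-a ok pinned
2024-03-05T09:30:00Z host-b ok local
2024-03-05T10:02:00Z host-b ok pinned
2024-03-05T10:09:00Z host-b ok pinned
2024-03-05T10:03:00Z host-c ok pinned
2024-03-05T10:08:00Z host-c fail pinned
2024-03-05T09:50:00Z host-d ok pinned
2024-03-05T10:01:00Z host-d ok local
""".splitlines()

NOW = datetime(2024, 3, 5, 10, 15, tzinfo=timezone.utc)

if __name__ == "__main__":
    for ep, (ready, reason) in sorted(evaluate(SAMPLE_LOG, NOW).items()):
        print(f"{ep}: {'READY' if ready else 'NOT READY'} ({reason})")
```

With the constructed log, host-a and host-b come out ready (host-b's fallback to the local store is older than the 20-minute window), host-c is blocked because only one of its two recent heartbeats succeeded, and host-d is blocked because it used the local store 14 minutes before the check.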

Hi @aspatil,

Thanks for the explanation.

Could you please clarify the steps involved in the 'enabled' state, for better understanding?

Thanks in advance.

Aneesh.

Hello @Aneesh,

Could you confirm which steps you are asking about? The complete information on what Enable means has been shared.

If you are looking for how to enable it, please follow the instructions below:

1. Endpoints -> Policy Management -> Prevention Profile

2. Edit all the Agent Settings profiles and, under the Agent Certificate section, enable it

Ashutosh Patil

Hi @aspatil,

I was referring to the steps in the enabled state that you mentioned in your reply.

Please find the snip below for your reference.

(screenshot attached)

Thanks in advance.

Aneesh

Like a few here, I have no issue with the change and editing my custom Prevention profiles, but how does one edit the Default profiles to make this change? They do not appear to be editable, but they are associated with the risk. How do we edit those default Prevention Profiles to change the agent certificate setting?

(screenshot attached)

Hi Guys,

I'm also affected by those warning messages.

My question is, if I change the agent settings to enabled, do we have to tweak/upload any certificates in the XDR portal or on the endpoints?

Thanks

In my company, we have certificates on everything (with sub-CA, root CA, etc.). When using this, will we have problems with the certificates used in our domain, or is this just a certificate for the XDR agent to communicate with the XDR tenant?

Best regards
Tiago Marques

Hi Everyone,

To get the warning to go away, you have to assign the default "Policy Rules" Windows Default and macOS Default an "Agent Settings" profile that does not have the Disabled (Notify) setting enabled.

Thanks,
Eric
