This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Policies without certificate enforcement enabled warning message

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Policies without certificate enforcement enabled warning message

Aneesh
L1 Bithead

‎02-27-2024 09:47 PM

Hi Team,

 

Recently I got a warning message in cortex saying that "Some of your endpoints have policies without Certificate Enforcement enabled". And by checking it further I could see that, this is to increase protection on the agent's communication by enforcing the use of root CA provided by Cortex (rather than on the local machine). 

 

It was in disabled state since I started using it and why it gives warning message now?

 

Can I get more clarity on this and what will be the impact if I enable this feature.

 

I am using Cortex XDR Version 3.9

 

Thanks in advance.

 

Cortex XDR 

Cortex XDR
Thumbnail of Cortex XDR
Palo Alto Networks
Cortex XDR
Security Operations
View on Product Page
3 people had this problem.
0 Likes Likes
22 REPLIES 22

aspatil
L5 Sessionator

‎02-27-2024 10:28 PM

Hello @Aneesh ,

 

Thanks for reaching out on LiveCommunity!

 

The banner showing Some of your endpoints have policies without Certificate Enforcement enabled is by design. Notify(Disabled) will be the default setting. The main motivation is to push customers to enable (or disable) the feature and move from Notify to one of the other modes.

 

If you feel this has answered your query, please let us know by clicking on "mark this as a Solution". Thank you.

Ashutosh Patil
0 Likes Likes

Aneesh
L1 Bithead
In response to aspatil

‎02-28-2024 12:58 AM

Hi @aspatil,

 

Thanks for the speedy response.

 

I understand this but my query was,

 

It was in disabled state since I started using it and why it gives warning message now?

 

Can I get more clarity on this and what will be the impact if I enable this feature.

 

Rindsland
L1 Bithead

‎02-28-2024 01:46 AM

It gives also a Risk warning for Default Policy, which I cannot edit (or I don't know how).

0 Likes Likes

Blake_Volk
L1 Bithead

‎02-28-2024 06:07 PM

I am also curious what is the user impact, or the impact of enabling this feature?

0 Likes Likes

aspatil
L5 Sessionator

‎02-28-2024 10:13 PM

Hello Everyone,


Until now, typically certificates are validated by checking the signature hierarchy; MyCert is signed by IntermediateCert which is signed by RootCert, and RootCert is listed in my computer's "certificates to trust" store. Enabling the feature, makes the agent not to use the Local Root CA certificate Store anymore and use only the pinned roots.pem certificate file, this way protecting from Man In The Middle (MITM) attacks. For this the requirement for the agent is 8.3

 

Below is the path for the supported OS, where you can find the certificate.

  • Windows – "C:\Program Files\Palo Alto Networks\Traps\config\roots.pem”
  • macOS – “/Library/Application Support/PaloAltoNetworks/Traps/config”

For example, MITM attack can be implemented, where an attacker can configure a malicious secure proxy communication that will be used by the machine, diverting and intercepting all the agent’s communication securely. The secure communication can can be achieved by using a legitimate Root certificate installed by the attacker in the machine’s Root certificate store

Not using the Local Store and only using the trusted roots.pem file, can avoid this kind of attack.

 

Talking about the impact, please find the below information:

The agent checks for the root certificate in the roots.pem. If the Root signer is not found in roots.pem, the agent will check in the machine’s local store as fallback 

If the agent can verify the certificate using one of the methods above, the communications succeeds.

Kindly find more information on enforcement levels:

aspatil_0-1709187024650.png

 

Disabled (notify) default: 

  • Agents use using the computer’s Trusted Root Certification Authority Store (aka Local Store)
  • All risky notification banners will show

Disabled:

  • Agents use using the computer’s Trusted Root Certification Authority Store (aka Local Store)
  • All risky notification banners will show

Enabled:

  • Agents starts with learning mode phase
  • Verify these 2 conditions
  1. For at least 20 minutes, agents did not fallback to the local store
  2. At least 2 successful heartbeats in the last 20 minutes
  • If succeeded, changes from learning mode to Checks 2 conditions first
  • In learning mode, agent’s operational status may show “Partially Protected”
  • Failure to pass the learning mode, agents stay in Partially protected until the feature is Disabled/disabled (notify)

If you feel this has answered your query, please let us know by clicking on "mark this as a Solution". Thank you.

Ashutosh Patil
(1)

aspatil
L5 Sessionator

‎02-28-2024 10:14 PM

Hello @Rindsland ,

You can edit the default policy and update the Agent profile with the certificate enforcement enabled.

 

 

Ashutosh Patil
0 Likes Likes

micomi
L2 Linker
In response to aspatil

‎02-29-2024 05:30 AM

Hi @aspatil 

Thank you for this explanation. Does the certificate enforcement only affect the XDR agent communication or the whole communication of the OS?

0 Likes Likes

JGrover1
L0 Member

‎02-29-2024 10:43 AM

How do you edit the Default Agent Settings profile though?

JGrover1_0-1709232165786.png

 

0 Likes Likes

aspatil
L5 Sessionator
In response to micomi

‎03-01-2024 12:02 AM

Hello @micomi ,

It only affects Agent communication.

Ashutosh Patil

aspatil
L5 Sessionator
In response to JGrover1

‎03-01-2024 12:03 AM

@JGrover1 

It talks about the policy, you can duplicate the default agent settings profile, enable the Certificate enforcement and append to all the policies which uses default Agent setting profiles.

Ashutosh Patil
0 Likes Likes

Geismann
L0 Member

‎03-01-2024 04:57 AM

@JGrover1 

I have the same problem that you can't adjust or delete the default profiles and the warning still appears.

0 Likes Likes

Silva
L1 Bithead
In response to aspatil

‎03-04-2024 10:44 AM

Hello @aspatil, I hope you are doing well.

Do you know if is there a KB or a kind of documentation with such a level of detail that you said?

Unfortunately, the release notes of version 8.3 doesn't bring this level of detailing.

Thanks a lot for your explanation!

Regards

 

 

0 Likes Likes

aspatil
L5 Sessionator
In response to Silva

‎03-04-2024 09:10 PM

Hello @Silva ,

 

You can find it in Changed Features section:
https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Release-Notes/February-2024

Ashutosh Patil

aspatil
L5 Sessionator
In response to Geismann

‎03-04-2024 09:11 PM

Hello @Geismann ,

 

Would suggest you to reach out to SE or open a TAC case for more information

Ashutosh Patil
0 Likes Likes
  • 8315 Views
  • 22 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks