07-19-2018 12:08 AM
Hello,
When trying to fetch an EDL from a web server configured without support for TLSv1 (only supporting TLSv1.1 or 1.2), the result is "Server error : URL access error".
I don't know if the PAN-OS 7.1.18 fetch client for EDL only supports TLSv1. Checking cipher compatibility for 7.1, I can't find the answer:
Thanks in advance.
Regards.
07-19-2018 04:25 AM
Is the EDL external to your network? If so, is there a security policy (and likely a NAT policy) allowing the management interface of the firewall to access it? AFAIK, TLS 1.1 and 1.2 are supported.
07-19-2018 10:14 AM
As @JoeAndreini stated, I'm willing to bet that this is a security/NAT policy issue more than anything else.
07-19-2018 10:29 AM
Hi Joe,
Thanks for your answer.
The web server is internal and there aren't any problems if we use http instead of https, or https with TLSv1 enabled.
With TLSv1, 1.1 & 1.2 enabled at the web server, the logs show the FW is negotiating TLSv1:
[18/Jul/2018:21:32:26 +0200] *.*.*.* TLSv1 ECDHE-RSA-AES256-SHA "GET /***** HTTP/1.1" 8
But if we disable TLSv1, the result is "Server error : URL access error" when testing it from CLI.
Sorry, probably I'm not being clear:
1. Web server with only TLS 1.1 and TLS 1.2 enabled -> result: error
2. Web server with all TLS versions (1, 1.1 & 1.2) -> result: success (negotiating v1).
Apparently this is not related to policy.
Thanks!
Regards.
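Before removing TLSv1 from an EDL web server, it helps to know which clients are still negotiating it. The following is an added example, not code from this thread or from Palo Alto Networks: a small Python parser for the Apache-style SSL request log format shown in the post above (time, client, SSL_PROTOCOL, SSL_CIPHER, request, bytes) that lists the clients that would break. The sample log lines, addresses and paths are constructed.

```python
import re
from collections import Counter
# Apache-style SSL request log format, as in the line posted above:
# %t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x "%r" %b
LOG_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\]\s+'
    r'(?P<client>\S+)\s+'
    r'(?P<proto>TLSv1(?:\.\d)?|SSLv\d)\s+'
    r'(?P<cipher>\S+)\s+'
    r'"(?P<request>[^"]*)"\s+'
    r'(?P<bytes>\d+|-)\s*$'
)

# Versions that stop working once the server is restricted to TLS 1.1/1.2.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1"}

# Constructed sample lines modelled on the thread's log line (addresses and paths are made up).
SAMPLE_LOG = """\
[18/Jul/2018:21:32:26 +0200] 192.0.2.10 TLSv1 ECDHE-RSA-AES256-SHA "GET /edl/blocklist.txt HTTP/1.1" 8
[18/Jul/2018:21:33:01 +0200] 192.0.2.11 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "GET /edl/blocklist.txt HTTP/1.1" 8
[18/Jul/2018:21:34:15 +0200] 192.0.2.10 TLSv1 ECDHE-RSA-AES256-SHA "GET /edl/domains.txt HTTP/1.1" 120
not a log line at all
"""

def parse_line(line):
    """Return the fields of one log line as a dict, or None if the line is in another format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def legacy_tls_clients(log_text, legacy=LEGACY_PROTOCOLS):
    """Map each client that negotiated a legacy protocol to the set of legacy versions it used.

    Every address returned is a client (e.g. a firewall fetching an EDL) that will start
    failing once the server no longer offers those versions.
    """
    seen = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["proto"] in legacy:
            seen.setdefault(rec["client"], set()).add(rec["proto"])
    return seen

def protocol_counts(log_text):
    """Count requests per negotiated protocol version, skipping unparsable lines."""
    return Counter(rec["proto"] for rec in map(parse_line, log_text.splitlines()) if rec)

if __name__ == "__main__":
    for client, protos in sorted(legacy_tls_clients(SAMPLE_LOG).items()):
        print(f"{client} still negotiates {', '.join(sorted(protos))}")
```

Point it at the server's real SSL request log: any firewall listed in the output needs a fetch client that speaks TLS 1.1/1.2 before TLSv1 is switched off.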
07-19-2018 10:40 AM
Are you using a certificate profile when you go to grab that EDL?
07-19-2018 11:07 AM
Is the certificate signed by a trusted external CA? Make sure the root/intermediate certificates are in the trusted root store.
07-19-2018 05:08 PM
@BPry, I think authentication for EDL is a new feature of PAN-OS 8.0, but I'm using 7.1.18.
@JoeAndreini I think that is not necessary (using 7.1). For example, I'm testing MineMeld and at this moment I'm using a self-signed certificate & the MM CA. With that configuration, firewalls can fetch EDLs from MM without having the CA included on them.
I found a resolved issue:
PAN-85047 | Fixed an issue where the firewall failed to retrieve a domain list from an external dynamic list (EDL) server over a TLSv1.0 connection.
but it is for 8.0.7 and only talks about TLSv1 (probably not related to my initial question).
Thank you both for your suggestions.
Regards.