I am dealing with an issue in which the Palo Alto is in proxy mode. The issue is concerning endpoints being able to access a cloud tenant to register (install) a component.. The FQDN of the cloud tenant has been added as an allowance for these endpoints, they are member servers that have exceptions made for Internet access to certain sites. Multiple endpoints within my org are able to register to the tenant, so I don't believe that there is an over-arching issue with the proxy. That being said, the tenant provider has a requirement for two GoDaddy certs to be present on the endpoints to allow for registration (install) of the tenant's cloud component. On the endpoints themselves, both of the GoDaddy certs are present within their local certificate stores. However on the Palo Alto proxy, there is only one GoDaddy cert listed within the Device's "Default Trusted Certificate Authorities" list. Would anyone know if both GoDaddy certs would need to be in this list as well?
If you attempt to hit the registration URL does your endpoint actually trust the certificate being presented? Have you enabled interzone-default logging and verified that endpoints seeing the registration issue don't have any associated denied traffic?
As a test to ensure that decryption is actually an issue, I would temporarily exclude one of the endpoints that are failing to register and see if it actually registers properly or not when you try again.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!