This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Panorama 8.0 - EDL & Certificate Profile

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Panorama 8.0 - EDL & Certificate Profile

Go to solution
PerTenggren
L2 Linker

‎03-16-2017 12:48 PM

Hi all, 

 

I just ran into an issue while creating an External Dynamic List in Panorama 8.0. The source is a HTTPS address that requries a certificate profile for validation, so far so good. The problem is that I can't select any certificate profile, the list is empty. There's a certificate profile created under Device > Certificate Management > Certificate Profile for a template. 

 

Any suggestion what can be wrong or how to do this in a correct way?

 

Capture.JPG

 

Capture.JPG

 

Br,

Per Tenggren

Br.
Per Tenggren
2 people had this problem.
0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
PerTenggren
L2 Linker

‎03-16-2017 02:36 PM

After further investigation it seems that EDL created as "shared" can't list any certificate profile, but it works if assigning the EDL to a specific device group.

Br.
Per Tenggren

View solution in original post

(1)
5 REPLIES 5

Go to solution
ansharma
L4 Transporter

‎03-16-2017 01:37 PM

Hi PerTenggren,

 

Thanks for posting in the community forums!

 

I tested this out.


Verify if the firewall is also running 8.0. I can replicate this behavior if the Panorama is 8.0 while the firewall is pre-8.0. Secondly, check from the firewall itself, if you are able to create a EDL(with https link) and associate a certificate profile. This is an excerpt from the Admin Guide of the Panorama:

 

If the external dynamic list has an HTTPS URL, select an existing certificate profile (firewall and Panorama) or create a new Certificate Profile (firewall only) for authenticating the web server that hosts the list. For more information on configuring a certificate profile, see Device > Certificate Management > Certificate Profile.
Default: None (Disable Cert profile)
To maximize the number of external dynamic lists that you can use to enforce policy, use the same certificate profile to authenticate external dynamic lists that use the same source URL so that the lists count as only one external dynamic list. External dynamic lists from the same source URL that use different certificate profiles are counted as unique external dynamic lists.

 

Hope this helps.

 

Regards,

Anurag

================================================================
ACE 7.0, 8.0, PCNSE 7
0 Likes Likes

Go to solution
BPry
Cyber Elite
Cyber Elite

‎03-16-2017 01:40 PM

First guess would be that you are missing the intermediate cert on your cert profile. The full chain needs to be included ...because reasons 😉 

0 Likes Likes

Go to solution
PerTenggren
L2 Linker

‎03-16-2017 02:36 PM

After further investigation it seems that EDL created as "shared" can't list any certificate profile, but it works if assigning the EDL to a specific device group.

Br.
Per Tenggren
(1)

Go to solution
ansharma
L4 Transporter
In response to PerTenggren

‎03-16-2017 02:46 PM

Tested that and yes, you are correct! This makes sense to me, as it cannot check whether it's present on a particular device group or not, within a configuration piece.
================================================================
ACE 7.0, 8.0, PCNSE 7

Go to solution
ice-quake
L2 Linker

‎01-04-2019 12:47 PM - edited ‎01-04-2019 12:50 PM

I ran into the same issue.  Seems to be a design issue depending on your device group hierarchy.  In my case my firewalls are in a DG under an organizational DG.  For example shared > datacenter firewalls > data center A.  The issue is that I am managing security policy in the "datacenter firewalls" DG, which doesn't have any devices assigned to it - this is the issue.   But I'm not able to create an EDL in the "datacenter firewalls" DG and reference a cert file from the template.  I hope Palo dev fixes this.

 

  • 1 accepted solution
  • 14856 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks