07-26-2018 10:22 AM
Hello Folks,
I have a strange scenario and am most likely missing something.
I created a CA cert from a new Panorama template. I installed into the MineMeld server and verified the cert is showing up via google chrome. I then created a certificate profile and tied the CA cert to the profile.
I then created a new External Dynamic List with the certificate profile under one of my Device Groups and pushed it to a test device. The device fails on its EDLRefresh task with the error "cert validation failed". I then proceed to remove the certificate profile from the EDL under my device group and push to my test device, and the EDLRefresh task finishes successfully.
If I import the same certificate directly from my Panorama and tie it to a local certificate profile, then create an EDL using the local certificate profile and commit, the EDLRefresh job succeeds as expected.
Why is it that when I push everything from my Panorama to the test device the job fails, but when I create everything locally and import the exact same certificate that the pushed config is using, it works?
I feel like I should be able to push the entire configuration from my Panorama to all of my devices. Seems like this is what Panorama is designed for. Is there some underlying issue with certificate profiles and Panorama I am missing?
Thanks,
Eddie
07-26-2018 11:08 AM
I had a similar problem. I fixed mine by making sure I was setting a Subject /CN=(the IP address of the MineMeld server) in the certificate I was creating on the Palo using the CA cert. I also added an IP certificate attribute of the MM server to the cert. I then export that cert, with the private key, and import it into MM. Then, at that point, using the cert profile that uses the CA cert to verify the cert on MM works successfully.
07-26-2018 11:10 AM
...oh, and then one more thing. In the cert profile, set the user domain to the IP address of MM that you used in the Subject CN of the cert.
07-26-2018 11:37 AM
You sir are a scholar and a gentleman. Now to try it with the authfeeds enabled.