SSL Certificate Profiles - PANOS External Dynamic Lists


L0 Member

I'm running into an issue with external dynamic list threat feeds while using PANOS 8. The problem is that it seems they introduced a great feature to validate and authenticate SSL sources by validating the signing CA for the threat feeds that can induce access rule entries. This is great, although the problem I'm facing is that the implementation of the new safeguard features requires the enforcement to be controlled locally on the firewall. What!! That is great if you manage 1 firewall, but my organization has close to a dozen or more Palo devices that we manage with Panorama. Making it a requirement to manage ACLs based on the local firewall rules completely changes the architecture we had in place prior to PANOS 8. Our pre-shared and device group ACLs, which we used to safeguard against our prioritized risk blacklist while using MineMeld, have been altered. We can no longer utilize MineMeld threat intelligence feeds at this level (Panorama ACL processing level) with PANOS 8. Since our pre firewall rules are processed before our local firewall rules, our blacklist rule that is processed at Panorama pre-shared is no longer effective. We have in the past been providing a large threat feed from MineMeld into this ACL to blacklist malicious IPs and aggregate other third-party feeds into this protection method.
 
Please tell me I have my PANOS logic wrong?


Tim

4 REPLIES

L2 Linker

Did you find a solution for this? I am seeing the same problem.

 

I cannot use the SSL profile I choose on Panorama, so regardless of what I do, the individual firewall does not know about the SSL profile.

@akapucu

Try to configure the EDL in the device group where you actually have the firewalls attached. This probably means that you have to configure the same EDL multiple times in Panorama, but it at least works without configuring them locally. (I even had to configure it multiple times per firewall, as the different vsys aren't in the same device groups.)

Yeah, this is a pain. Somehow, Panorama should be able to view that profile throughout, but instead it does not, and you have to manually configure/change it on every device group... Maybe a feature request moving forward?

Depending on your security requirements, there is a solution with Panorama 8.1: there you can choose no cert profile...
