This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Warnings: External Dynamic List <list> is configured with no certificate profile.

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Palo Alto Networks Approved
Palo Alto Networks Approved
Community Expert Verified
Community Expert Verified

Warnings: External Dynamic List <list> is configured with no certificate profile.

Go to solution
DaBone
L5 Sessionator

‎08-07-2017 09:12 AM

Warnings:

External Dynamic List <list> is configured with no certificate profile.

Please select a certificate profile for performing server certificate validation.

 

Customer went from 7.1.x to now 8.0.x and is using a MineMeld link in the External Dynami List(EDL).  This link is to a https site. 

We followed this link:

https://live.paloaltonetworks.com/t5/MineMeld-Articles/How-to-Generate-New-MineMeld-HTTPS-Cert/ta-p/...

 

After doing this, the warning was still there.

We had also done this:

https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/policy/disable-authentication-for-an...

 

So when we went to choose a certificate profle, there was not an option to choose one.

minemeldcertprof.JPG

 

 

Because of this, we force the certificate profile via the CLI:

# set shared external-list Minemeld-Office-365-IP type ip certificate-profile <cert profile>

 

This resolved this issue.  Then MineMeld went to update the list and there was an Auth error and the list emptied.

Error:
description contains 'EDL server certificate authentication failed. The associated external dynamic list has been removed, which might impact your policy. EDL Name: Minemeld-Office-365-IP, EDL Source URL: https://10.x.xxx.xx/feeds/office365_IPv4s, CN: norminemeld, Reason: SSL peer certificate or SSH remote key was not OK'

 

 

The customer then went back to Panorama and removed the cert profile.

 

We have also looked at this post:
https://live.paloaltonetworks.com/t5/General-Topics/Panorama-8-0-EDL-amp-Certificate-Profile/m-p/148...

 

Namely the second to the last comment by: PerTenggren

After further investigation it seems that EDL created as "shared" can't list any certificate profile, but it works if assigning the EDL to a specific device group.

 

Customer said that: All of our policies that reference the Minemeld external dynamic list are Shared (global) in nature and cannot see a local EDL.

 

 

 

Customer is wanting to not see this warning message after commits.

 

24 people had this problem.
1 accepted solution

Accepted Solutions

Go to solution
FarzanaMustafa
L4 Transporter
In response to mteachout

‎02-27-2019 06:29 PM

I also faced same issue. TAC has advised to try this.

 

As far as EDL warning is concerned, cert profile need to be configured to verify server certificate using CA that signed CA cert.

There are two ways to resolve warning

1) use http instead of https to connect to webserver in EDL config
2) Or, configure cert profile using root CA that signed web server cert, Global sign in this case and use it in cert profile under EDL.

View solution in original post

17 REPLIES 17

Go to solution
lmori
L7 Applicator

‎08-08-2017 10:57 AM

Hi @DaBone,

this looks a problem with the configuration of PAN-OS and Panorama, have you opened a ticket to Palo Alto Networks TAC ?

 

Thanks,

luigi

Go to solution
lgiancaterini
L2 Linker
In response to lmori

‎08-08-2017 12:30 PM

Hi @DaBone,

 

Are you trying to push Certificates and profiles from Panorama to the FW's? If you have Device Group parent with policies defined and child DG's with firewalls, you will need to put a fake serial number in the parent DG and the same fake serial number in the template that you have the certificates in.

 

Make sure you have enough device licenses in Panorama to add this fake serial number. When you commit the changes to Panorama and then push the DG and Template changes to the firewall, you should see the certificate and profile in your firewalls to make your EDL's.

 

LG.

Go to solution
Mike.ship
L1 Bithead
In response to lgiancaterini

‎01-19-2018 12:09 PM

Has any one been able to verify if the workaround suggested by LG resolves the issue?

0 Likes Likes

Go to solution
oschuler
L4 Transporter
In response to Mike.ship

‎09-18-2018 11:24 PM

We also setup EDLs in the "shared" device-group and we're unable to attach a cert-profile to those EDLs. However, if we clone that EDL into a device-group leaf we get to chose a cert-profile.

 

It's not really an option for us to clone an EDL into each device-group. We also had to build individual security rules this way. So we keep the shared EDL for now, without any cert-profile attached. 

 

(we're running v8.1.3 of Panorama)

Go to solution
DrJonBane
L3 Networker
In response to oschuler

‎12-04-2018 06:44 AM

Same issue here.  This is another example of the limitations between device-groups and templates. This really needs to be addressed.

Go to solution
erikda
L2 Linker

‎02-01-2019 02:46 AM

Any news regarding this issue?

0 Likes Likes

Go to solution
lmori
L7 Applicator
In response to erikda

‎02-07-2019 12:09 AM

Hi @erikda@DaBone,

do you have a case open with TAC about this? I would like to bring the discussion to our Product Management

Go to solution
fwmike
L2 Linker
In response to lmori

‎02-07-2019 08:08 AM

@lmori

 

My case 01048381.

0 Likes Likes

Go to solution
DaBone
L5 Sessionator
In response to lmori

‎02-15-2019 08:31 AM - edited ‎02-15-2019 08:32 AM

@lmori

Sorry I forgot about this post.  

00717965 case, it is now resolved.

0 Likes Likes

Go to solution
mteachout
L0 Member
In response to DaBone

‎02-18-2019 10:31 AM

What was the fix? Is it something you had to change or is it included in a later release?

0 Likes Likes

Go to solution
FarzanaMustafa
L4 Transporter
In response to mteachout

‎02-27-2019 06:29 PM

I also faced same issue. TAC has advised to try this.

 

As far as EDL warning is concerned, cert profile need to be configured to verify server certificate using CA that signed CA cert.

There are two ways to resolve warning

1) use http instead of https to connect to webserver in EDL config
2) Or, configure cert profile using root CA that signed web server cert, Global sign in this case and use it in cert profile under EDL.

Go to solution
andrew571
L1 Bithead
In response to FarzanaMustafa

‎10-28-2019 08:52 AM

The real issue with the use of certificate profiles on external dynamic lists is that the firewall administrator has no control over the actions of 3rd party external dynamic list providers.

  • The list provider might force you to use HTTPS.
  • The list provider is free to choose whichever SSL Certificate provider they want.
  • If the certificate profile becomes invalid due to SSL certificate provider change, the list empties out, and you have no notification of this.
  • So, how exactly does this provide security if it suddenly fails open?
  • The GUI's "None (Disable Cert profile)" is a misnomer since it doesn't disable it to the point of no longer warning on policy commit.

A proper fix would be that "None (Disable Cert profile)" does what it says it will do which is to not use it and by disabled means it won't warn about it either.

 

 

Go to solution
Tobi
L2 Linker

‎03-29-2022 02:08 AM

Unfortunately I still cannot attach a cert-profile to my "shared" EDLs under PAN-OS 9.1. Is this fixed with version 10 or 10.1?

0 Likes Likes

Go to solution
andrey11
L1 Bithead

‎04-25-2022 07:11 AM

You can try following:

 

1. Push Certificate Profile via template to all firewalls.
2. Create the required EDL with the certificate profile on any device group
3. Commit and Push
4. Clone the EDL from the device group as a shared EDL.
5. You can then select the Certificate Profile in the Shared EDL.

NGFW-Lover
(1)
  • 1 accepted solution
  • 55025 Views
  • 17 replies
  • 2 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks