Warnings: External Dynamic List <list> is configured with no certificate profile.

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.
Palo Alto Networks Approved
Palo Alto Networks Approved
Community Expert Verified
Community Expert Verified

Warnings: External Dynamic List <list> is configured with no certificate profile.

L4 Transporter

Warnings:

External Dynamic List <list> is configured with no certificate profile.

Please select a certificate profile for performing server certificate validation.

 

Customer went from 7.1.x to now 8.0.x and is using a MineMeld link in the External Dynami List(EDL).  This link is to a https site. 

We followed this link:

https://live.paloaltonetworks.com/t5/MineMeld-Articles/How-to-Generate-New-MineMeld-HTTPS-Cert/ta-p/...

 

After doing this, the warning was still there.

We had also done this:

https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/policy/disable-authentication-for-an...

 

So when we went to choose a certificate profle, there was not an option to choose one.

minemeldcertprof.JPG

 

 

Because of this, we force the certificate profile via the CLI:

# set shared external-list Minemeld-Office-365-IP type ip certificate-profile <cert profile>

 

This resolved this issue.  Then MineMeld went to update the list and there was an Auth error and the list emptied.

Error:
description contains 'EDL server certificate authentication failed. The associated external dynamic list has been removed, which might impact your policy. EDL Name: Minemeld-Office-365-IP, EDL Source URL: https://10.x.xxx.xx/feeds/office365_IPv4s, CN: norminemeld, Reason: SSL peer certificate or SSH remote key was not OK'

 

 

The customer then went back to Panorama and removed the cert profile.

 

We have also looked at this post:
https://live.paloaltonetworks.com/t5/General-Topics/Panorama-8-0-EDL-amp-Certificate-Profile/m-p/148...

 

Namely the second to the last comment by: PerTenggren

After further investigation it seems that EDL created as "shared" can't list any certificate profile, but it works if assigning the EDL to a specific device group.

 

Customer said that: All of our policies that reference the Minemeld external dynamic list are Shared (global) in nature and cannot see a local EDL.

 

 

 

Customer is wanting to not see this warning message after commits.

 

17 REPLIES 17

WOW!

I even open a case that went to up the chain to the dev team and was told that with 10.2.3 it was going to be fixed!

@andrey11 AMAZING instructions!

THANK YOU!!!

5*'s!

This process working, proves the platform can do it, but the pointers/database/code need to be looked at for the GUI.

Palo Alto Needs to hire you! (:

thanks again!

Alternatively, you can just type in the certificate profile without moving the edl around device groups..... for some reason.

 

For example we use some of the Palo Alto maintained edls (EDL Hosting Service (paloaltonetworks.com)) and we named the certificate profile, "PaloAlto-EDL-Cert-Profile", I can manually type that in the shared edl even though its not an option in the drop down menu. I dont know how this works but Palo cant make it appear in the drop down menu 

Follow up:

Still not fixed in the newer vesions, running the latest 11.x code and still not fixed.

In addition, stacking manualy into 1 txt file all the certifficate chain no longer works.

this is what i did to make it work.

 

1. go to firefox (chrome doesn't give you the options below) and pull up  the https URL where the list is published.

 

in firefox, pull up the certificate and download the pem file for each of the certs in the chain (pem)

miguelMA_0-1690566356298.png

2. Then got to panorama and IMPORT in the share each certificate.

committ push

3. Then go to the individual device template and build a local certificate profile that uses/references the individually shared certificates

commit push

4. then go to the created certifiate profile and clone it to SHARE.

committ push

5. delete the individual local profile.

6. build the new external dynamic list object usign the same URL as step 1.

7. the new certifiate profile will now be available to use in the new shared external dyanmic list dropdown.

 

This used to work by using a single certificate that was manually stacked and saved as one certificate but it seeems that is no longer the case.

 

Hope this helps someone outthere and keeps some of the pain away (:

 

 

  • 49032 Views
  • 17 replies
  • 2 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!