Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
05-02-2023 11:56 AM
Hi,
Having issues with EDL and certificates. Followed the best practices, and believe everything is set properly.
running pa-8xx clusters running 10.1.9h3, all have the same issue
opendbl.net cert chain is imported and set both root and intermediate in the cert profile. opendbl EDL created, cert profile attached and outbound policy applied.
Anyone run into the following errors? Thanks for any advice.
Example from system monitor logs:
EDL server certificate authentication failed. A local copy of associated external dynamic list will be used, so it won't impact your policy. EDL Name: Blocklist.de All, EDL Source URL: https://opendbl.net/lists/blocklistde-all.list, CN: opendbl.net, Reason: unable to get local issuer certificate
EDL(Blocklist.de All) No changes to authentication status, still failing.
05-04-2023 02:53 PM
Hello,
I would say bypass decryption for those url's.
Regards,
05-05-2023 07:13 AM
Hi,
Thanks, tested and works without using cert. Couldn't find a solution that works with cert, so will just continue using http only.
Regards
06-30-2023 10:24 AM - edited 11-15-2023 12:36 PM
Hi @orbcomm ,
I opened a TAC case on this issue, and the certificate is working with 10.2.4-h2. I have seen this issue come and go with different versions. I think it is a bug that is not listed.
If I don't use a certificate profile for the EDL, I get commit warnings. I use Panorama to push my configs, and I want to see "commit succeeded" for all my NGFWs. If I get "commit succeeded with warnings" then I have to drill down into every NGFW. Bottom line: I get rid of all my commit warnings. Besides, a certificate profile is more secure.
Thanks,
Tom
PS It was not working in 10.1.9-h3.
06-30-2023 10:37 AM - edited 06-30-2023 10:37 AM
Hi @TomYoung,
Thanks for the heads up. I see 10.1.10 was just recently released, will try that, if not working will think about upgrading to 10.2 release. Would like to be on the secure side as well.
Regards
11-15-2023 03:08 AM
I have run into the same weird problem, we are running variants of OS 10.1.9 and can't figure out what the issue is. Interestingly, this was working on the current OS not too long ago and only stopped working after we had to update the certificate chain (EDL URL updated their certificates).
TAC hasn't been able to help at all so I am thinking about upgrading to the current preferred release which is 10.1.10-h2 for our base version.
11-15-2023 11:53 AM
Hi @szaidi110 I continue to use non-ssl, I have upgraded to 10.2.6 on firewalls with EDL, and planning to test ssl again, just haven't had a change window yet. If you can, non-ssl works until upgrade test.
11-15-2023 12:37 PM
Hi @orbcomm ,
Mine continues to work fine on 10.2.4-h2 and 10.2.5.
Thanks,
Tom
11-15-2023 12:42 PM
Excellent, thanks for the feedback @TomYoung
11-22-2023 06:54 AM
InfoSec would raise a flag if I bypass the cert authentication so that isn't really a choice. I guess I'll just update my firewalls to 10.2.X and see how it goes
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
