We do TLS decryption, and cut over a site to new PA-1410s running 11.0.2. While testing MS updates on endpoints, we were getting notifications that the client couldn't contact the update server. Looking in the decryption log, none of the calls to the MS URLs were trusted. I looked at the default included trusted CAs from our 820s that we are moving from, and sure enough, many of the MS root CAs are not imported into PAN-OS 11.x. I exported the ones missing from our 820s and imported them into the 1410s and marked them as trusted to work around this. Why would PAN not include these?
Here are the default trusted CAs from our 820s running 10.1:
Here's what was default on the 1410s:
The PA default trusted certificate authorities store is updated in major releases.
This means it may (or may not) have different certificates in 10.1.x and in 11.0.x.
You can upload the necessary certificates to the device certificate store and mark them as trusted.
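One way to find out exactly which trusted CAs the old device has and the new one lacks before uploading anything, as an added example that is not code from the thread or from Palo Alto Networks: it assumes each firewall's trusted CA list has been exported to a PEM bundle (concatenated certificates), and the sample bundles below are constructed placeholders rather than real root CA certificates.

```python
"""Find trusted CAs present in one PAN-OS trusted-CA export but not another."""
import base64
import hashlib
import re

# One PEM certificate block; re.S lets '.' span the wrapped base64 lines.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def fp_of(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def fingerprints(pem_bundle: str) -> dict:
    """Map each certificate's fingerprint to its PEM block, in file order."""
    out = {}
    for m in PEM_BLOCK.finditer(pem_bundle):
        der = base64.b64decode("".join(m.group(1).split()))
        out[fp_of(der)] = m.group(0)
    return out


def missing_from(old_bundle: str, new_bundle: str) -> list:
    """(fingerprint, PEM block) for every cert in old_bundle absent from new_bundle.

    Comparing fingerprints of the DER bytes means the same CA still matches
    even if the two exports wrap or label it differently.
    """
    new = fingerprints(new_bundle)
    return [(fp, blk) for fp, blk in fingerprints(old_bundle).items() if fp not in new]


def _pem(der: bytes) -> str:
    """Wrap bytes as a PEM block (only used to build the constructed samples)."""
    body = base64.encodebytes(der).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"


# Constructed stand-ins for the 10.1 (PA-820) and 11.0 (PA-1410) exports; not real CAs.
EXPORT_10_1 = _pem(b"constructed-root-A") + _pem(b"constructed-root-B") + _pem(b"constructed-root-C")
EXPORT_11_0 = _pem(b"constructed-root-B")

if __name__ == "__main__":
    gaps = missing_from(EXPORT_10_1, EXPORT_11_0)
    print(f"{len(gaps)} trusted CA(s) in the 10.1 export are missing from 11.0")
    # The written bundle is what you would import on the new device and mark trusted.
    with open("missing_trusted_cas.pem", "w") as f:
        f.write("".join(blk + "\n" for _, blk in gaps))
```

Run it against real exports by replacing the two constructed bundles with the file contents from each device; the resulting bundle lists only the certificates that actually need importing.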