08-28-2023 06:40 AM
Hello all,
I currently have an issue with my firewalls not downloading External Dynamic Lists. Seems to be a certificate profile issue that arose from migrating into Panorama. I am guessing something went wonky with importing the certs, and then pushing them back out to the devices in a device template. I am still working on that!
But can someone help me understand this concept of using a device hosted certificate to retrieve data from an SSL connection? It seems to me that the server you are connecting to has its own certificate and that is what is being used to set up a secure connection and retrieve the data. How would my self-signed or internally CA signed certificate even be used in that conversation between the PA device and the SSL server?
08-28-2023 07:37 AM
Hi @SteveBallantyne ,
The phrase "certificate profile" in my opinion is not a very good description. Certificate profiles contain the CA certificates that were used to create the certificate being verified, in this case the EDL server. It is a way to verify no one has tampered with the EDL site.
For an EDL, you would browse to the site, examine the certificate, and download the CA certificates in the chain. Install them on your NGFW, and add them to your certificate profile. When the NGFW goes to the EDL, it says, "Yep. That is the correct certificate." I don't see it as a critical security feature, but I like to get rid of my commit warnings.
Some versions of PAN-OS have had issues with the EDL certificate profile working. I am on 10.2.4, and they are working fine.
Thanks,
Tom
08-28-2023 07:13 AM
Maybe I am just a bonehead ... I thought that the EDL *required* a certificate profile. But I was able to change it to "None", commit, push, etc. And now the lists work fine. 🙂
Turns out that it DOESN'T make sense to use a self-signed device certificate in this case!
08-28-2023 07:42 AM
Thank you, Tom. What you said makes perfect sense, and it also explains why the drop-down for certificates to use inside the certificate profile shows only certificates that have a private key.
08-28-2023 07:45 AM
Hi @SteveBallantyne ,
Probably because the only CA certificates on your NGFW contain private keys. It only allows CA certificates to be installed. You can add public CA certificates with no private key.
Thanks,
Tom