Trying to understand how a certificate profile is used for External Dynamic Lists (EDL)

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Trying to understand how a certificate profile is used for External Dynamic Lists (EDL)

L2 Linker

Hello all,

I currently have an issue with my firewalls not downloading External Dynamic Lists. Seems to be a certificate profile issue that arose from migrating into Panorama. I am guessing something went wonky with importing the certs, and then pushing them back out to the devices in a device template. I am still working on that!

 

But can someone help me understand this concept of using a device hosted certificate to retrieve data from an SSL connection? It seems to me that the server you are connecting to has it's own certificate and that is what is being used to set up a secure connection and retrieve the data. How would my self-signed or internally CA signed certificate even be used in that conversation between the PA device and the SSL server?

1 accepted solution

Accepted Solutions

Cyber Elite
Cyber Elite

Hi @SteveBallantyne ,

 

The phrase "certificate profile" in my opinion is not a very good description.  Certificate profiles contain the CA certificates that were used to create the certificate being verified, in this case the EDL server.  It is a way to verify no one has tampered with the EDL site.

 

For an EDL, you would browse to the site, examine the certificate, and download the CA certificates in the chain.  Install them on your NGFW, and add them to your certificate profile.  When the NGFW goes to the EDL, it says, "Yep.  That is the correct certificate."  I don't see it as a critical security feature, but I like to get rid of my commit warnings.

 

Some versions of PAN-OS have had issues with the EDL certificate profile working.  I am on 10.2.4, and they are working fine.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

View solution in original post

4 REPLIES 4

L2 Linker

Maybe I am just a bonehead ... I thought that the EDL *required* a certificate profile. But I was able to change it to "None", commit, push, etc. And now the lists work fine. 🙂

 

Turns out that it DOESN'T make sense to use a self-signed device certificate in this case!

Cyber Elite
Cyber Elite

Hi @SteveBallantyne ,

 

The phrase "certificate profile" in my opinion is not a very good description.  Certificate profiles contain the CA certificates that were used to create the certificate being verified, in this case the EDL server.  It is a way to verify no one has tampered with the EDL site.

 

For an EDL, you would browse to the site, examine the certificate, and download the CA certificates in the chain.  Install them on your NGFW, and add them to your certificate profile.  When the NGFW goes to the EDL, it says, "Yep.  That is the correct certificate."  I don't see it as a critical security feature, but I like to get rid of my commit warnings.

 

Some versions of PAN-OS have had issues with the EDL certificate profile working.  I am on 10.2.4, and they are working fine.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

L2 Linker

Thank you, Tom. What you said makes perfect sense, and it also explains why in the drop-down for certificates to use inside the certificate profile are only certificates in which there is a private key.

Cyber Elite
Cyber Elite

Hi @SteveBallantyne ,

 

Probably because the only CA certificates on your NGFW contain private keys.  It only allows CA certificates to be installed.  You can add public CA certificates with no private key.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.
  • 1 accepted solution
  • 2656 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!