Palo-hosted EDL empty when using certificate profile

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Palo-hosted EDL empty when using certificate profile

L1 Bithead

Hi Guys,

I can’t use my SaaS EDLs in Prisma. It works fine on-prem, but in Prisma the list contains 0.0.0.0/0 entry.

 

When I remove certificate profile, it work well.

I configured decryption exclusion for Prisma Infra subnet as I had decryption errors for Palo SaaS URL.

 

i did not configure any security policy from infra subnet to internet (but EDL without cert profile works).

 


I use the EDL in security & decryption policy.

 

Kind Regards,

4 REPLIES 4

Cyber Elite
Cyber Elite

Hi @VTQNetwork ,

 

Check and see if you have certificate profile errors under Monitor > Logs > System with the filter ( subtype eq tls ).  I have seen an undocumented bug where the EDL server certificate authentication fails with various versions of PAN-OS.  I am currently on 10.2.4 and 5, which works fine.  There is also a chance where the certificate profile fails because the wrong certificates or an incomplete chain are in the profile.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

L1 Bithead

Thank you for reply @TomYoung

Indeed, I had cert errors in System logs until Saturday:

 

EDL server certificate authentication failed. A local copy of associated external dynamic list will be used, so it won't impact your policy. EDL Name: SaaS-EDL-Microsoft-Defender-EU-URL, EDL Source URL: https://saasedl.paloaltonetworks.com/feeds/msdefender/eu/microsoftdefenderforendpointeu/url, CN: saasedl.paloaltonetworks.com, Reason: self signed certificate in certificate chain

 

Since I've configured decryption exclusion for Prisma's Infrastructure subnet, I don't have these errors, but EDLs still does not work.

 

Please note my issue is in Prisma Access. The same certificate profile works fine for my on-prem firewalls.

 

Root CA I use and the procedure I've followed is described here:

 

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/policy/use-an-external-dynamic-list-in-po...

 

I'm on Panorama managed Prisma, my Panorama versionn is 11.0.2-h2 and the plugin cloud_services-4.1.0.

 

Kind Regards,

Kacper

 

 

Cyber Elite
Cyber Elite

Hi @VTQNetwork ,

 

Thank you for the information!  The message that concerns me is "Reason: self signed certificate in certificate chain."  That may indicate that the certificate profile in Prisma Access is different than the one on your on-prem firewalls.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

L1 Bithead

Hi @TomYoung ,

 

Yeah, I was also surprised when saw this message. I suppose there is some decryption for Prisma Infra. I've configured decryption exclusion. Now I do not have the error anymore, but my EDL with cert profile still does not work as expected.

 

According to Palo's manual, the same cert should be used for both on-prem & Prisma, but maybe additional policies/cert is required for Prisma Infra network.

 

I'm waiting for the TAC and update this thread. So far we've reinstalled certificate twice (I use cert from Palo), they suggested to change url (I use url from Palo).

 

Kind Regards,

Kacper 

  • 599 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!