Palo-hosted EDL empty when using certificate profile


L1 Bithead

Hi Guys,

I can’t use my SaaS EDLs in Prisma. It works fine on-prem, but in Prisma the list contains a 0.0.0.0/0 entry.

 

When I remove the certificate profile, it works well.

I configured decryption exclusion for Prisma Infra subnet as I had decryption errors for Palo SaaS URL.

 

I did not configure any security policy from the infra subnet to the internet (but the EDL without a cert profile works).

 


I use the EDL in security & decryption policy.

 

Kind Regards,

Cyber Elite

Hi @VTQNetwork ,

 

Check and see if you have certificate profile errors under Monitor > Logs > System with the filter ( subtype eq tls ).  I have seen an undocumented bug where the EDL server certificate authentication fails with various versions of PAN-OS.  I am currently on 10.2.4 and 5, which works fine.  There is also a chance where the certificate profile fails because the wrong certificates or an incomplete chain are in the profile.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.
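The check Tom describes (filtering System logs on subtype tls for EDL certificate failures) can be automated over exported log text. The following is an added example, not code from the thread or from Palo Alto Networks; the sample messages are constructed to mirror the one quoted later in this thread, and the second EDL name and URL are hypothetical.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample System-log messages (subtype tls). The first mirrors the
# message quoted in this thread; the second is a hypothetical variant; the
# third is an unrelated EDL message that the parser must ignore.
SAMPLE_LOG_LINES = [
    "EDL server certificate authentication failed. A local copy of associated "
    "external dynamic list will be used, so it won't impact your policy. "
    "EDL Name: SaaS-EDL-Microsoft-Defender-EU-URL, EDL Source URL: "
    "https://saasedl.paloaltonetworks.com/feeds/msdefender/eu/microsoftdefenderforendpointeu/url, "
    "CN: saasedl.paloaltonetworks.com, Reason: self signed certificate in certificate chain",
    "EDL server certificate authentication failed. A local copy of associated "
    "external dynamic list will be used, so it won't impact your policy. "
    "EDL Name: Example-IP-EDL, EDL Source URL: https://edl.example.invalid/ips.txt, "
    "CN: edl.example.invalid, Reason: self signed certificate in certificate chain",
    "EDL refresh completed. EDL Name: Example-IP-EDL",
]

# Matches the EDL failure message and captures the fields PAN-OS appends to it.
EDL_FAIL_RE = re.compile(
    r"EDL server certificate authentication failed\..*?"
    r"EDL Name: (?P<name>[^,]+), EDL Source URL: (?P<url>[^,\s]+), "
    r"CN: (?P<cn>[^,]+), Reason: (?P<reason>.+)$"
)


def parse_edl_failures(lines):
    """Return one dict (name, url, cn, reason) per EDL certificate failure."""
    failures = []
    for line in lines:
        m = EDL_FAIL_RE.search(line)
        if m:
            entry = m.groupdict()
            entry["reason"] = entry["reason"].strip()
            failures.append(entry)
    return failures


def failures_by_reason(lines):
    """Count failures per reason; a single dominant reason such as
    'self signed certificate in certificate chain' points at the profile's
    trust chain or at TLS interception on the path, not at one bad feed."""
    return Counter(f["reason"] for f in parse_edl_failures(lines))


def cn_matches_url(entry):
    """True when the certificate CN equals the host in the EDL source URL;
    a mismatch means the firewall was presented a certificate for a
    different name than the one it fetched from."""
    host = urlparse(entry["url"]).hostname
    return host is not None and host.lower() == entry["cn"].strip().lower()
```

Run it over a System-log export filtered on subtype eq tls; a chain-related reason on every EDL at once is the case discussed in this thread.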

L1 Bithead

Thank you for the reply @TomYoung

Indeed, I had cert errors in System logs until Saturday:

 

EDL server certificate authentication failed. A local copy of associated external dynamic list will be used, so it won't impact your policy. EDL Name: SaaS-EDL-Microsoft-Defender-EU-URL, EDL Source URL: https://saasedl.paloaltonetworks.com/feeds/msdefender/eu/microsoftdefenderforendpointeu/url, CN: saasedl.paloaltonetworks.com, Reason: self signed certificate in certificate chain

 

Since I've configured the decryption exclusion for Prisma's Infrastructure subnet, I don't have these errors, but the EDLs still do not work.

 

Please note my issue is in Prisma Access. The same certificate profile works fine for my on-prem firewalls.

 

The Root CA I use and the procedure I've followed are described here:

 

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/policy/use-an-external-dynamic-list-in-po...

 

I'm on Panorama-managed Prisma, my Panorama version is 11.0.2-h2 and the plugin is cloud_services-4.1.0.

 

Kind Regards,

Kacper

 

 

Cyber Elite

Hi @VTQNetwork ,

 

Thank you for the information!  The message that concerns me is "Reason: self signed certificate in certificate chain."  That may indicate that the certificate profile in Prisma Access is different than the one on your on-prem firewalls.

 

Thanks,

 

Tom


L1 Bithead

Hi @TomYoung ,

 

Yeah, I was also surprised when I saw this message. I suppose there is some decryption for Prisma Infra. I've configured a decryption exclusion. Now I do not have the error anymore, but my EDL with the cert profile still does not work as expected.

 

According to Palo's manual, the same cert should be used for both on-prem & Prisma, but maybe an additional policy/cert is required for the Prisma Infra network.

 

I'm waiting for TAC and will update this thread. So far we've reinstalled the certificate twice (I use the cert from Palo), and they suggested changing the URL (I use the URL from Palo).

 

Kind Regards,

Kacper
