08-07-2017 09:12 AM
Warnings:
External Dynamic List <list> is configured with no certificate profile.
Please select a certificate profile for performing server certificate validation.
Customer went from 7.1.x to now 8.0.x and is using a MineMeld link in the External Dynamic List (EDL). This link is to an https site.
We followed this link:
After doing this, the warning was still there.
We had also done this:
So when we went to choose a certificate profile, there was not an option to choose one.
Because of this, we forced the certificate profile via the CLI:
# set shared external-list Minemeld-Office-365-IP type ip certificate-profile <cert profile>
This resolved this issue. Then MineMeld went to update the list and there was an Auth error and the list emptied.
Error:
description contains 'EDL server certificate authentication failed. The associated external dynamic list has been removed, which might impact your policy. EDL Name: Minemeld-Office-365-IP, EDL Source URL: https://10.x.xxx.xx/feeds/office365_IPv4s, CN: norminemeld, Reason: SSL peer certificate or SSH remote key was not OK'
The customer then went back to Panorama and removed the cert profile.
We have also looked at this post:
https://live.paloaltonetworks.com/t5/General-Topics/Panorama-8-0-EDL-amp-Certificate-Profile/m-p/148...
Namely the second to the last comment by: PerTenggren
After further investigation it seems that EDL created as "shared" can't list any certificate profile, but it works if assigning the EDL to a specific device group.
Customer said that: All of our policies that reference the Minemeld external dynamic list are Shared (global) in nature and cannot see a local EDL.
Customer is wanting to not see this warning message after commits.