
Who Me Too'd this topic

Warnings: External Dynamic List <list> is configured with no certificate profile.

L5 Sessionator

Warnings:

External Dynamic List <list> is configured with no certificate profile.

Please select a certificate profile for performing server certificate validation.

 

Customer went from 7.1.x to now 8.0.x and is using a MineMeld link in the External Dynamic List (EDL).  This link is to an https site. 

We followed this link:

https://live.paloaltonetworks.com/t5/MineMeld-Articles/How-to-Generate-New-MineMeld-HTTPS-Cert/ta-p/...

 

After doing this, the warning was still there.

We had also done this:

https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/policy/disable-authentication-for-an...

 

So when we went to choose a certificate profile, there was not an option to choose one.

[Screenshot: minemeldcertprof.JPG]


Because of this, we forced the certificate profile via the CLI:

# set shared external-list Minemeld-Office-365-IP type ip certificate-profile <cert profile>

 

This resolved this issue.  Then MineMeld went to update the list and there was an Auth error and the list emptied.

Error:
description contains 'EDL server certificate authentication failed. The associated external dynamic list has been removed, which might impact your policy. EDL Name: Minemeld-Office-365-IP, EDL Source URL: https://10.x.xxx.xx/feeds/office365_IPv4s, CN: norminemeld, Reason: SSL peer certificate or SSH remote key was not OK'

 

 

The customer then went back to Panorama and removed the cert profile.

 

We have also looked at this post:
https://live.paloaltonetworks.com/t5/General-Topics/Panorama-8-0-EDL-amp-Certificate-Profile/m-p/148...

 

Namely the second to the last comment by: PerTenggren

After further investigation it seems that EDL created as "shared" can't list any certificate profile, but it works if assigning the EDL to a specific device group.

 

Customer said that: All of our policies that reference the Minemeld external dynamic list are Shared (global) in nature and cannot see a local EDL.

 

 

 

Customer is wanting to not see this warning message after commits.
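
A triage helper for the error quoted in the post, added here as an example and not part of the original post or of any Palo Alto Networks tooling: it pulls the EDL name, source URL, CN and reason out of the log description and compares the URL host with the logged CN. It assumes the CN field is the subject CN of the certificate the feed server presented; the sample events, feed names and addresses are constructed.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Field layout taken from the error text quoted in the post.
EDL_FAIL = re.compile(
    r"EDL server certificate authentication failed\..*?"
    r"EDL Name: (?P<name>[^,]+), EDL Source URL: (?P<url>[^,]+), "
    r"CN: (?P<cn>[^,]+), Reason: (?P<reason>[^']+)")

# Constructed sample events (documentation address, made-up names).
_PRE = ("EDL server certificate authentication failed. The associated external "
        "dynamic list has been removed, which might impact your policy. ")
_WHY = "Reason: SSL peer certificate or SSH remote key was not OK"
SAMPLE_EVENTS = [
    _PRE + "EDL Name: Feed-A, EDL Source URL: https://192.0.2.10/feeds/a, CN: feedhost, " + _WHY,
    _PRE + "EDL Name: Feed-B, EDL Source URL: https://mm.example.test/feeds/b, CN: feedhost, " + _WHY,
    _PRE + "EDL Name: Feed-C, EDL Source URL: https://mm.example.test/feeds/c, CN: *.example.test, " + _WHY,
    "User admin logged in via Web",  # unrelated line, skipped by the parser
]

def parse_edl_failure(description):
    """Return name/url/cn/reason from an EDL auth-failure description, or None."""
    m = EDL_FAIL.search(description)
    return {k: v.strip() for k, v in m.groupdict().items()} if m else None

def name_check(event):
    """Compare the URL host with the logged CN (assumed: server cert subject CN).

    The log shows only the CN, not any SAN entries, so this is a triage hint.
    """
    host = (urlsplit(event["url"]).hostname or "").lower()
    cn = event["cn"].lower()
    try:
        ipaddress.ip_address(host)
        return "ip-literal-url"   # feed addressed by IP while the cert carries a name
    except ValueError:
        pass
    wildcard = cn.startswith("*.") and "." in host and host.split(".", 1)[1] == cn[2:]
    # On a name match, the CA chain in the certificate profile is the next suspect.
    return "name-matches" if host == cn or wildcard else "name-mismatch"

def triage(descriptions):
    """Return (EDL name, verdict) for every EDL auth-failure description."""
    events = (parse_edl_failure(d) for d in descriptions)
    return [(e["name"], name_check(e)) for e in events if e]

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_EVENTS):
        print(f"{name}: {verdict}")
```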

 
