The real issue with the use of certificate profiles on external dynamic lists is that the firewall administrator has no control over the actions of third-party external dynamic list providers.
The list provider might force you to use HTTPS.
The list provider is free to choose whichever SSL Certificate provider they want.
If the certificate profile becomes invalid due to SSL certificate provider change, the list empties out, and you have no notification of this.
So, how exactly does this provide security if it suddenly fails open?
The GUI's "None (Disable Cert profile)" is a misnomer since it doesn't disable it to the point of no longer warning on policy commit.
A proper fix would be for "None (Disable Cert profile)" to do what it says it will do, which is to not use it, and, since it is disabled, to not warn about it either.
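The post above says an EDL that stops validating simply empties out with no notification. One way to notice that yourself is to poll the list independently with full TLS verification and alert on a failed fetch or a collapsed entry count. The script below is an added example for this page, not code from the original post or from the vendor; the list URL, the previous entry count and the sample list body are constructed inputs.

```python
"""Poll an External Dynamic List over HTTPS with chain and hostname
verification enforced, and flag the two conditions that a firewall
would silently turn into an empty policy object: a fetch/TLS failure
and an empty or sharply shrunken list.  Added example, not vendor code."""
import ssl
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class EdlCheck:
    ok: bool        # True when the list was fetched and looks healthy
    entries: int    # number of usable entries parsed from the list
    reason: str     # text you would forward to your alerting channel


def parse_edl(body: str) -> List[str]:
    """One entry per line; '#' and ';' start comments; blank lines ignored.
    This follows the usual plain-text EDL convention."""
    entries = []
    for raw in body.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            entries.append(line)
    return entries


def evaluate(entries: Optional[List[str]], previous_count: int,
             fetch_error: Optional[str] = None,
             max_drop_ratio: float = 0.5) -> EdlCheck:
    """Decide whether this poll should raise an alert.

    A TLS failure (untrusted chain, expired certificate, issuer change)
    and an empty list are both treated as alerts rather than as 'no
    entries', because either one means the policy is now failing open."""
    if fetch_error is not None:
        return EdlCheck(False, 0, f"fetch failed: {fetch_error}")
    if not entries:
        return EdlCheck(False, 0, "list is empty: policy would fail open")
    if previous_count and len(entries) < previous_count * (1 - max_drop_ratio):
        return EdlCheck(False, len(entries),
                        f"entry count dropped from {previous_count} to {len(entries)}")
    return EdlCheck(True, len(entries), "ok")


def fetch_edl(url: str, cafile: Optional[str] = None,
              timeout: int = 10) -> Tuple[Optional[List[str]], Optional[str]]:
    """Fetch the list with certificate verification that is never relaxed.
    Returns (entries, None) on success or (None, error_text) on failure,
    so the caller can feed the result straight into evaluate()."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    try:
        with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
            return parse_edl(resp.read().decode("utf-8", "replace")), None
    except (ssl.SSLError, urllib.error.URLError, OSError) as exc:
        return None, str(exc)


if __name__ == "__main__":
    # Constructed sample standing in for a real provider response.
    sample = "# blocked ranges\n198.51.100.0/24\n203.0.113.7 ; known scanner\n\n"
    print(evaluate(parse_edl(sample), previous_count=2))
    print(evaluate(None, previous_count=2, fetch_error="certificate verify failed"))
    # Live use (hypothetical URL): entries, err = fetch_edl("https://edl.example.test/list.txt")
```

Run it on a schedule and keep the last healthy entry count between runs; the point is that a verification failure at the provider produces an alert on your side instead of an empty object on the firewall.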
I thought I'd share with you a few of the Google Cloud Platform VM-Series deployment challenges I ran into recently. First off, read the documentation carefully. This is a new product and the docs are being updated regularly, not to mention that GCP and their documentation are also constantly undergoing tweaks.

One thing that wasn't immediately clear is that the number of NICs is directly related to the VM CPU core count. You might need to select a custom CPU core count (even count only) if you need more than the basic 3 NICs in your project. Be aware that you should not reduce the VM CPU core count below 4, as you would not have enough NICs and the deployment will fail. One thing to point out, though, is that you'll notice in the GUI that there are seven ethernet interfaces regardless of the number of NICs you attach to the project when you deploy it; combined with the management interface, that brings the total to eight, but only the first n NICs are usable, depending on the number of CPU cores you selected.

Before you rush off and deploy an instance, you will need to create a bunch of VPC Networks with subnets inside each one. The documentation covers this fairly well. You'll typically want External IPs on the Management and External VPCs that will be attached to those respective interfaces. You need to be aware that once the VPC Network is attached to a virtual NIC, it cannot be changed. Plan ahead!

The next issue relates to a non-default CPU core count. There appears to be an issue with the VM-Series Image template or deployment scripts in the Cloud Launcher. If you use a non-default CPU core count, your public key login won't work until you STOP / START the VM after it has completed the first boot up. Wait until you can access the GUI login page on the management interface, then stop the VM, and start it again. Once the GUI login page is accessible you can SSH to the instance with your public key.
Speaking of the public key, there is some confusion in the documentation about this, and the correct format is:

admin:ssh-rsa keystring

For example:

admin:ssh-rsa AAAAB3NzaC9yc2E3H...FpYfsXKz==

After a number of false starts, and some great help from Palo Alto's support team, I managed to get a VM instance running, and it is working as expected. I have one outstanding issue, it is the VM Monitoring which doesn't appear to be working...yet.
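The post above lists several things that only show up after a failed deployment: a core count too low for the NICs you need, an odd custom core count, a VPC that can't be re-attached once bound to a NIC, and an SSH key metadata string in the wrong shape. The pre-flight checker below is an added example for this page, not code from the original post or from Palo Alto Networks or Google. It assumes one usable NIC per vCPU capped at eight; the post only says the two are related and that four cores is the practical floor, so treat that rule as an illustration and confirm it against current GCP documentation.

```python
"""Pre-deployment sanity checks for a VM-Series instance on GCP.
Added example; the NIC-per-vCPU rule is an assumption for illustration."""
import re
from typing import List

# Format given in the post: 'admin:' prefix, key type, then the base64 blob.
SSH_KEY_RE = re.compile(r"^admin:ssh-rsa [A-Za-z0-9+/]+={0,2}$")

MIN_VCPUS = 4          # floor from the post: fewer cores means too few NICs
ASSUMED_MAX_NICS = 8   # assumed platform cap (7 dataplane + management)


def usable_nics(vcpus: int, max_nics: int = ASSUMED_MAX_NICS) -> int:
    """Assumed rule: one usable interface per vCPU, capped at max_nics."""
    return max(0, min(vcpus, max_nics))


def validate_key_metadata(value: str) -> bool:
    """True when the metadata string is 'admin:ssh-rsa <base64 key>'.
    A key pasted with '...' or with the username missing is rejected."""
    return bool(SSH_KEY_RE.match(value.strip()))


def plan_checks(vcpus: int, vpc_networks: List[str], key_metadata: str) -> List[str]:
    """Return a list of problems found; an empty list means the plan passes.
    vpc_networks is the ordered list of VPCs to bind, management first."""
    problems = []
    if vcpus < MIN_VCPUS:
        problems.append(f"{vcpus} vCPUs is below the {MIN_VCPUS}-core floor; deployment will fail")
    if vcpus % 2:
        problems.append("custom core counts must be even")
    needed = len(vpc_networks)
    if needed > usable_nics(vcpus):
        problems.append(f"{needed} VPCs requested but only {usable_nics(vcpus)} NICs usable at {vcpus} vCPUs")
    # A VPC bound to a NIC cannot be changed later, so catch duplicates up front.
    if len(set(vpc_networks)) != len(vpc_networks):
        problems.append("the same VPC is listed for more than one NIC; bindings cannot be changed after deploy")
    if not validate_key_metadata(key_metadata):
        problems.append("SSH key metadata must look like 'admin:ssh-rsa <key>'")
    return problems


if __name__ == "__main__":
    # Constructed sample plan: 4 vCPUs, three VPCs, well-formed key string.
    sample_key = "admin:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7constructedsamplekey"
    for issue in plan_checks(4, ["mgmt-vpc", "untrust-vpc", "trust-vpc"], sample_key) or ["plan ok"]:
        print(issue)
    for issue in plan_checks(2, ["mgmt-vpc", "a", "b", "c", "d"], "ssh-rsa AAAA"):
        print("problem:", issue)
```

Run it against the values you intend to paste into the Cloud Launcher form before deploying; re-running after a STOP / START, as the post describes, is still needed for the key to take effect on a non-default core count.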