I manage a Palo Alto firewall and have been using External Dynamic Lists to find outside sources listing malicious IPs and domain names and blocking them from our network.
My starting problem - if I didn't take the time to properly configure the certificates, commits would come with a warning for each EDL: External Dynamic List <name> is configured with no certificate profile. Please select a certificate profile for performing server certificate validation.
At one point, I had things done wrong, which led to different errors in the logs: EDL server certificate authentication failed. The associated external dynamic list has been removed, which might impact your policy. EDL Name: <name> All, EDL Source URL: <url>, CN: <cn>, Reason: unable to get local issuer certificate
There are three pieces to this. Uploading the full certificate chain into your firewall, correctly building a certificate profile, and associating the certificate profile with the EDL.
I was having difficulties understanding how to get the certificates. At one point, I didn't understand how to do it in Chrome and I was doing it on Firefox.
In Firefox, you browse to the site in question, and click the padlock in the left of the address bar. A site information box appears, and click the arrow to the right of Connection Secure. Then click More Information at the bottom. A page info window appears - use the View Certificate button.
You get an about:certificate tab to open, and there's a tab for each part of the chain. I was using the Download PEM (cert) link for each certificate.
However...once I learned how to work with certificates in Chrome, I was surprised to see Firefox was showing me 3 certificates in the chain of the site in question, yet Chrome showed me 4! That fourth certificate was obviously a necessary piece of the puzzle.
Working with certificates in Chrome: click the padlock in the left of the address bar. Click Certificate (Valid). Go to the Certification Path tab.
For each certificate in the chain, highlight it and hit the View Certificate button. Go to the Details tab and use the Copy to File... button. You will enter a Certificate Export Wizard. I used the default format, DER encoded binary X.509 (.CER). Name each file so you know the correct order for how they enter in the chain - adding them to your Palo Alto in the correct order, top down, is important.
Once you have all your files, now they need to be added into the firewall. This is done on Device, in Certificates under the Certificate Management section. Import each certificate, starting at the top of your chain.
Once all are imported, let's handle the certificate profile. That is done from the Certificate Profile area in Device, Certificate Management.
Name your Certificate Profile, and add the top 2 certificates that you just imported in the previous set.
Now head to Objects and External Dynamic Lists. Apply your new Certificate Profile to the EDL in question.
You should now commit error free!
No comments:
Post a Comment