Find External Dynamic Lists That Failed Authentication
When an external dynamic list that requires SSL fails client or server authentication, the firewall generates a system log of critical severity. The log is critical because the firewall continues to enforce policy based on the last successfully retrieved version of the external dynamic list after authentication fails, instead of using the latest version. Use the following process to view the critical system log messages that notify you of an authentication failure related to an external dynamic list.
Construct the following filters to view all messages related to authentication failure, and apply the filters. For more information, review the complete workflow to Filter
Server authentication failure—(eventid eq tls-edl-auth-failure)
Client authentication failure—(eventid eq edl-cli-auth-failure)
Review the system log messages. The message description includes the name of the external dynamic list, the source URL for the list, and the reason for the authentication failure.
The server that hosts the external dynamic list fails authentication if its certificate is expired. If you have configured the certificate profile to check certificate revocation status via a Certificate Revocation List (CRL) or the Online Certificate Status Protocol (OCSP), the server may also fail authentication if:
The certificate is
The revocation status of the certificate is unknown.
The connection times out while the firewall is attempting to connect to the CRL/OCSP service.
that you added the root CA and intermediate CA of the server to the certificate profile configured with the external dynamic list. Otherwise, the firewall will not authenticate the list properly.
authentication fails if you have entered an incorrect username and password combination for the external dynamic list.
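The following Python script is an added example, not part of the original page or of the vendor's tooling. It shows how an operator might triage an exported batch of system log lines offline: it evaluates the two `(eventid eq …)` filters from the procedure above, pulls the list name, source URL and failure reason out of each matching description, and classifies the reason into the failure causes the page lists (expired certificate, unknown revocation status, CRL/OCSP timeout, bad credentials). The CSV layout and the wording of the descriptions are constructed assumptions for this example; they are not the firewall's real export format, so adjust the column names and the `EDL(...) source(...)` pattern to match your own export.

```python
"""Triage external dynamic list (EDL) authentication failures from exported
system log lines.  Added example: the CSV layout (time, severity, eventid,
description) and the description wording are constructed assumptions, not the
firewall's actual export format."""
import csv
import io
import re
from typing import Dict, List, Tuple

# Constructed sample export.  The event IDs are the ones named on the page;
# the list names, URLs and description text are made up for this example.
SAMPLE_SYSTEM_LOG = """\
time,severity,eventid,description
2024/05/01 10:00:01,critical,tls-edl-auth-failure,EDL(blocklist-ips) source(https://lists.example.test/ips.txt): server authentication failed: certificate has expired
2024/05/01 10:05:12,critical,tls-edl-auth-failure,EDL(malware-domains) source(https://feeds.example.test/domains.txt): server authentication failed: revocation status unknown
2024/05/01 10:07:40,critical,tls-edl-auth-failure,EDL(partner-urls) source(https://partner.example.test/urls.txt): server authentication failed: timeout connecting to CRL/OCSP service
2024/05/01 10:09:03,critical,edl-cli-auth-failure,EDL(partner-urls) source(https://partner.example.test/urls.txt): client authentication failed: invalid username or password
2024/05/01 10:10:00,informational,edl-refresh,EDL(blocklist-ips) source(https://lists.example.test/ips.txt): refreshed successfully
"""

# The two filters from the procedure.  Combined with OR so one pass finds both.
AUTH_FAILURE_FILTERS = [
    "(eventid eq tls-edl-auth-failure)",   # server authentication failure
    "(eventid eq edl-cli-auth-failure)",   # client authentication failure
]

FILTER_RE = re.compile(r"^\(\s*(\w+)\s+eq\s+([\w.-]+)\s*\)$")
EDL_RE = re.compile(r"EDL\(([^)]+)\)\s+source\(([^)]+)\)")

# Failure causes named on the page, mapped to a label and the remediation the
# page gives for each; the regexes match the constructed description wording.
REASON_PATTERNS: List[Tuple[str, re.Pattern, str]] = [
    ("expired-certificate", re.compile(r"expired", re.I),
     "renew the server certificate; confirm root and intermediate CA are in the certificate profile"),
    ("revocation-unknown", re.compile(r"revocation status unknown", re.I),
     "check the CRL/OCSP configuration in the certificate profile and the issuing CA's responder"),
    ("crl-ocsp-timeout", re.compile(r"timeout.*(crl|ocsp)", re.I),
     "verify the firewall can reach the CRL/OCSP service"),
    ("bad-credentials", re.compile(r"username or password", re.I),
     "correct the username and password configured for the list"),
]


def parse_filter(expr: str) -> Tuple[str, str]:
    """Turn '(field eq value)' into a (field, value) pair; other forms are rejected."""
    m = FILTER_RE.match(expr.strip())
    if not m:
        raise ValueError(f"unsupported filter: {expr!r}")
    return m.group(1), m.group(2)


def apply_filters(rows: List[Dict[str, str]], exprs: List[str]) -> List[Dict[str, str]]:
    """Keep rows matching ANY of the given '(field eq value)' filters."""
    terms = [parse_filter(e) for e in exprs]
    return [r for r in rows if any(r.get(field) == value for field, value in terms)]


def classify_reason(description: str) -> Tuple[str, str]:
    """Map a description to (reason label, remediation); unknown text is flagged for manual review."""
    for label, pattern, fix in REASON_PATTERNS:
        if pattern.search(description):
            return label, fix
    return "unclassified", "review the description manually"


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return one triage record per EDL authentication failure found in the export."""
    rows = list(csv.DictReader(io.StringIO(log_text)))
    records = []
    for row in apply_filters(rows, AUTH_FAILURE_FILTERS):
        m = EDL_RE.search(row["description"])
        edl_name, source_url = (m.group(1), m.group(2)) if m else ("<unparsed>", "<unparsed>")
        reason, fix = classify_reason(row["description"])
        records.append({
            "time": row["time"],
            "severity": row["severity"],
            "kind": "server" if row["eventid"] == "tls-edl-auth-failure" else "client",
            "edl": edl_name,
            "url": source_url,
            "reason_class": reason,
            "remediation": fix,
        })
    return records


if __name__ == "__main__":
    for rec in triage(SAMPLE_SYSTEM_LOG):
        print(f"{rec['time']} {rec['kind']:6} {rec['edl']:16} {rec['reason_class']:20} -> {rec['remediation']}")
```

Because the firewall keeps enforcing the last successfully retrieved copy of the list, the useful output of a run like this is the set of lists whose content is now stale, grouped by the cause you need to fix; the informational refresh line in the sample is deliberately left out by the filters.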