End-of-Life (EoL)
Authentication for External Dynamic Lists
When retrieving external dynamic lists hosted
on SSL/TLS secured servers (servers with an HTTPS URL), the firewall
now validates the digital certificates of the server before proceeding
with the retrieval. You must now enable server authentication for
these external dynamic lists for the firewall to retrieve them.
Additionally, you can now retrieve external dynamic lists hosted
on SSL/TLS secured servers that enforce basic HTTP username/password
authentication (client authentication). Server authentication prevents man-in-the-middle
attacks by ensuring that the firewall retrieves an external dynamic
list from a valid source, not a malicious or spoofed server, while
client authentication allows you to use more secure sources (such
as MineMeld) that limit access
to their external dynamic lists to authorized users. If the certificate
of an external dynamic list server is expired or revoked, or if
you enter incorrect login credentials for the list, authentication
fails. The firewall then ceases to enforce policy based on the list
contents.
In Panorama, you can use external dynamic lists
to enforce policy across multiple firewalls in a device group. Panorama
enforces policy without server and client authentication for firewalls
running PAN-OS 7.1 and earlier versions.
- Select Objects > External Dynamic Lists and click a dynamic IP, domain, or URL list.
- (New) If the server hosting the external dynamic list is secured with SSL (such as lists with an HTTPS URL), enable server authentication. You cannot edit or save changes to an external dynamic list with an HTTPS URL if you don't enable server authentication first.
  - Select an existing Certificate Profile for the list, or create a New Certificate Profile. A certificate profile authenticates a device and its certificates. The certificate profile you select must have a root CA certificate that matches the certificate installed on the server you are authenticating (and an intermediate CA certificate, if the server has one). It is also recommended that you enable CRL and/or OCSP status verification, which checks the revocation status of the server certificates. Learn more about how to configure a certificate profile.
  - If the external dynamic list source has an HTTP URL, you are not required to select a certificate profile. The firewall connects to the server that hosts the external dynamic list without certificate validation.
  - To maximize the number of external dynamic lists that you can use to enforce policy, use the same certificate profile to authenticate external dynamic lists from the same source URL. If you assign different certificate profiles to external dynamic lists from the same source URL, the firewall counts each list as a unique external dynamic list.
- (New) If the source of the external dynamic list has an HTTPS URL and requires a username and password for list access, enable client authentication.
  - Select Client Authentication.
  - Enter the username and password required by the list source.
  - Re-enter the password to confirm it.
- (Optional) Test the connectivity of the firewall to the server hosting the external dynamic list. Click Test Source URL. A popup indicates whether the server is accessible. The Test Source URL button only verifies that the firewall can connect to the server; it does not check the status of the server's certificate.
- Save the configuration. Click OK and Commit.
- External dynamic lists that fail server or client authentication require your immediate attention because the firewall ceases to enforce policy based on their contents. The firewall generates critical system logs to alert you to the authentication failure. To manually check whether an external dynamic list authenticates successfully, retrieve the external dynamic list from the web server. If a server fails to authenticate, you can disable server authentication as a stop-gap measure until the owner of the external dynamic list addresses the cause of the failure.
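The retrieval and fail-closed behavior described above, modelled as an added Python example (this is not PAN-OS code): the certificate profile becomes an `ssl` context pinned to a CA bundle with optional CRL checking, client authentication becomes an HTTP Basic header, and any server or client authentication failure logs at critical level and returns `None` so the caller stops enforcing the list. The function names, the list format (one entry per line, `#` comments) and any URLs or paths are assumptions for illustration.

```python
import base64
import logging
import ssl
import urllib.request
from urllib.error import HTTPError, URLError

log = logging.getLogger("edl")


def build_tls_context(ca_bundle_path, crl_path=None):
    """Model a certificate profile: trust only the given CA chain (root plus any
    intermediate), require a hostname match, and optionally check a local CRL."""
    ctx = ssl.create_default_context(cafile=ca_bundle_path)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if crl_path:  # revocation check of the server (leaf) certificate
        ctx.load_verify_locations(cafile=crl_path)
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    return ctx


def basic_auth_header(username, password):
    """HTTP Basic credentials for a list source that enforces client authentication."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def parse_edl(text):
    """Assumed list format: one entry per line; blank lines and '#' comments ignored."""
    return [e for e in (ln.split("#", 1)[0].strip() for ln in text.splitlines()) if e]


def fetch_edl(url, tls_context, username=None, password=None, opener=urllib.request.urlopen):
    """Return the list entries, or None when server or client authentication fails.
    None means fail closed: the caller must stop enforcing policy from this list."""
    headers = basic_auth_header(username, password) if username else {}
    req = urllib.request.Request(url, headers=headers)
    try:
        with opener(req, context=tls_context, timeout=10) as resp:
            return parse_edl(resp.read().decode("utf-8", "replace"))
    except HTTPError as exc:  # 401/403 means the source rejected the credentials
        what = "client authentication" if exc.code in (401, 403) else "retrieval"
        log.critical("EDL %s: %s failed (HTTP %s)", url, what, exc.code)
    except (ssl.SSLError, URLError) as exc:
        cause = exc.reason if isinstance(exc, URLError) else exc  # urllib wraps TLS errors
        if isinstance(cause, ssl.SSLCertVerificationError):
            log.critical("EDL %s: server authentication failed (%s)", url, cause)
        else:
            log.critical("EDL %s: retrieval failed (%s)", url, cause)
    return None
```

In production the `opener` default is used; the injectable parameter exists so the fail-closed paths can be exercised without a network.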