Authentication for External Dynamic Lists

When retrieving external dynamic lists hosted on SSL/TLS secured servers (servers with an HTTPS URL), the firewall now validates the digital certificates of the server before proceeding with the retrieval. You must now enable server authentication for these external dynamic lists for the firewall to retrieve them. Additionally, you can now retrieve external dynamic lists hosted on SSL/TLS secured servers that enforce basic HTTP username/password authentication (client authentication). Server authentication prevents man-in-the-middle attacks by ensuring that the firewall retrieves an external dynamic list from a valid source, not a malicious or spoofed server, while client authentication allows you to use more secure sources (such as MineMeld) that limit access to their external dynamic lists to authorized users. If the certificate of an external dynamic list server is expired or revoked, or if you enter incorrect login credentials for the list, authentication fails. The firewall then ceases to enforce policy based on the list contents.
In Panorama, you can use external dynamic lists to enforce policy across multiple firewalls in a device group. Panorama enforces policy without server and client authentication for firewalls running PAN-OS 7.1 and earlier versions.
  1. Select ObjectsExternal Dynamic Lists, and click on a dynamic IP, domain, or URL list.
  2. (New) If the server hosting the external dynamic list is secured with SSL (such as lists with an HTTPS URL), enable server authentication.
    You cannot edit or save changes to an external dynamic list with an HTTPS URL if you don’t enable server authentication first.
    Select an existing Certificate Profile for the list, or create a New Certificate Profile.
    A certificate profile authenticates a device and its certificates. The certificate profile you select must have a root CA certificate that matches the certificate installed on the server you are authenticating (also an intermediate CA certificate, if the server has one). It is also recommended that you enable CRL and/or OCSP status verification, which checks the revocation status of the server certificates. Learn more about how to configure a certificate profile.
    If the external dynamic list source has an HTTP URL, you are not required to select a certificate profile. The firewall connects to the server that hosts the external dynamic list without certificate validation.
    Maximize the number of external dynamic lists that you can use to enforce policy. Use the same certificate profile to authenticate external dynamic lists from the same source URL. If you assign different certificate profiles to external dynamic lists from the same source URL, the firewall counts each list as a unique external dynamic list.
  3. (New) If the source of the external dynamic list has an HTTPS URL and requires a username and password for list access, enable client authentication.
    1. Select Client Authentication.
      edl-client-auth.png
    2. Enter the username and password required by the list source.
    3. Re-enter the password to confirm it.
  4. (Optional) Test the connectivity of the firewall to the server hosting the external dynamic list.
    Click Test Source URL. A popup indicates whether the server is accessible.
    The Test Source URL button only verifies that the firewall can connect to the server. It does not check the status of the server’s certificate.
  5. Save the configuration.
    Click OK and Commit.
  6. Find external dynamic lists that failed authentication.
    External dynamic lists that fail server or client authentication require your immediate attention because the firewall ceases to enforce policy based on their contents. The firewall generates critical system logs to alert you of authentication failure. To manually check if an external dynamic list authenticates successfully, retrieve an external dynamic list from the web server.
    If a server fails to authenticate, you can disable server authentication as a stop-gap measure until the owner of the external dynamic list addresses the cause of the failure.

Related Documentation