Find External Dynamic Lists That Failed Authentication
When an external dynamic list that requires SSL fails client or server authentication, the firewall generates a system log of critical severity. The log is critical because the firewall ceases to enforce policy based on the external dynamic list after it fails authentication. Use the following process to view critical system log messages notifying you of authentication failure related to external dynamic lists.
- Select MonitorLogsSystem.
- Construct the following filters to view all messages
related to authentication failure, and apply the filters. For more
information, review the complete workflow to Filter
- Server authentication failure—(eventid eq tls-edl-auth-failure)
- Client authentication failure—(eventid eq edl-cli-auth-failure)
- Review the system log messages. The message description
includes the name of the external dynamic list, the source URL for
the list, and the reason for the authentication failure.The server that hosts the external dynamic list fails authentication if the certificate is expired. If you have configured the certificate profile to check certificate revocation status via Certificate Revocation List (CRL) or Online Certificate Status Protocol (OCSP), the server may also fail authentication if:
For more information on certificate profile settings, refer to the steps to Configure a Certificate Profile.Verify that you added the root CA and intermediate CA of the server to the certificate profile configured with the external dynamic list. Otherwise, the firewall will not authenticate the list properly.Client authentication fails if you have entered the incorrect username and password combination for the external dynamic list.
- The certificate is revoked.
- The revocation status of the certificate is unknown.
- The connection times out as the firewall is attempting to connect to the CRL/OCSP service.
- (Optional) Disable Authentication for an External Dynamic List that failed authentication as a stop-gap measure until the list owner renews the certificate(s) of the server that hosts the list.
Use an External Dynamic List in Policy
Use an External Dynamic List in Policy An external dynamic list (formerly called dynamic block list) is a text file that you or another source ...
Configure the Firewall to Access an External Dynamic List
Configure the Firewall to Access an External Dynamic List You must establish the connection between the firewall and the source that hosts the external dynamic ...
Disable Authentication for an External Dynamic List
Disable Authentication for an External Dynamic List Palo Alto Networks recommends that you enable authentication for the servers that host the external dynamic lists configured ...
Deploy SSL Decryption Using Best Practices
Following SSL Decryption deployment best practices help to ensure a smooth, prioritized rollout and that you decrypt the traffic you need to decrypt to safeguard ...
Objects > External Dynamic Lists
Objects > External Dynamic Lists An external dynamic list is an address object based on an imported list of IP addresses, URLs, or domain names ...
SSL Forward Proxy Decryption Profile
The SSL Forward Proxy Decryption profile blocks risky outbound sessions, verifies certificates, and provides session failure checks. ...
Configure a Certificate Profile
Configure a Certificate Profile Certificate profiles define user and device authentication for Captive Portal, multi-factor authentication (MFA), GlobalProtect, site-to-site IPSec VPN, external dynamic list (EDL) ...
Create the Data Center Best Practice Decryption Profiles
Decryption Profiles define the SSL Protocol settings the firewall accepts so you can protect against vulnerable, weak protocols and algorithms. ...
Known Issues Specific to PAN-OS 9.0.2
Review the known issues specific to the PAN-OS 9.0.2 release. ...