Palo Alto | Forcing Device Certificates to Use the Newer Intermediate Certificate

There are situations where Palo Alto device certificates used for the Web Interface or GlobalProtect and issued by 3rd party PKI servers such as ADCS will expire because their root CA or intermediate CA certificates are also expiring. In these cases, the certificates must be renewed.

However, there is a minor bug in Palo Alto devices: if two intermediate certificates share the same issuer (the root CA) but have different expiration dates, all imported certificates from that issuer will incorrectly be associated with the older intermediate certificate.

For example:

A Palo Alto firewall is using a 3rd PKI (Microsoft ADCS) to issue private certificates for the Web Console and GlobalProtect portals/gateways. Palo Alto contains the following certificates installed under Device > Certificate Management > Certificates

Root CA
    Old Intermediate Cert    To be expired soon/already expired
        Current Global Protect cert   To be expired soon/already expired
        Current Firewall 1 Management Cert    To be expired soon/already expired
        Current Firewall 2 Management Cert    To be expired soon/already expired
        Future Global Protect    Expires later date
        Future Firewall 1 Management Cert    Expires later date
        Future Firewall 2 Management Cert    Expires later date
    New Intermediate Cert    Expires later date

As you probably noticed, all Certs are issued by the Old Intermediate Cert which breaks the certificate chain for the future certs.

In order to force the cert to be issued by the new New Intermediate Cert we need to do 2 steps:

1. Make sure the option Trusted Root CA is disabled in the Old Intermediate Cert

2.  On the Palo Alto CLI and using configuration mode, execute this command to force deletion of the Old Intermediate Cert 
delete shared certificate {name of the Old Intermediate Cert}


After doing those steps the new device Certificates structure under Device > Certificate Management > Certificates will look like this:

Root CA
    New Intermediate Cert    Expires later date
        Current Global Protect cert   To be expired soon/already expired
        Current Firewall 1 Management Cert    To be expired soon/already expired
        Current Firewall 2 Management Cert    To be expired soon/already expired
        Future Global Protect    Expires later date
        Future Firewall 1 Management Cert    Expires later date
        Future Firewall 2 Management Cert    Expires later date
   
Which means that Certificate chain is now correct and we can proceed in change SSL/TLS service profile certs corresponding for Global Protect and Management.





Comentarios

Publicar un comentario

Entradas populares de este blog

EVE-NG: Instalación de EVE-NG

Imagen
EVE-NG es un emulador de redes muy útil para crear topologias de redes de forma virtualizada. Os voy a explicar el proceso de instalación del software en base a mi experiencia Requisitos para hacer uso de EVE-NG: - Instalar VMware Workstation Player (Versión de uso personal) - Tener un buen ordenador (El mío tiene 8 GB de Ram, Intel i7 dual-core, Disco duro SSD, etc)  con suficiente espacio de almacenamiento.Yo tengo un Windows 10 professional - Tener conocimientos de Linux básicos (Crear carpetas, mover archivos, cambiar IP del sistema ,etc) - Instalar Filezilla en el PC para hacer transferencias de archivos locales hacia EVE-NG Paso 1  Descargar el OVF de EVE-NG desde la pagina oficial. Tener en cuenta que hay dos versiones: la profesional y la personal. Yo he utilizado la versión personal para ello. Paso 2 Abrir VMware workstation e abrir el archio OVF para instalar EVE-NG. Importante!!  El adaptador de red (Network adapter) esta en modo bridge. Por lo que he podido l...
Leer más

Cisco Security | Bloquear MAC address en un switch

Nos gustaría bloquear el acceso a la siguiente dirección MAC en un switch -> aaaa.1234.bbbb    Para ello hemos de configurar MAC Filtering por VLAN y lo hariamos de la siguiente manera: SW1# conf t SW1(config)# mac-address-table static aaaa.1234.bbbb vlan 10 drop SW1(config)# mac-address-table static aaaa.1234.bbbb vlan 20 drop SW1(config)# end SW 1# show mac address-table static address aaaa.1234.bbbb Unicast Entries vlan mac address type protocols port -------+---------------+--------+---------------------+-------------------- 10         aaaa.1234.bbbb static ip,ipx,assigned,other Drop 20         aaaa.1234.bbbb static ip,ipx,assigned,other Drop
Leer más

Fortigate: Capturar paquetes (Packet capture/sniffer)

Para capturar paquetes de red en dispositivos Fortigate estos algunos de los comandos que utilizo: diagnose sniffer packet any 'src host <sourceip> or dst host <destinationip>' 1 diagnose sniffer packet any 'src host <sourceip> or dst host <destinationip>' 1 diagnose sniffer packet any 'src host <sourceip> or dst host <destinationip> and icmp' 1 diagnose sniffer packet any 'src host <sourceip> or dst host <destinationip> and tcp' 1
Leer más