- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
06-20-2019 11:22 AM
Hello,
The user profile we created in service-now authenticates if I enter credentials by hitting the EDL URL from my browser. When I test the same URL from the Palo Alto Firewall(Panorama/v8.1.16) itself, I get a URL access error.
I followed the instructions to download the Entrust Root Certificate Authority and imported that into a PA profile.I assigned a the certificate profile to the EDL in the PA. I have also verified the credentials are correct.
Summary: Palo Alto Networks Next-Generation Firewall
ServiceNow PAN NGFW EDL url is accessible from browser, but not from the PA firewall. Same credentials used.
Any help would be greatly appreciated.
Solved! Go to Solution.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
06-20-2019 03:22 PM
https://hi.service-now.com/kb_view.do?sysparm_article=KB0751335
It looks like there is bug with Palo Alto. Take a look at this KB: https://hi.service-now.com/kb_view.do?sysparm_article=KB0751335 PAN-69505 When viewing an external dynamic list that requires client authentication and you Test Source URL, the firewall fails to indicate whether it can reach the external dynamic list server and returns a URL access error (Objects > External Dynamic Lists).
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
06-20-2019 11:44 AM
Hi,
We saw this issue with another customer where the "Test URL" function is not working. This was the response we got from Palo Alto,
“PAN is aware of this issue for the 8.1 code, and it is documented in PAN 69505. Currently there is no solution and they are working to come up with a fix. Below is a copy of the document with the known issue.https://docs.paloaltonetworks.com/content/dam/techdocs/en_US/pdf/pan-os/8-1/pan-os-release-notes/pan...”"
For that customer the EDLs are refreshing properly. It is just the test function that is not working.
Can you see if the EDLs are refreshing in your firewall?
s
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
06-21-2019 03:39 PM
Yeah see the PAN IP in logs
06-21-2019 10:24:00
Palo Alto Networks NGFW - EDL - Domains Block List is successful retrieved by PAN firewall: IP - ***.113.160.69. 1187 entries are retrieved
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
06-20-2019 03:22 PM
https://hi.service-now.com/kb_view.do?sysparm_article=KB0751335
It looks like there is bug with Palo Alto. Take a look at this KB: https://hi.service-now.com/kb_view.do?sysparm_article=KB0751335 PAN-69505 When viewing an external dynamic list that requires client authentication and you Test Source URL, the firewall fails to indicate whether it can reach the external dynamic list server and returns a URL access error (Objects > External Dynamic Lists).
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
06-21-2019 03:51 PM
Great to hear your EDL refreshes are working and that you discovered the KB. I was not aware it had been published yet. Thanks for posting!
s
