Hi all,
I have some doubts regarding the Cortex XDR agent certificate. I have gone through multiple blogs, which provided some insights, but I am still unable to see the complete picture. Below are the key facts I have gathered so far:
New Certificate Enforcement: Cortex XDR enforced a new certificate because the old certificate was vulnerable to MITM (Man-in-the-Middle) attacks. The previous implementation accepted any certificate for communication as long as it was signed. To mitigate this, Palo Alto Networks now enforces a certificate issued exclusively by them, ensuring stricter validation.
Certificate Enforcement in Different Machines: In new machines, the agent certificate enforcement is enabled by default in agent settings. However, for older machines, the default setting was Disabled (Notify), requiring manual activation. Despite this, I have observed cases where both the old certificate (Trusted Root Certification Authority) and the new certificate (root.pem) are present on the same endpoint. Why does this happen?
Certificate Contents and Purpose: The certificate lists multiple well-known names such as Microsoft, Google, and DigiCert, among others. Does this imply that the certificate is used for communication beyond the Cortex XDR server?
Questions I Need Clarified:
🔹 How does communication with the Cortex XDR server differ between the old and new certificates?
🔹 Why are both the old and new certificates available on some machines?
🔹 How was the old agent certificate used for communication before the enforcement change?
🔹 Do the names listed in the certificate indicate that Cortex XDR communicates with third parties other than the XDR server?
Any insights on these points would be greatly appreciated.
Thanks,
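To make the enforcement change described in the question concrete, here is an added example (editor's own, not Cortex XDR or Palo Alto Networks code) that builds a throwaway vendor root standing in for root.pem plus an unrelated CA, then shows that a leaf from the unrelated CA passes when any trusted CA is acceptable but fails once verification is pinned to the vendor root alone. It assumes the openssl CLI is available; the names vendor-root, other-ca and xdr.example.invalid are constructed, and modelling "any signed certificate" as "any CA in the trust bundle" is a simplification.

```shell
#!/bin/sh
# Added example: contrast "any trusted CA" with "only the vendor's root".
# All keys and certificates are generated in a temporary directory.
set -e
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Self-signed root: used for the vendor root (stand-in for root.pem)
# and for an unrelated CA that an attacker could obtain a cert from.
mk_root() {  # $1 = root name
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}
# Leaf certificate for the server name, signed by the given root.
mk_leaf() {  # $1 = root name, $2 = leaf name
  openssl req -newkey rsa:2048 -nodes -subj "/CN=xdr.example.invalid" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 1 -out "$WORK/$2.pem" 2>/dev/null
}
mk_root vendor-root
mk_root other-ca
mk_leaf vendor-root good-leaf
mk_leaf other-ca rogue-leaf

# Old behaviour (simplified): any chain ending at some trusted CA is accepted.
cat "$WORK/vendor-root.pem" "$WORK/other-ca.pem" > "$WORK/any-ca.pem"
verify_any() {  # $1 = leaf name; returns 0 if accepted
  openssl verify -CAfile "$WORK/any-ca.pem" "$WORK/$1.pem" >/dev/null 2>&1
}
# New behaviour: only a chain ending at the vendor root is accepted.
verify_pinned() {  # $1 = leaf name; returns 0 if accepted
  openssl verify -CAfile "$WORK/vendor-root.pem" "$WORK/$1.pem" >/dev/null 2>&1
}
```

Run against the two leaves: verify_any accepts both, while verify_pinned accepts good-leaf and rejects rogue-leaf, which is the MITM exposure the enforcement closes.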