Make TLS certification validation configurable in the ipdevpoll Palo Alto ARP plugin #2895
Labels
Comments
lunkwill42
added
enhancement
PaloAlto
discussion
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Is your feature request related to a problem? Please describe.
The initial implementation of the plugin in #2613 ignores all TLS certificates by hardcoded default. This practice is very bad from a security standpoint.
Describe the solution you'd like
Really, the default should always be to verify. Options to disable verification, or to pin to a specific certificate should be added to
ipdevpoll.conf. However, pinned certificates could be different for each firewall, which would require an equally stupid mechanism to pin a certificate for each Palo Alto IP device. The latter we might instead want to store as a custom attribute of the Netbox itself, and just a config option inipdevpoll.confto tell the plugin to use that whenever present?Describe alternatives you've considered
Leave things as they are.
The text was updated successfully, but these errors were encountered: