Uninett / nav

Network Administration Visualized
GNU General Public License v3.0

Make TLS certificate validation configurable in the ipdevpoll Palo Alto ARP plugin #2895

Open lunkwill42 opened 5 months ago

lunkwill42 commented 5 months ago

Is your feature request related to a problem? Please describe.

The initial implementation of the plugin in #2613 ignores all TLS certificates by hardcoded default. This practice is very bad from a security standpoint.

Describe the solution you'd like

Really, the default should always be to verify. Options to disable verification, or to pin to a specific certificate should be added to ipdevpoll.conf. However, pinned certificates could be different for each firewall, which would require an equally stupid mechanism to pin a certificate for each Palo Alto IP device. The latter we might instead want to store as a custom attribute of the Netbox itself, and just a config option in ipdevpoll.conf to tell the plugin to use that whenever present?

Describe alternatives you've considered

Leave things as they are.
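The policy sketched in the issue (verify by default, an explicit opt-out, and an optional per-device pin that the plugin only honours when a global option says so), as an added Python example. This is not NAV's code: the `[paloaltoarp]` section, the option names `verify_tls`, `pinned_cert_attribute` and `pinned_sha256_attribute`, and the Netbox attribute names `paloalto_ca_cert` and `paloalto_cert_sha256` are all hypothetical. It supports two pin styles, a PEM file used as the only trust anchor and a SHA-256 fingerprint of the peer's DER certificate, and the config text is a constructed sample. ipdevpoll runs on Twisted, so the blocking socket helper at the end is only there to show where the post-handshake pin check belongs.

```python
"""Resolve a TLS policy for a Palo Alto device and build a matching SSLContext.

Example code, not NAV's plugin. Section and option names are hypothetical.
"""
import configparser
import hashlib
import hmac
import socket
import ssl
from dataclasses import dataclass
from typing import Mapping, Optional

# Constructed sample of the assumed ipdevpoll.conf section.
# verify_tls defaults to yes when absent; the two *_attribute options name
# per-device Netbox attributes that may carry a pin.
SAMPLE_CONF = """
[paloaltoarp]
verify_tls = yes
pinned_cert_attribute = paloalto_ca_cert
pinned_sha256_attribute = paloalto_cert_sha256
"""


@dataclass(frozen=True)
class TLSPolicy:
    verify: bool                      # False only when the operator opted out
    ca_file: Optional[str] = None     # PEM file used as the only trust anchor
    sha256_pin: Optional[str] = None  # lowercase hex SHA-256 of the peer's DER cert


def load_config(text: str) -> configparser.ConfigParser:
    conf = configparser.ConfigParser()
    conf.read_string(text)
    return conf


def normalize_fingerprint(value: str) -> str:
    """Accept 'AB:CD:...' as firewalls and browsers display it, or bare hex."""
    return value.replace(":", "").strip().lower()


def sha256_hex(der_cert: bytes) -> str:
    return hashlib.sha256(der_cert).hexdigest()


def resolve_policy(conf: configparser.ConfigParser,
                   device_attrs: Mapping[str, str]) -> TLSPolicy:
    """The global section decides whether to verify; device attributes add pins."""
    section = conf["paloaltoarp"]
    if not section.getboolean("verify_tls", fallback=True):
        return TLSPolicy(verify=False)          # pins are meaningless without verification
    ca_attr = section.get("pinned_cert_attribute", fallback=None)
    pin_attr = section.get("pinned_sha256_attribute", fallback=None)
    ca_file = device_attrs.get(ca_attr) if ca_attr else None
    pin = device_attrs.get(pin_attr) if pin_attr else None
    return TLSPolicy(True, ca_file, normalize_fingerprint(pin) if pin else None)


def build_ssl_context(policy: TLSPolicy) -> ssl.SSLContext:
    if not policy.verify:
        # Explicit opt-out. check_hostname must be cleared before CERT_NONE,
        # otherwise the ssl module raises ValueError.
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    # With cafile set, only that certificate (or chain) is trusted; with it
    # unset the system store is used. Both keep CERT_REQUIRED and hostname checks.
    return ssl.create_default_context(cafile=policy.ca_file)


def describe_context(ctx: ssl.SSLContext) -> dict:
    return {"verify_mode": ctx.verify_mode.name, "check_hostname": ctx.check_hostname}


def fingerprint_matches(der_cert: bytes, expected_hex: str) -> bool:
    return hmac.compare_digest(sha256_hex(der_cert), normalize_fingerprint(expected_hex))


def check_peer(peer_der: Optional[bytes], policy: TLSPolicy) -> bool:
    """Post-handshake pin check on the DER certificate the peer presented."""
    if policy.sha256_pin is None:
        return True  # nothing pinned; chain and hostname were already verified
    if not peer_der or not fingerprint_matches(peer_der, policy.sha256_pin):
        raise ssl.SSLCertVerificationError("peer certificate does not match pinned SHA-256")
    return True


def connect_and_check(host: str, port: int, policy: TLSPolicy) -> ssl.SSLSocket:
    """Blocking illustration of where the pin check sits relative to the handshake."""
    ctx = build_ssl_context(policy)
    ssock = ctx.wrap_socket(socket.create_connection((host, port), timeout=10),
                            server_hostname=host)
    try:
        check_peer(ssock.getpeercert(binary_form=True), policy)
    except ssl.SSLCertVerificationError:
        ssock.close()
        raise
    return ssock
```

Note that a fingerprint pin is checked after the chain and hostname validation, not instead of it, and that a per-device pin is silently ignored once `verify_tls` is turned off; a plugin should log that combination rather than let an operator believe the pin is in force.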