https://live.paloaltonetworks.com/t5/globalprotect-discussions/crl-for-globalprotect/m-p/532108#M3718 <P>Hi, greetings.</P> <P>Is there a way to use the CLR to verify the machine/user certificate through globalprotect, to drop connections if the certificate is revoked?</P> Thu, 23 Feb 2023 15:37:56 GMT g-crisostomo 2023-02-23T15:37:56Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/crl-for-globalprotect/m-p/532108#M3718 <P>Hi, greetings.</P> <P>Is there a way to use the CLR to verify the machine/user certificate through globalprotect, to drop connections if the certificate is revoked?</P> Thu, 23 Feb 2023 15:37:56 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/crl-for-globalprotect/m-p/532108#M3718 g-crisostomo 2023-02-23T15:37:56Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/crl-for-globalprotect/m-p/532110#M3719 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/230997">@g-crisostomo</a> ,</P> <P>&nbsp;</P> <P>GP uses a Certificate Profile to authenticate certificates, and it has a check box to use CRL.&nbsp; Theoretically, the authentication should fail if the certificate is revoked.&nbsp; Please let us know the results if you configure it!</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="TomYoung_0-1677167656244.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/48175i9266342CC6149674/image-size/medium?v=v2&amp;px=400" role="button" title="TomYoung_0-1677167656244.png" alt="TomYoung_0-1677167656244.png" /></span></P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Tom</P> Thu, 23 Feb 2023 15:56:25 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/crl-for-globalprotect/m-p/532110#M3719 TomYoung 2023-02-23T15:56:25Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/crl-for-globalprotect/m-p/532113#M3722 <P>I have marked this option, but how can I assure the CRL is being used?</P> <P>I added the URL from the certificate to the Default OCSP URL but still I can't see how I can refer to the list.</P> Thu, 23 Feb 2023 16:40:59 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/crl-for-globalprotect/m-p/532113#M3722 g-crisostomo 2023-02-23T16:40:59Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/crl-for-globalprotect/m-p/532115#M3724 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/230997">@g-crisostomo</a> ,</P> <P>&nbsp;</P> <P>OCSP is a different protocol.&nbsp; If you check the URL box, for every certificate authentication request the NGFW should check the CRL listed in the CA certificate in <EM>the same</EM> certificate profile.&nbsp; The best way to check is to revoke a certificate and see if the authentication fails.&nbsp; If traffic from the management interface to the CRL URL goes through the NGFW, you should also see the session in the logs.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Tom</P> Thu, 23 Feb 2023 16:47:44 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/crl-for-globalprotect/m-p/532115#M3724 TomYoung 2023-02-23T16:47:44Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/crl-for-globalprotect/m-p/532647#M3736 <P>Thank you for your help, I guess I found out whats going on; The CRL listed on certificate in the firewall, is different from the user's certificate CRL, because they have 2 servers issuing certificates and they didn't point me this until now.</P> <P>&nbsp;</P> <P>Thanks once again.</P> Wed, 01 Mar 2023 12:08:13 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/crl-for-globalprotect/m-p/532647#M3736 g-crisostomo 2023-03-01T12:08:13Z