topic Certificate revocation / OCSP not working in Next-Generation Firewall Discussions https://live.paloaltonetworks.com/t5/next-generation-firewall/certificate-revocation-ocsp-not-working/m-p/518248#M493 <P>I've set up one of our PAs (a 5260 running&nbsp;<SPAN>10.1.6-h3)</SPAN> to use as a certificate authority and OCSP responder for use with GlobalProtect remote access. I'm able to issue and verify certificates with no problem, but revoking a client certificate has no effect on whether the&nbsp; able to connect. I'm able to browse to http://&lt;PA IP&gt;/CA/ocsp, but the browser downloads a 0kb file and the device doesn't appear to be updating this revocation information. Do I need to do something else to have the firewall validate this cert?</P> <P>&nbsp;</P> <P>Does the firewall generate the OCSP request from its own management interface, or the interface it's doing the GlobalProtect auth on? I have the service listener set up on the Management interface but that wouldn't be accessible from the outside if that's the case.</P><BR /><BR />Please note you are posting a public message where community members and experts can provide assistance. Sharing private information such as serial numbers or company information is not recommended. Tue, 18 Oct 2022 18:30:07 GMT Derek-Webb 2022-10-18T18:30:07Z Certificate revocation / OCSP not working https://live.paloaltonetworks.com/t5/next-generation-firewall/certificate-revocation-ocsp-not-working/m-p/518248#M493 <P>I've set up one of our PAs (a 5260 running&nbsp;<SPAN>10.1.6-h3)</SPAN> to use as a certificate authority and OCSP responder for use with GlobalProtect remote access. I'm able to issue and verify certificates with no problem, but revoking a client certificate has no effect on whether the&nbsp; able to connect. I'm able to browse to http://&lt;PA IP&gt;/CA/ocsp, but the browser downloads a 0kb file and the device doesn't appear to be updating this revocation information. Do I need to do something else to have the firewall validate this cert?</P> <P>&nbsp;</P> <P>Does the firewall generate the OCSP request from its own management interface, or the interface it's doing the GlobalProtect auth on? I have the service listener set up on the Management interface but that wouldn't be accessible from the outside if that's the case.</P><BR /><BR />Please note you are posting a public message where community members and experts can provide assistance. Sharing private information such as serial numbers or company information is not recommended. Tue, 18 Oct 2022 18:30:07 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/certificate-revocation-ocsp-not-working/m-p/518248#M493 Derek-Webb 2022-10-18T18:30:07Z Re: Certificate revocation / OCSP not working https://live.paloaltonetworks.com/t5/next-generation-firewall/certificate-revocation-ocsp-not-working/m-p/518737#M499 <P>I believe it uses whatever interface you define in the OCSP responder section. Is that where you've defined the management interface?</P> Fri, 21 Oct 2022 15:35:15 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/certificate-revocation-ocsp-not-working/m-p/518737#M499 rmfalconer 2022-10-21T15:35:15Z