https://live.paloaltonetworks.com/t5/next-generation-firewall/override-url-ocsp-and-responder-ocsp-global-protect-vpn/m-p/1257712#M6999 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/280315">@HAINVH</a>&nbsp;,</P> <P>&nbsp;</P> <P>&nbsp;</P> <P class="isSelectedEnd"><SPAN>What have you tried so far?</SPAN></P> <P class="isSelectedEnd">&nbsp;</P> <P class="isSelectedEnd"><SPAN>You should be able to host OCSP on an alternate interface instead of tying it to the management IP.</SPAN></P> <P class="isSelectedEnd">&nbsp;</P> <P class="isSelectedEnd"><SPAN>A few things I would be mindful of:</SPAN></P> <UL data-spread="false"> <LI><SPAN>The interface should have an Interface Management Profile applied with </SPAN><STRONG><SPAN>HTTP OCSP</SPAN></STRONG><SPAN> enabled.</SPAN></LI> <LI><SPAN>The OCSP responder hostname/IP should resolve to the data-plane or loopback interface.</SPAN></LI> <LI><SPAN>Routing and security policy need to allow the OCSP traffic.</SPAN></LI> </UL> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 30 Jun 2026 01:18:10 GMT JayGolf 2026-06-30T01:18:10Z https://live.paloaltonetworks.com/t5/next-generation-firewall/override-url-ocsp-and-responder-ocsp-global-protect-vpn/m-p/1257667#M6998 <P>Hi everyone,</P> <P>present, i have VPN global protec</P> <P>Authentication two factor with certificate and radius, by interface management&nbsp;</P> <P><SPAN>The current setup is as follows:</SPAN></P> <UL> <LI><SPAN>The Palo Alto firewall acts as both the gateway and the OCSP responder.</SPAN></LI> <LI><SPAN>The OCSP responder is configured to use the management IP address, and the OCSP Override URL also points to the management IP.</SPAN></LI> </UL> <P><SPAN>Because certificate validation relies on the management IP, a failover to the HA peer causes certificate validation to fail. In addition, having only a single management link creates a potential single point of failure.</SPAN></P> <P><SPAN>To improve resiliency, I would like to use either a data-plane IP address or a loopback IP address as the OCSP responder, and configure the OCSP Override URL to point to that loopback or data-plane IP instead.</SPAN></P> <P><SPAN>However, I’ve tried several configurations without success.</SPAN></P> <P><SPAN>Could you please help me understand how to achieve this?</SPAN></P> <P>with 1000user i dont want create new all</P> Mon, 29 Jun 2026 14:56:38 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/override-url-ocsp-and-responder-ocsp-global-protect-vpn/m-p/1257667#M6998 HAINVH 2026-06-29T14:56:38Z https://live.paloaltonetworks.com/t5/next-generation-firewall/override-url-ocsp-and-responder-ocsp-global-protect-vpn/m-p/1257712#M6999 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/280315">@HAINVH</a>&nbsp;,</P> <P>&nbsp;</P> <P>&nbsp;</P> <P class="isSelectedEnd"><SPAN>What have you tried so far?</SPAN></P> <P class="isSelectedEnd">&nbsp;</P> <P class="isSelectedEnd"><SPAN>You should be able to host OCSP on an alternate interface instead of tying it to the management IP.</SPAN></P> <P class="isSelectedEnd">&nbsp;</P> <P class="isSelectedEnd"><SPAN>A few things I would be mindful of:</SPAN></P> <UL data-spread="false"> <LI><SPAN>The interface should have an Interface Management Profile applied with </SPAN><STRONG><SPAN>HTTP OCSP</SPAN></STRONG><SPAN> enabled.</SPAN></LI> <LI><SPAN>The OCSP responder hostname/IP should resolve to the data-plane or loopback interface.</SPAN></LI> <LI><SPAN>Routing and security policy need to allow the OCSP traffic.</SPAN></LI> </UL> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 30 Jun 2026 01:18:10 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/override-url-ocsp-and-responder-ocsp-global-protect-vpn/m-p/1257712#M6999 JayGolf 2026-06-30T01:18:10Z